It is my pleasure to announce the availability of the public preview of the Azure Sphere Security Service, Azure Sphere Operating System, and Visual Studio development experience for Azure Sphere. Today’s announcement marks an important milestone in Microsoft’s commitment to provide an end-to-end solution for securing any IoT device. In tandem with these releases, Azure Sphere development kits are immediately available from Seeed Studio. The development kit includes a development board built with the first Azure Sphere certified MCU, the MT3620 from MediaTek, and everything else you need to get started developing Azure Sphere applications.
The seven properties: Setting the bar for connected device security
In 2017 Galen Hunt, George Letey, and I published the white paper “The seven properties of highly secure devices.” Years earlier, we had seen the trends in silicon manufacturing and realized that billions of MCU-powered devices would become connected devices over the next decade. We gathered a team and started investigating, building software and thinking deeply about security for MCU devices. We came away from this investigation dissatisfied. Existing solutions treated security as an afterthought or a “value-add,” and no end-to-end solutions were readily available. A device manufacturer would need to select a silicon platform, piece together or write all the software (firmware, OS, applications), their own set of services to deploy updates and manage those devices, and develop world class security expertise in hardware, software, and services.
The seven properties define the standard that must be met to securely connect an IoT device to the internet. All seven of the properties are required, omitting even one of the properties can leave devices open to catastrophic risk – even worse, it can create a situation where responding to critical security events is difficult and costly. The properties also act as a practical framework for evaluating IoT security. Before we introduced this framework, someone would simply ask, “Is my IoT solution secure?” and the answer from a supplier was always, “yes.” However, security is neither a checkbox nor a single state. It is a spectrum that depends upon the attacks expected against the platform and the functionality that the device provides. We argue that, once any device connects to the open Internet, all properties must be met to offer a solution that can be continuously secured. Outlining these properties allow someone to ask a simple question of suppliers and solution providers, “Do you meet all seven properties?” Having the framework of the properties shifts the conversation from one of absolutes (it’s secure) to one of specifics. We hold these properties dear and we work hard to ensure that Azure Sphere meets the bar we’ve set for ourselves. Here is a summary of the 7 properties and how Azure Sphere implements them:
- Without a hardware root of trust, devices may be imitated, malware may be injected, and encryption algorithms become vulnerable or predictable. Azure Sphere’s Pluton security subsystem accelerates cryptographic tasks, implements a true random number generator, and provides support for secure boot (via ECDSA) and remote attestation. All these features are implemented wholly in silicon, making their functionality immune to software vulnerabilities.
- The risk of a vulnerability completely compromising a device grows as the size of the trusted computing base grows. A small trusted computing base (TCB) is essential to device security. Azure Sphere’s TCB includes only the Pluton runtime and the Azure Sphere security monitor while still providing separation between Azure Sphere’s Linux OS kernel and applications.
- A typical RTOS links in the “OS” or runtime in the same binary payload as connectivity, security, and application functionality. A defense in depth strategy forces attackers to chain together multiple vulnerabilities through multiple layers of software to compromise a device. Azure Sphere uses Trust Zone and a modern operating system design, with a fully separate OS kernel binary, to provide a layered architecture.
- Dynamic Compartments ensure that one failing or buggy program can’t compromise another. They also make it easy to deploy changes in the field with minimal development effort. Azure Sphere’s use of a Cortex-A with an MMU allows Azure Sphere’s custom Linux kernel to implement process-based isolation.
- Certificate based, mutual authentication eliminates the need for passwords, and guarantees both that a device can verify the service it’s communicating with (i.e., Azure) and that cloud services can verify the device’s identity. Azure Sphere MCUs and services go beyond certificates by leveraging remote attestation to verify not only that a device was booted with genuine software, but that the device runs only software that us up to date.
- Renewable security guarantees that software problems, once identified, can be fixed and deployed to the field. Every Azure Sphere device receives software updates to its firmware, operating system and applications for a minimum of 10 years, guaranteeing that devices stay up to date. Connecting a device to the Internet without renewable security is like driving into the desert with only a single tank of gas. Eventually, you’ll be stranded.
- Finally, failure reporting ensures that attacks are detected as they happen, allowing the use of renewable security before attacks become catastrophic. Failure reporting and renewable security work together in a virtuous cycle. Failure reporting without renewable security makes it hard to respond when attacks are detected. Renewable security without failure reporting means that real-time information about device health is simply missing and that new attacks take longer to detect and defend.
Securing IoT with Azure Sphere
Publishing the 7 properties paper represented a watershed moment for MCU-based IoT security at Microsoft. We realized that we needed to go beyond the definition of the 7 properties to develop an end-to-end solution. In April, we announced that product; it’s called Azure Sphere.
The Azure Sphere solution includes three components: Azure Sphere certified MCUs, the Azure Sphere Operating System, and the Azure Sphere Security Service. These components combine to provide a single, end-to-end platform that secures IoT devices and provides all 7 properties to device manufacturers and end users. The MT3620 is the first Azure Sphere MCU, and with public preview we are opening our preview program for all device manufacturers to begin prototyping new devices and providing feedback. Developer feedback through the public preview program is key to helping the engineering team select which features to invest in and how quickly we bring them to market. We’d love to hear from you!
Over the coming months, we’ll dive deeply into each of the 7 properties and use them to provide in-depth coverage of the Azure Sphere platform’s silicon, device software and cloud services. We’ll also be moving the capabilities of the platform forward through regular software and SDK releases. Expect news soon on the Azure Sphere release cadence and schedule for new features and software updates. In the meantime, enjoy Azure Sphere; we’ve just begun our journey and we’re excited to hear what you’re building with Azure Sphere.
Visit our website for documentation and more information on how to get started with your Azure Sphere development kit.
Read more about how customers like E.ON are using Azure Sphere to power and secure new connected experiences.