April 27, 2018 | By Joel Odom
At the recent RSA 2018 conference, Microsoft announced Azure Sphere, a free and open-source security solution that promises to help secure the Internet of Things (IoT). Azure Sphere is a holistic approach to IoT security that includes cloud services, a special-purpose operating system, and a custom microntroller that acts as a hardware root of trust for each device using it.
IISP Analyst Joel Odom: "I've spent some time reviewing the material that Microsoft has published about Azure Sphere, and, from a security standpoint, their solution appears to be promising. The nature of our fast-paced, competitive consumer IoT market means that devices have to be developed quickly and at low cost, and they tend to have short support lifespans. Real security is slow, costly, and requires long-term support. The security community has had decades to learn the best practices required to secure desktop and mobile computers. Azure Sphere brings these best practices into a system that is targeted to meet the specific requirements of IoT.
The security of Azure Sphere starts with a microcontroller that includes a security subsystem ("Pluton") which serves as a hardware root of trust. The Pluton security subsystem isolates the security functions of the microcontroller so that the microcontroller can verify the integrity of the operating system when the device starts, and so that the operating system and applications can utilize the built-in security features. The isolation of security functions into a subsystem means that cryptographic keys and other important security components are difficult to compromise, even if the operating system is compromised. The Azure Sphere microcontroller also provides a handful of other bells and whistles that IoT devices typically require. The last component of the Azure Sphere security system is a cloud service from which the Azure Sphere OS can receive up-to-date security certificates, software updates, and other services. Azure Sphere OS is a Linux-based operating system (yes, this is a Microsoft product!) built to utilize the security features of the hardware.
IoT security is a hard problem. We have learned that to do security right we need features like hardware roots of trust, software updates, strong process isolation, and authentication that includes a well-maintained public-key infrastructure. My phone has these features, but it is manufactured by a company who has the budget and know-how to implement good security, and I paid hundreds of dollars for it. The Azure Sphere solution appears to be Microsoft's attempt to help IoT vendors do security right, and they appear to have a free and open-source approach that will do exactly that. Kudos."
For further reading
- Microsoft: https://www.microsoft.com/en-us/azure-sphere/
- Microsoft Azure: https://azure.microsoft.com/en-us/blog/introducing-microsoft-azure-sphere-secure-and-power-the-intelligent-edge/
Joel Odom leads a team of researchers focused on software security as branch head for the Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Laboratory at the Georgia Tech Research Institute. He and his team research static and dynamic software analysis, software testing techniques, software reverse engineering, and software vulnerability discovery and mitigation.