News

Microsoft Ships Azure Sphere for Securing IoT Devices

• By Kurt Mackie
• 02/26/2020

Microsoft shipped Azure Sphere, an integrated solution for securing Internet of Things (IoT) devices and equipment.

The company this week announced the general availability of Azure Sphere, which was introduced almost two years ago with the promise of securing the billions of devices on the IoT -- from device hardware to software to cloud -- with Microsoft playing a central role.

Azure Sphere Elements
The Azure Sphere family consists of four basic elements:

• Certified chips for devices, built by hardware partners.
• Microsoft's own custom-built Linux operating system for those chips, called Azure Sphere OS.
• The Azure Sphere Security Service, a service running from Microsoft's datacenters that gathers data on the security status of IoT devices and delivers automated updates to those devices.
• The Azure Sphere security team at Microsoft, which helps identify and address IoT device security threats.

Microsoft supplied a reference architecture for the "microcontroller units," and it gets used in Azure Sphere chips that are built by Microsoft's hardware partners.

"A microcontroller, for anybody who is not familiar, is a single-chip computer that has processor, and storage, memory, and IoT capabilities," explained Galen Hunt, Distinguished Engineer and managing director of Azure Sphere, in a Microsoft-produced Q&A on Azure Sphere.

Another notable aspect of the Azure Sphere family is its ability to add protections for older IoT devices via Guardian Modules. These Guardian Modules are part of Azure Sphere chips and support connections to the Azure Sphere Security Service for security checks and automated patching.

"The guardian module is a very small device -- no larger than the size of a deck of cards -- built around an Azure Sphere chip," Hunt explained in the Q&A.

Microsoft used its Windows Update Service model for Azure Sphere. It supports updating "billions of devices, globally, per hour," Hunt explained. Security oversight is also enabled through the use of the Azure Security Center for IoT portal, he added.

Azure Sphere's Origins
Azure Sphere started out as a Microsoft Research project to bring a high level of security to industrial and household devices at a low cost. Microsoft first worked with MediaTek to modify one of its microcontrollers to that end. The idea was to address seven proprieties required of all networked devices. Those properties, according to a Microsoft Research paper, included:

• A hardware-based root of trust
• A small trusted computing base
• Defense-in-depth
• Compartmentalization
• Certificate-based authentication
• Security renewal
• Failure reporting

Microsoft wanted IoT devices to have unique identities, based in hardware, using private keys that were inaccessible to the software. The defense-in-depth concept, based on the Xbox gaming console, according to Hunt, aims to keep devices protected if there's a software-layer breach. Signed certificates using cryptographic keys were to be used instead of passwords. Software was to be updated automatically, and any failures would get reported to the manufacturers.

General Availability
Currently, Azure Sphere is supported by MediaTek's MT3620 chip, which is "available in volume today," Hunt indicated.

Other hardware partners are currently building Azure Sphere chips. Microsoft had announced a partnership with NXP back in June on building an Azure Sphere chip that will add "much larger compute capabilities" than MediaTek's chip, Hunt explained. In October, Qualcomm announced plans to build a "cellular native Azure Sphere chip," he added.

Microsoft aims to make IoT devices trusted with the GA release of Azure Sphere.

"The opportunity to release a brand-new product that addresses crucial and unmet needs is rare," stated Halina McMaster, a Microsoft principal group program manager, in the announcement. "Azure Sphere is truly unique, our product brings a new technology category to the Microsoft family, to the IoT market, and to the security landscape."

Development Environments
Microsoft documentation provides guidance on setting up development environments for working with Azure Sphere with Visual Studio, Visual Studio Code or the command line on Windows, or VS Code and the command line on Linux.