Securing everything everywhere is the ultimate pipe dream. Nevertheless, securing every “thing” is becoming a critical issue as we move into the era of the “Internet of things.”

Security is critical to IoT’s adoption because we want to make sure we can “trust” the hardware, software, data and other connected elements we embed in our phones, appliances, robots, drones and other sensor-equipped smart devices.

Defending the IoT against cyberattacks will be the mother of all security challenges. One of the most dreaded IoT security scenarios is the zero-day attack, under which hackers exploit vulnerabilities for which there are no prebuilt defenses. The IoT presents a potentially unlimited attack surface for such assaults in the form of exploitable entry points for malware, intrusions and advanced persistent threats.

These vulnerabilities derive from the inherently complex, dynamic, distributed, heterogeneous and innovative environment that the IoT represents. To mitigate the threat from zero-day hacks and other cyberattacks, IoT security professionals require that protections be implemented at edge devices, in the cloud and in the ecosystem of hardware, software and service providers that keep this distributed fabric up and running without incident.

Recently, Microsoft announced Azure Sphere, an ambitious new security initiative for edge-to-cloud IoT security. Wikibon sees Azure Sphere, which is still in private preview, as an important harbinger of how end-to-end IoT security will be rolled out on a vendor-agnostic basis within the next five to 10 years.

As a comprehensive framework for IoT security, the key elements of Microsoft’s Azure Sphere initiative are as follows:

IoT edge security

The first and foremost layer of IoT protection must be built into edge devices themselves. Under the Azure Sphere initiative, Microsoft announced a new secure class of embedded microcontroller unit or MCU chipsets for IoT devices.

As the core of IoT device systems on a chip, each Azure Sphere MCU will include the embedded Pluton security subsystem. This creates a hardware root of trust on the endpoint, stores private keys locally and executes cryptographic operations. The MCU runs a secure, embedded Linux-based operating system, support secured application containers and include a security monitor.

The MCU will also provide network connectivity, an application processor, a real-time processor, flash memory, SRAM and multiplexed I/O. Developer kits for the MCUs are expected to become available sometime in the next few months, with the first MCU expected by the end of the year.

IoT cloud security

The cloud is the center of the IoT. Consequently, end-to-end security features must be built into fabric that governs how endpoints, hubs, and other nodes interact with users, apps, runtime engines, data platforms and other distributed elements.

To that end, Microsoft launched Azure Sphere Security Service. Also under preview, this turnkey cloud service will:

• broker edge-to-cloud certificate-based trust relationships,
• authenticate all communications, messaging, and interactions,
• guarantee edge device authenticity,
• ensure that devices only run genuine software,
• perform device status and health monitoring,
• provide insights into device and application failures,
• flag emerging edge and cloud security threats, and
• automate software and OS updates to all devices.

Further strengthening edge-to-cloud IoT security, Microsoft announced previews of a new suite of intelligent Microsoft 365 cloud services across the Azure Sphere and other distributed services within Microsoft’s cloud portfolio:

• Benchmarking IoT endpoint security readiness: Microsoft announced tools that will help to prevent threats before they happen. The new Microsoft Secure Score and Attack Simulator will use built-in machine learning to help enterprises automatically score and benchmark their IoT security readiness against organizations with similar profiles. This will help  to determine which IoT security controls they should activate to help protect their users’ IoT devices, apps and data. The service will work in conjunction with Microsoft’s new Attack Simulator, which is a part of Office 365 Threat Intelligence that lets security teams run simulated attacks to event-test their employees’ responses and tune edge-device security configurations.
• Detecting and preventing IoT-endpoint intrusions in real-time: Microsoft announced a new ML-driven service that will automatically detect and respond to threats on IoT endpoints in real time and at scale. The new Windows Defender Advanced Threat Protection, currently in preview and a part of Microsoft 365, provides threat protection and remediation across Office 365, Windows and Azure. The new Conditional Access provides real-time risk assessments for ensuring that access to sensitive data is appropriately controlled. The device risk level set by Windows Defender ATP works with Conditional Access to help ensure that compromised devices can’t access sensitive business data.
• Contextualizing IoT endpoint security intelligence: The vendor announced a new API for connecting partner-provided IoT solutions and its own with the Microsoft Intelligent Security Graph. By facilitating connection of individual tools to the Intelligent Security Graph, the API will more rapidly surface more security-relevant patterns from huge amount of real-time IoT data. This will accelerate investigation and remediation of complex IoT security threats.

IoT ecosystem security

IoT edge-to-cloud protections aren’t resilient unless they are enforced within an ecosystem of certified hardware, software and other solution providers who build, deploy and maintain every component of the distributed fabric.

To build an industry ecosystem around its Azure Sphere Vision, Microsoft announced the following partner-enablement activities:

• Licensing: Microsoft is licensing the new MCUs’ intellectual property royalty-free for partners who are interested in developing and manufacturing the chips. The first MCU is being developed by MediaTek Inc. Other hardware partners in the Sphere ecosystem include Arm Ltd., Hilscher, LitePoint, LongSys, Nordic, Nuvoton, NXP, Qualcomm, Seeed Studio, Silicon Labs, ST Micro, Toshiba and VeriSilicon.
• Tooling: Microsoft has released the new Visual Studio Tools for Azure Sphere to help partners get started writing applications for edge devices and cloud services within the Azure Sphere environment. Tools include application templates, development tools and the Azure Sphere software development kit. These tools simplify and accelerate development, streamline debugging, connect Azure Sphere devices quickly and easily to Azure IoT, provide wizards to guide developers through the process of connecting devices to Azure IoT Hub, send telemetry from devices to the cloud, and enable messaging among devices and cloud services.
• Collaboration: Microsoft established a new association to encourage for security technology partners to contribute to and benefit from the forthcoming Intelligent Security Graph API. It is also engaged with a select group of cybersecurity industry leaders — including Anomali, Palo Alto Networks and PwC — in early exploration and testing of the new Intelligent Security Graph API.

Check out this recent Microsoft video for more information on Azure Sphere:

Image: TheDigitalArtist/Pixabay