Many modern devices connect to networks without adequate security, and users rarely update them, which leaves them exposed to compromise. Azure Sphere is a product and service from Microsoft that enables Internet of Things (IoT) developers to build more secure devices. It combines a dedicated Azure-based cloud service, the Azure Sphere OS, and a system-on-chip with security peripherals to provide continuous monitoring. We will look at how developers use Azure Sphere to keep such devices secure, how it works, and how to get started with the module.
Contents
- What is Azure Sphere?
- Azure Sphere Scenario
- The Seven Properties of Highly Secured Devices in Azure Sphere
- Defense in Depth
- Hardware-based Root of Trust
- Small Trusted Computing Base
- Password-less Authentication
- Dynamic Compartments
- Renewable Security
- Error Reporting
- Azure Sphere Architecture
- The Azure Sphere Security Service
- Software Architecture and OS
- Hardware Architecture
- Getting Started with Microsoft's Azure Sphere
- Summary
What is Azure Sphere?
Azure Sphere is a secured, high-level application platform with built-in communication and security features for internet-connected devices. It comprises a secured, connected crossover microcontroller unit (MCU), a custom Linux-based operating system (OS), and a cloud-based security service that together provide continuous, renewable security. The cloud service authenticates each device's identity to establish trust, integrity, and secure connectivity.
Azure Sphere end-to-end solution
Together with the application platform and its high-level OS, Azure Sphere enables the creation of internet-connected devices that can be controlled and maintained remotely. Any connected device whose hardware includes an Azure Sphere MCU alongside its existing MCU(s) gains heightened productivity and security.
Azure Sphere Scenario
Let's see how this application platform works in a real-world setting.
Consider a white-goods manufacturer that builds an Azure Sphere MCU into its dishwashers. The DW100 dishwasher contains an Azure Sphere MCU running a high-level application and connected to several sensors. The application communicates with both the company's cloud services and the Azure Sphere Security Service. Microsoft delivers Azure Sphere OS updates through the Azure Sphere Security Service, while the manufacturer delivers updates to its DW100 application software through the security service as well. The dishwasher's sensors can monitor rinse-agent level, drying, and water temperature, and upload that data to the company's cloud services, where cloud applications evaluate it for possible issues.
Azure Sphere MCU
The Seven Properties of Highly Secured Devices in Azure Sphere
The Azure Sphere team identified seven properties of highly secured devices, drawing on Microsoft's extensive experience with internet security. The platform's design follows directly from these seven properties.
Defense in Depth
In the Azure Sphere platform, every software layer verifies the security of the layer above it. Defense in depth provides multiple high-value layers of security, so that a single weakness is mitigated by the layers around it rather than exposing the whole device.
Hardware-based Root of Trust
Each device is identified by a unique cryptographic key that is generated and protected by Microsoft-designed security hardware. A hardware-based root of trust prevents device spoofing and forgery, so an industrial device cannot be separated from its identity.
Small Trusted Computing Base
To reduce the attack surface, the device's trusted computing base is kept as small as possible. Only the secured Pluton subsystem, the Pluton runtime, and the Security Monitor run within the trusted computing base.
Password-less Authentication
Azure Sphere requires all software to be authenticated. Certificates signed and validated with the device's unforgeable cryptographic key provide far stronger authentication than passwords. The same certificates authenticate both device-to-cloud and cloud-to-device communication.
Dynamic Compartments
Azure Sphere MCUs include silicon countermeasures, in the form of hardware-enforced barriers, that stop a security failure in one section from propagating to others. Dynamic compartments prevent a single slip from spreading across the device.
Renewable Security
The device updates itself automatically to address known vulnerabilities and respond to security breaches, with no intervention from the manufacturer. The Azure Sphere Security Service updates your applications automatically along with the Azure Sphere OS.
Error Reporting
Hardware or software failures on a device are often the first sign of an emerging attack. Azure Sphere reports errors and operational data automatically to a cloud-based analysis system. Servicing and updates can then be carried out remotely.
Azure Sphere Architecture
The Azure Sphere Security Service, the OS software, and the hardware (including its hardware firewalls) work together to provide a single cohesive approach to device security and maintenance.
The Azure Sphere Security Service
By default, the platform's security service stores its data encrypted. It has three components:
- Password-less Authentication – remote, certificate-based authentication and attestation without passwords, so that billions of devices can connect securely and safely to online services.
- Update – automatic, ongoing distribution of security updates to the Azure Sphere OS and to all applications. The update service also delivers remote servicing, keeps devices in continued operation, and distributes application software updates.
- Error Reporting – reporting and analysis features; with a Microsoft Azure subscription these can provide richer data.
Software Architecture and OS
Microsoft maintains and provides all of the software except the device-specific applications. The Azure Sphere OS hosts the high-level application core and communicates with real-time capable applications running on the real-time cores. Its OS services manage network authentication and the network firewall for outbound traffic, and they handle all communication with the Azure Sphere Security Service.
Hardware Architecture
Every subsystem in an Azure Sphere-certified chip sits in its own trust domain. Each layer of the architecture assumes that the layer above it may be compromised, so dynamic compartments and resource isolation add protection within each layer. The built-in Pluton security subsystem is the platform's hardware root of trust; it includes a security processor core, cryptographic engines, symmetric encryption, and ECDSA support for remote attestation.
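The following Go program is an added illustration (not code from this page or from Microsoft) of the hardware root of trust, password-less authentication and ECDSA-based attestation described above: the service challenges a device with a fresh nonce, and only a signature from the key enrolled for the claimed device ID is accepted. The device ID "DW100-0001", the in-memory key and the registry map are constructed stand-ins; on a real Azure Sphere device the private key is generated and held inside Pluton and never leaves it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device stands in for an Azure Sphere device. On real hardware the private key
// lives inside Pluton and cannot be exported; this in-memory key is an assumption.
type Device struct {
	ID  string
	key *ecdsa.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, key: k}, nil
}

// Service models the cloud side: public keys enrolled per device ID; no password exists.
type Service struct{ Registry map[string]*ecdsa.PublicKey }
func (s *Service) Register(d *Device) { s.Registry[d.ID] = &d.key.PublicKey }

// Nonce is a fresh random challenge, so a captured response cannot be replayed.
func Nonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// digest binds the claimed device ID and the nonce into the value that is signed.
func digest(id string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(id+"|"), nonce...))
	return h[:]
}

// Attest signs the challenge with the device key (ECDSA, which Pluton supports).
func (d *Device) Attest(nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.key, digest(d.ID, nonce))
}

// Verify accepts only a signature by the key enrolled for the claimed ID over this nonce.
func (s *Service) Verify(id string, nonce, sig []byte) bool {
	pub, ok := s.Registry[id]
	return ok && ecdsa.VerifyASN1(pub, digest(id, nonce), sig)
}
```

A device that claims the same ID but holds a different key, a replay of an old response against a new nonce, and an unregistered ID are all rejected by Verify.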
Getting Started with Microsoft's Azure Sphere
There are numerous reports of vulnerable and insecure smart home devices, so a development board that can stand in for such devices is essential. The Azure Sphere guardian module combines a cloud-based security service, a Linux-based OS, and a core microcontroller. It has 4MB of SRAM, 16MB of flash storage, and an Arm Cortex-A7 processor, together with the Microsoft Pluton security subsystem, built-in Wi-Fi, and two Arm Cortex-M4F cores. Its I/O, including I2C, SPI, and 27 GPIO pins, makes interfacing with microcontrollers and sensors straightforward.
Once you have the Azure Sphere development board, you need a few additional items to get started, including:
- An unused USB port on the PC
- The Azure Sphere SDK Preview for Visual Studio
- A PC running Windows 10 Update or later
- Visual Studio 2017 IDE, version 15.7 or later (Community, Professional, or Enterprise)
Note that, at the time of writing, the Azure Sphere tools are still in private preview. You do not need a Microsoft Azure cloud subscription to use Azure Sphere and start development.
Summary
When looking for a platform on which to build IoT applications, the Microsoft Azure Sphere module offers a trustworthy foundation. Its rich security features, powerful processors, microcontrollers, and sensors make almost any embedded project possible, and it helps you create secure internet-connected devices that you can monitor, update, maintain, and control remotely.