Imagine a factory producing automotive or aircraft components, where data about different production steps is collected and used for improvement and analysis. A potential attack on the system by hackers could cause real problems. They could steal or falsify sensitive data. This is why Microsoft gave us Azure Sphere – a secured solution for IoT devices.
The Internet of Things is not just about manufacturing and programming hardware devices. There are many additional aspects, such as receiving or sending data to and from them.
All these connections need to include a proper security system. Microsoft has recently devised a tool for that very purpose: Azure Sphere.
What is Azure Sphere?
Microsoft’s website states that “Azure Sphere is a solution for creating highly secured, connected Microcontroller (MCU) devices” (source). But it is not just about MCU, of course.
The solution also includes an operating system and an application platform. This provides product manufacturers with a chance to create secured, internet-connected devices that can be controlled, updated, monitored and maintained remotely.
What are the three key components of Azure Sphere?
Azure Sphere consists of three main parts:
- a secured micro-controller unit (MCU)
- a secured operating system (OS)
- the Azure Sphere Security Service, running in the cloud
Here we will go into a little bit more detail on each one.
Secured Micro-controller Unit (MCU)
The first part is a crossover class of MCU with built-in Microsoft security technology and connectivity. Each Azure Sphere MCU includes a wireless communications subsystem that facilitates an internet connection.
It is worth mentioning that the Sphere’s MCU provides a kind of hardware firewall or “sandbox” that ensures that only certain I/O peripherals are accessible to the core to which they are mapped. Consequently, an application cannot use a sensor or any other peripheral without first declaring it.
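As an added illustration that is not part of the original article, this is the shape of the app_manifest.json that the Azure Sphere SDK uses to make that declaration for one application: only the GPIO pins and outbound hosts listed under Capabilities are reachable from the application, and everything else is refused by the platform. The application name, component ID, pin numbers and hostname are placeholders chosen for a washing-machine firmware, not values from the article.

```json
{
  "SchemaVersion": 1,
  "Name": "PredicaWasherApp",
  "ComponentId": "00000000-0000-0000-0000-000000000000",
  "EntryPoint": "/bin/app",
  "CmdArgs": [],
  "Capabilities": {
    "Gpio": [ 8, 9 ],
    "AllowedConnections": [ "washers-hub.example.net" ],
    "WifiConfig": false
  },
  "ApplicationType": "Default"
}
```

Keeping this list to the two pins and the single hub the firmware really uses is the least-privilege choice: a compromised application still cannot reach undeclared peripherals or talk to any other host.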
The application processor also features an ARM Cortex-A subsystem, responsible for executing the operating system, applications and services. It supports two operating environments:
- Normal World (NW) – executes code in both user mode and supervisor mode.
- Secure World (SW) – executes only the Microsoft-supplied Security Monitor.
Secured Operating System (OS)
The second component is a highly-secured OS from Microsoft with a custom kernel running on top of Microsoft’s Security Monitor. This creates a trustworthy defense-in-depth platform.
The purpose of the OS services is two-fold: to host the application container, and to facilitate communication with the Azure Sphere Security Service described below. These services manage Wi-Fi authentication and include a network firewall for all outbound traffic.
Azure Sphere Security Service
The Azure Sphere Security Service guards every Azure Sphere device by renewing security, identifying emerging threats, and brokering trust among devices and the cloud. It also provides certificate-based authentication. Additionally, the remote attestation service connects with the device to verify that it booted with the correct software, including its version.
Furthermore, the Security Service distributes automatic updates for all Microsoft-supplied Azure Sphere OS and OEM software. As a result, manufacturers can securely update their devices remotely without having to worry about whether an update has been falsified.
Finally, there is a small crash-reporting module which provides crash reporting for deployed software.
How does Azure Sphere work in practice?
You might wonder how to use Azure Sphere in a real-life scenario. Let’s say that our company, Predica, is a manufacturer of washing machines.
In our example, Predica provides high-class, intelligent washing machines that users can remotely control from a mobile app. Each washing machine has an embedded Azure Sphere MCU.
Predica has a software development team responsible for developing both software for the washing machines, as well as the mobile application. There is also a support team responsible for maintenance and detection of potential errors.
Take a look at the diagram below that visualizes the scenario:
As you can see, there are three main parties in the network:
- Microsoft – handles the security aspect. The Azure Sphere Security Service is used to send system updates automatically, so Predica as the manufacturer does not have to worry about them.
- Predica software team – develops and releases revisions of software for the washing machines, which are uploaded to the devices using Microsoft Azure cloud services.
- Predica support team – responsible for maintenance, checking the system and application versions on each washer, as well as detecting possible issues.
Azure Sphere provides a way to monitor and control all devices in a secured and centralized way. This is the real power of this solution.
How to begin your journey with Azure Sphere?
The Azure Sphere Development Board (hardware) is already available to you. You can order it from the Seeed Studio online store. However, once you receive the board, there are a few additional things that you will need to get started:
- Visual Studio 2017 IDE – Enterprise, Professional or Community, version 15.7 or later
- A PC running Windows 10 Anniversary Update or later
- Azure Sphere SDK Preview for Visual Studio
- An unused USB port on the PC.
It is important to note that at this time the tools for Azure Sphere are still in preview. You do not require a Microsoft Azure cloud subscription to use Azure Sphere and start development.
Before you begin, make sure to also review the device setup instructions in the official Microsoft documentation.
In this article I described Azure Sphere, a solution from Microsoft that enables creating secured and Internet-connected microcontroller (MCU) devices. I also covered the three main components of the solution: a secured OS, cloud security and a secured micro-controller unit (MCU).
You should now have a better idea of how to keep your IoT network secure. Azure Sphere provides a comprehensive solution, not just based on hardware, but also software and cloud services.
A preview version of this technology is now available. I encourage you to try it out and let me know your thoughts. If you wish to learn more – get in touch!