The Internet of Things (IoT) is transforming one industry after another, driving massive growth in the adoption of connected and intelligent devices over the next 10 years. Our goal is to simplify the journey in IoT so that any customer, no matter where they are starting, can create trusted, connected solutions that improve their businesses and customer experiences. The importance of a holistic approach to security that is robust enough to handle the complexity of IoT systems—from cloud to edge—cannot be overstated. Earlier this month, we announced Microsoft is investing $5 billion in IoT over the next four years; part of that investment is dedicated to dramatically improving IoT security.
Although we are making strong progress as an industry securing more capable IoT devices, they represent only a small part of the 20 billion devices expected to be connected by 2020. The majority of connected IoT devices in 2020 will be small MCU-class devices.
This week at the 2018 RSA Conference, we are thrilled to announce two large advances in securing the Internet of Things:
- The Preview of Azure Sphere, the industry’s first holistic platform for providing security for MCU-class devices
- The Security Maturity Model, which is being developed in partnership with the Industrial Internet Consortium (IIC)
Azure Sphere: A solution to secure and power a new class of IoT devices at the intelligent edge
As more consumer products, industrial devices, and manufacturing services become connected, a piece of hardware will be present in nearly every one of them: a tiny chip called a microcontroller (MCU). No larger than a thumbnail, these chips will play a vital role in device performance, hosting essential functions such as compute, memory, and storage. With over 9 billion MCU-powered devices shipping every year, ranging from toys and home appliances to industrial equipment, they are a particularly vulnerable target for attackers—and that’s why a complete security solution for them is essential.
Azure Sphere has its origins in Microsoft Research, where years ago a team began exploring the future of connected devices and developing ways to secure the vast number of future internet-connected MCU-powered devices. As the team pursued its agenda to deliver a scalable and affordable way to secure these devices, they drew on Microsoft’s decades of expertise in silicon, software, and cloud. Azure Sphere is the industry’s most holistic solution for securing connected MCUs. It includes three components that work together to protect and power devices at the intelligent edge:
- Azure Sphere-certified MCUs
- The Azure Sphere OS
- The Azure Sphere Security Service
The protection starts in the silicon with built-in security technology from Microsoft, inspired by 15 years of experience and learnings from Xbox, to secure this new class of MCUs and the devices they power. The OS combines security innovations pioneered in Windows, a security monitor, and a custom Linux kernel to create a highly secured software environment and a trustworthy platform for new IoT experiences. Finally, the Azure Sphere Security Service guards every Azure Sphere device by managing communications, constantly monitoring and detecting possible threats, and renewing security.
This comprehensive, cloud-to-edge approach to security gives manufacturers the ability to produce the next generation of connected devices while helping ensure protection at every level. To learn more about Azure Sphere and what it can do for you, read our full announcement.
Security Maturity Model: A framework for building security into your system over the long-term
We’re also thrilled to announce the Security Maturity Model, which is being developed with the IIC.
With the continually evolving savvy of attackers and ongoing introduction of new technology, the security landscape is in a state of constant flux. This means that having the right tools in place is only one part of a complete security solution. It is also crucial to assess the security needs of your organization and develop a strategy and set of practices that meet those requirements.
The purpose of the Security Maturity Model is to give IoT providers a framework for designing a comprehensive and sustainable approach to security that addresses their goals, but does not cause them to over-invest. This guide is built on the belief that a full understanding of an organization’s potential threats and vulnerabilities is the only way to establish security controls that will remain effective over the long term. It defines security mechanisms and controls that successfully meet organizational goals as “mature”—meaning that, regardless of their objective strength, they are appropriate for an organization’s unique needs. Therefore, the “security maturity level” is a measure of multiple factors related to an organization’s current security level, such as its knowledge of its own and its industry verticals’ threat profiles, regulatory and compliance requirements, costs and benefits of its current security plan, and so on.
The Security Maturity Model builds upon prior Microsoft resources, such as the “Seven Properties of Highly Secure Devices,” to help organizations design and maintain more secure IoT infrastructures. Those interested in building fundamental security practices into their IoT systems can access this document at https://www.microsoft.com/en-us/research/publication/seven-properties-highly-secure-devices/.
Microsoft’s commitment to security is grounded in decades of direct experience dealing with the realities and complexities of technology, its vulnerabilities, and the constant—ever-evolving—threat of attacks. As organizations continue to embrace the connectivity benefits of IoT, we’re drawing on this experience to help them come up with modern, secure systems that place customer trust first.
Empowering Customers in IoT
From the cloud to the edge, Microsoft’s IoT offerings span software, cloud, and devices. With the addition of Azure Sphere, Microsoft is addressing security for the spectrum of the billions of connected devices from microprocessors to the smallest edge at the microcontroller level. These announcements are part of a comprehensive set of existing programs and resources we offer customers to better protect themselves.