Microsoft takes holistic approach to IoT security concerns

Azure Sphere extends security from the cloud to the device. It's the most holistic approach on the market and provides another example of Microsoft abandoning its insular past.

Microsoft's latest push takes an end-to-end approach to IoT security concerns in a bid to encourage customers to build applications that incorporate connected devices.

Microsoft Azure Sphere, currently in preview, provides layered security for applications that rely on IoT devices at three levels: hardware, software and cloud. It puts Microsoft's fingerprints on the supply chain in ways beyond what other vendors have done, and it serves as yet another reminder of the philosophical shift within Microsoft toward more openness.

Azure Sphere incorporates microcontrollers with real-time and application processors that include custom chips based on technology with which Microsoft secures its Xbox devices. There's also a Linux-based OS -- a first for Microsoft -- to run software on these devices, and a cloud-based security service to protect communication to and between devices, detect threats and push updates.

Microsoft has worked with device manufacturers to embed its controllers into IoT devices on the market by the end of 2018. It also teamed with silicon manufacturers to develop microcontrollers that include Microsoft's Pluton security subsystem and can connect to Azure and run the Azure Sphere OS. The first of these chips, the MediaTek MT3620, is expected to be widely available later this year.

Security at the hardware, software and cloud layers

Nearly all of the vendors that have IoT platforms offer external security, but few extend that to the actual device controller. Companies such as Huawei Technologies Co. have developed their own OSes, and chip manufacturers, such as ARM, have worked on microcontrollers. But Microsoft may be alone in its attempt to target IoT security concerns at every layer of the IoT application stack.

"What's interesting is the way they've assembled a set of partners to offer all three together and tightly lock these pieces together," said Paul Miller, an analyst with Forrester Research.

Microsoft has headed in this direction for some time, according to industry observers, and it's a more natural transition for Microsoft than for Google or AWS.

"Microsoft intrinsically has a lot more pieces of the puzzle," said Ezra Gottheil, an analyst with Technology Business Research, in Hampton, N.H. "It wasn't a huge leap of faith to make software that's outside their cloud because that's what they've always done."

It can be incredibly time-consuming to test new hardware and then manage and update devices once they're operational, so pulling those steps together with Azure Sphere could accelerate that process, said Sam Vanhoutte, CTO at Codit, an IT services company in Belgium and Microsoft partner that uses Azure IoT services.

Devices are at the heart of many IoT security concerns. The inability to update devices can create significant vulnerabilities, so Azure Sphere would put the onus on the device manufacturer to ensure its products can be patched with the latest software, Vanhoutte said.

Azure Sphere is likely best suited for consumer devices, as opposed to larger devices that may be better served by Azure's edge services, Vanhoutte said.

Still, these chips are relatively high-spec and likely expensive, so don't expect Azure Sphere to take over the entire controller market, Miller said.

"If you're in a market where you can sensibly charge customers a premium for some of these capabilities, then that will make a lot of sense," he added.

Microsoft extends its embrace of Linux

While Azure Sphere aims to tackle IoT security concerns, the service is notable for another reason: It's not Windows-based. The decision to build an OS with a Linux kernel would have been shocking just a few years ago, but, today, there are examples of Linux usage throughout the Microsoft ecosystem, from the ability to run Windows databases on Linux to the fact that 40% of Azure VMs run on Linux.

In this case, it likely made more sense for Microsoft to build something from the ground up with Linux rather than trying to scale down Windows, Gottheil said.

"They've tried to make versions of Windows that are smaller and smaller for a variety of applications, but that's like whittling a canoe down from a battleship," Gottheil said.

The most recent example of this was Windows Nano Server, which was stripped down for containers and released for Windows IoT before it was ultimately scuttled in 2017.

The custom Linux kernel isn't the only bit of tech strategy that would have seemed out of sorts for Microsoft in the past. The silicon security technologies in Azure Sphere are available to manufacturers royalty-free. And while Microsoft would like users to use its cloud-based security to tether these devices to Azure, they will be able to connect to competitors' public clouds, too. Conversely, data from private data centers or other public clouds can be sent to the Azure Sphere security service.

This is more Microsoft pragmatism. More companies use multiple clouds, particularly market leader AWS, and these devices must talk to far too many systems to take a siloed approach.

"These things have to play well with others and comply with all the standards," Gottheil said. "No one is trying to do lock-in in IoT."