Azure Sphere and the Seven Properties

The Azure Sphere platform aims to provide high-value security at a low cost, so that price-sensitive, microcontroller-powered devices can safely and reliably connect to the IoT. As network-connected toys, appliances, and other consumer devices become commonplace, security is of utmost importance. Not only must the device hardware itself be secured, its software and its cloud connections must also be secured. A security lapse anywhere in the operating environment threatens the entire product and, potentially, anything or anyone nearby.

Based on Microsoft’s decades of experience with internet security, the Azure Sphere team has identified seven properties of highly secured devices. The Azure Sphere platform is designed around these seven properties:

Hardware-based root of trust. A hardware-based root of trust ensures that the device and its identity cannot be separated, thus preventing device forgery or spoofing. Every Azure Sphere MCU is identified by an unforgeable cryptographic key that is generated and protected by the Microsoft-designed Pluton security subsystem hardware. This ensures a tamper-resistant, secured hardware root of trust from factory to end user.

Small trusted computing base. Most of the device’s software remains outside the trusted computing base, thus reducing the surface area for attacks. Only the secured Security Monitor, Pluton runtime, and Pluton subsystem—all of which Microsoft provides—run on the trusted computing base.

Defense in depth. Defense in depth provides for multiple layers of security and thus multiple mitigations against each threat. Each layer of software in the Azure Sphere platform verifies that the layer above it is secured.

Compartmentalization. Compartmentalization limits the reach of any single failure. Azure Sphere MCUs contain silicon counter-measures, including hardware firewalls, to prevent a security breach in one component from propagating to other components. A constrained, “sandboxed” runtime environment prevents applications from corrupting secured code or data.

Certificate-based authentication. The use of signed certificates, validated by an unforgeable cryptographic key, provides much stronger authentication than passwords. The Azure Sphere platform requires every software element to be signed. Device-to-cloud and cloud-to-device communications require further certificate-based authentication.

Renewable security. The device software is automatically updated to correct known vulnerabilities or security breaches, requiring no intervention from the product manufacturer or the end user. The Azure Sphere Security Service updates Azure Sphere OS and OEM applications automatically.

Failure reporting. Failures in device software or hardware are typical in emerging security attacks; device failure by itself constitutes a denial-of-service attack. Device-to-cloud communication provides early warning of potential failures. Azure Sphere devices can automatically report operational data and failures to a cloud-based analysis system, and updates and servicing can be performed remotely.