Security recommendations for Azure Internet of Things (IoT) deployment
This article contains security recommendations for IoT. Implementing these recommendations will help you fulfill your security obligations as described in our shared responsibility model. For more information on what Microsoft does to fulfill service provider responsibilities, read Shared responsibilities for cloud computing.
Some of the recommendations included in this article can be automatically monitored by Azure Security Center. Azure Security Center is the first line of defense in protecting your resources in Azure. It periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities. It then provides you with recommendations on how to address them.
Use the latest versions of supported platforms, programming languages, protocols, and frameworks.
Keep authentication keys safe
Keep the device IDs and their authentication keys physically safe after deployment, so that a malicious device cannot use a stolen key to masquerade as a registered device.
Use device SDKs when possible
Device SDKs implement a variety of security features, such as encryption and authentication, to assist you in developing a robust and secure device application. See Understand and use Azure IoT Hub SDKs for more information.
IoT Hub secures the connection to devices with Transport Layer Security (TLS), supporting versions 1.2 and 1.0. Use TLS 1.2: TLS 1.0 is deprecated and should be enabled only for legacy devices that cannot be updated.
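As an added example, not code from this article or from the Azure IoT SDKs, the following Python mints a device SAS token the way the documented scheme does (HMAC-SHA256 over the URL-encoded resource URI, a newline and the expiry, keyed with the base64-decoded device key), checks one the way a simplified hub-side verifier would, and builds a TLS 1.2-only client context with certificate and hostname verification for the MQTT connection. The hub name, device ID and keys are constructed; the MQTT username format and the API version string follow the IoT Hub MQTT guidance and are assumptions to check against the current documentation.

```python
import base64
import hashlib
import hmac
import ssl
import time
from typing import Optional
from urllib.parse import parse_qs, quote_plus, urlencode

# Constructed sample identifiers and key material for this example only.
HUB_HOSTNAME = "example-hub.azure-devices.net"
DEVICE_ID = "sensor-001"
DEVICE_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
OTHER_KEY_B64 = base64.b64encode(b"ffffffffffffffffffffffffffffffff").decode()
# Assumed API version for the MQTT username; check the IoT Hub MQTT docs for the current value.
MQTT_API_VERSION = "2021-04-12"


def device_resource_uri(hub_hostname: str, device_id: str) -> str:
    """Resource a device token is scoped to: the device identity within this hub."""
    return f"{hub_hostname}/devices/{device_id}"


def generate_sas_token(resource_uri: str, key_b64: str, ttl_seconds: int = 3600,
                       now: Optional[float] = None) -> str:
    """Mint a device SAS token: HMAC-SHA256 over the URL-encoded resource URI, a newline
    and the expiry, keyed with the base64-decoded device key. Anyone holding the key can
    do this, which is why the key itself must never leave protected storage."""
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    string_to_sign = f"{quote_plus(resource_uri)}\n{expiry}".encode("utf-8")
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign, hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode()
    return "SharedAccessSignature " + urlencode({"sr": resource_uri, "sig": signature, "se": str(expiry)})


def verify_sas_token(token: str, key_b64: str, expected_resource_uri: str,
                     now: Optional[float] = None) -> bool:
    """Simplified model of the hub-side check: structure, scope, expiry, then a
    constant-time signature comparison."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        fields = {k: v[0] for k, v in parse_qs(token[len(prefix):], strict_parsing=True).items()}
    except ValueError:
        return False
    if not all(k in fields for k in ("sr", "sig", "se")):
        return False
    if fields["sr"] != expected_resource_uri or not fields["se"].isdigit():
        return False
    current = time.time() if now is None else now
    if int(fields["se"]) <= current:
        return False  # expired: a short TTL limits how long a leaked token is useful
    string_to_sign = f"{quote_plus(fields['sr'])}\n{fields['se']}".encode("utf-8")
    expected = hmac.new(base64.b64decode(key_b64), string_to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(expected).decode(), fields["sig"])


def build_tls_context() -> ssl.SSLContext:
    """Client context for the hub endpoints: TLS 1.2 or later only, server certificate
    validated against the system trust store, hostname checked."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses TLS 1.0 and 1.1 outright
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def tls_context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Audit helper: does this context refuse TLS 1.0/1.1 and verify the peer?"""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED)


def mqtt_connect_parameters(hub_hostname: str, device_id: str, key_b64: str,
                            ttl_seconds: int = 3600) -> dict:
    """What an MQTT client needs to connect as this device over TLS on port 8883."""
    return {
        "host": hub_hostname,
        "port": 8883,
        "client_id": device_id,
        "username": f"{hub_hostname}/{device_id}/?api-version={MQTT_API_VERSION}",
        "password": generate_sas_token(device_resource_uri(hub_hostname, device_id), key_b64, ttl_seconds),
        "tls": build_tls_context(),
    }


if __name__ == "__main__":
    params = mqtt_connect_parameters(HUB_HOSTNAME, DEVICE_ID, DEVICE_KEY_B64, ttl_seconds=600)
    print(params["username"])
    print(params["password"])
    print("TLS context hardened:", tls_context_is_hardened(params["tls"]))
```

The point to take from the token code is that the device key is the only secret: a token is cheap to mint from it and the hub cannot tell a legitimate device from an attacker who copied the key, so keep the key in protected storage and issue short-lived tokens. The TLS context is what you hand to the MQTT client's TLS setup; the audit helper is the check to run in CI against whatever context your device code actually builds.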
Secure service communication
IoT Hub provides endpoints to connect to backend services such as Azure Storage or Event Hubs using only the TLS protocol, and no endpoint is exposed on an unencrypted channel. Once this data reaches these backend services for storage or analysis, make sure to employ appropriate security and encryption methods for that service, and protect sensitive information at the backend.
Protect access to your devices
Keep hardware ports in your devices to a bare minimum to avoid unwanted access. Additionally, build mechanisms to prevent or detect physical tampering of the device. Read IoT security best practices for details.
Build secure hardware
Incorporate security features such as encrypted storage or a Trusted Platform Module (TPM) to keep devices and infrastructure more secure. Keep the device operating system and drivers upgraded to the latest versions, and if space permits, install antivirus and antimalware capabilities. Read IoT security architecture to understand how this can help mitigate several security threats.
Monitor unauthorized access to your devices
Use your device operating system's logging features to detect security breaches or physical tampering of the device or its ports.
Closely watch your operations by logging events in your solution, and then send the diagnostic logs to Azure Monitor to get visibility into the performance and security of your IoT hub. Read Monitor and diagnose problems in your IoT hub for more information.
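As an added example, not part of the article, here is the kind of check that turns those logs into a detection: it parses constructed sample records shaped like IoT Hub Connections diagnostic log entries and flags any device whose connection attempts are rejected as unauthorized several times within a short window, which is what a stolen or guessed device key being tried from another device looks like. The record shape follows the Connections category (properties carried as a JSON string, result 401003 for IotHubUnauthorized); the resource ID, device names and timestamps are made up, and the window and threshold are tunable assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def _record(ts: str, op: str, level: str, result: str, desc: str, device: str) -> str:
    """Build one constructed log line in the shape of an IoT Hub Connections entry."""
    return json.dumps({
        "time": ts,
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-IOT"
                      "/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/EXAMPLE-HUB",
        "operationName": op,
        "category": "Connections",
        "level": level,
        "resultType": result,
        "resultDescription": desc,
        "properties": json.dumps({"deviceId": device, "protocol": "Mqtt"}),
    })


# Constructed sample export (JSON lines), not a real capture.
SAMPLE_LOG_LINES: List[str] = [
    # sensor-001: one rejected attempt, then a normal connect and disconnect.
    _record("2024-05-01T10:00:00Z", "deviceConnect", "Error", "401003", "IotHubUnauthorized", "sensor-001"),
    _record("2024-05-01T10:00:30Z", "deviceConnect", "Information", "", "", "sensor-001"),
    _record("2024-05-01T10:05:00Z", "deviceDisconnect", "Information", "", "", "sensor-001"),
    # sensor-002: four rejected connects inside about 70 seconds, the burst pattern we want to flag.
    _record("2024-05-01T10:01:00Z", "deviceConnect", "Error", "401003", "IotHubUnauthorized", "sensor-002"),
    _record("2024-05-01T10:01:20Z", "deviceConnect", "Error", "401003", "IotHubUnauthorized", "sensor-002"),
    _record("2024-05-01T10:01:45Z", "deviceConnect", "Error", "401003", "IotHubUnauthorized", "sensor-002"),
    _record("2024-05-01T10:02:10Z", "deviceConnect", "Error", "401003", "IotHubUnauthorized", "sensor-002"),
    # sensor-003: three rejections spread over 40 minutes, below the burst threshold (clock drift, expired token).
    _record("2024-05-01T10:00:00Z", "deviceConnect", "Error", "401003", "IotHubUnauthorized", "sensor-003"),
    _record("2024-05-01T10:20:00Z", "deviceConnect", "Error", "401003", "IotHubUnauthorized", "sensor-003"),
    _record("2024-05-01T10:40:00Z", "deviceConnect", "Error", "401003", "IotHubUnauthorized", "sensor-003"),
]


def parse_record(line: str) -> dict:
    """Pull out the fields the detection needs; properties is a nested JSON string."""
    rec = json.loads(line)
    props = json.loads(rec.get("properties") or "{}")
    return {
        "time": datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
        "op": rec.get("operationName"),
        "level": rec.get("level"),
        "result": rec.get("resultType"),
        "device": props.get("deviceId"),
    }


def failed_connects_by_device(lines: List[str]) -> Dict[str, List[datetime]]:
    """Timestamps of rejected deviceConnect operations, grouped by device ID."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        r = parse_record(line)
        if r["op"] == "deviceConnect" and r["level"] == "Error" and r["device"]:
            failures[r["device"]].append(r["time"])
    return failures


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_suspicious_devices(lines: List[str], window: timedelta = timedelta(minutes=5),
                            threshold: int = 3) -> List[str]:
    """Device IDs with at least `threshold` rejected connects inside one `window`."""
    failures = failed_connects_by_device(lines)
    return sorted(d for d, ts in failures.items() if max_in_window(ts, window) >= threshold)


if __name__ == "__main__":
    print("devices with bursts of unauthorized connects:", flag_suspicious_devices(SAMPLE_LOG_LINES))
```

The same logic belongs in a scheduled query over the exported logs once they land in Azure Monitor; the windowed threshold is what separates a device with a drifting clock or an expired token from one whose credentials are being abused, and a flagged device is a candidate for disabling its identity in the hub and rotating its key.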
For advanced scenarios involving Azure IoT, you may need to consider additional security requirements. See IoT security architecture for more guidance.