20 April 2018

Microsoft goes Linux, in IoT device-to-cloud security surge

Microsoft has done what many would have thought unthinkable just a few years ago – it has launched its own Linux OS as part of its new Azure Sphere security offering. Perhaps more importantly, Microsoft is now licensing chip designs, aiming to provide the silicon, the OS, and then the cloud systems that work together to form a very secure IoT platform. However, this looks very much like a land-grab, and is likely to leave rivals concerned.

The new approach is being pitched at device manufacturers, across a number of markets, including white goods, agriculture, energy, and infrastructure. Microsoft says that it has been sharing its plans for Azure Sphere with a number of these companies, and that they have collectively identified security, productivity, and new market opportunities, as the key benefits.

Azure Sphere is a three-pronged approach, starting at the chip itself, with a new family of microcontrollers (MCUs). The chips are intended to provide hardware-based security, through secure enclaves for handling encryption keys, as well as the real-time and application processor requirements. It seems like these are meant to be standalone chips, to power devices, not add-ons or augmentations.

The next step up is the Azure Sphere OS, which is actually based on Linux – quite a departure for Microsoft. The company says that Azure Sphere OS houses a custom Linux kernel, as well as security innovations that were ‘pioneered in Windows,’ to provide a highly secure software environment to run trustworthy IoT devices and experiences.

The shift towards being more Linux-friendly began after CEO Satya Nadella took charge. There has been a subtle rebranding of the cloud platform, from Windows Azure to Microsoft Azure, and parts of Windows itself have been opened up to Linux.

The final component is the Azure Sphere Security Service, the cloud-based component that will be brokering the device-to-device and device-to-cloud relationships. It will be using all the data collected from Azure Sphere deployments to spot emerging security threats.

Azure Sphere is currently in private preview, with Microsoft saying that it is working closely with select device manufacturers to build future products. It expects the first wave of Azure Sphere devices to be on sale by the end of 2018, with developer kits available in the middle of the year.

MediaTek is the first confirmed supplier of Azure Sphere compliant chips. Its MT3620 is scheduled to arrive in volume this year, as the first certified chip. It will run the Azure Sphere OS, as well as Microsoft’s Pluton security subsystem. Notably, Microsoft is licensing its IP in a royalty-free fashion, hoping to drive scale. It says it has been partnering with other silicon providers, and that other designs are on the way.

The Azure Sphere approach has already garnered some fans. Sub-Zero’s Brian Jones, Director of Product Strategy and Marketing, said “Sub-Zero and Wolf have had a legacy of innovation in food preservation and preparation for over 70 years and we see significant opportunity in the connected devices market to create new and unique customer experiences. As our homes become more connected, we place significant value on the security of connected devices, so we can focus on continuing to deliver an exceptional customer experience. Microsoft’s approach with Azure Sphere is unique in that it addresses security holistically at every layer.”

Neil Naughton, Deputy Chairman of Glen Dimplex, added “Glen Dimplex is a leader in development of intelligent heating, renewable energy solutions and domestic appliances. We recognize that addressing security at every layer of connected devices is critical to shipping connected devices with confidence. The work Microsoft is doing with Azure Sphere uniquely addresses the security challenges of the connected microcontrollers shipping in billions of devices every year. We look forward to integrating Azure Sphere into our product lines later this year.”

In a similar vein to Azure Sphere’s main objective, a number of industry heavyweights have partnered to form the Cybersecurity Tech Accord. With 34 founding members, the group aims to protect consumers and businesses from cybercriminal enterprises and nation-state attacks. The CTA says that economic losses from cyberattacks are expected to reach $8tn by 2022.

The announcement is hard to gauge. Collectively, the CTA promises that its members won’t help governments launch cyberattacks against citizens and businesses, and that they will protect against tampering with or exploitation of their products – meaning, in theory, no backdoors (at least that they’re aware of).

But it is unclear whether there are mechanisms that could force them to comply with a nation-state’s demands, and a public declaration such as this announcement does not seem likely to prevent such pressure. Perhaps it is intended to work like the canary clauses used in certain Terms and Conditions contracts.

The CTA says its members could launch joint projects to improve their products and services, as well as build more formal and informal partnerships, so that they can better coordinate vulnerability disclosures and threat knowledge. ARM says that the CTA will help protect the trillion devices that it expects to see deployed over the next 20 years.

The full list of members reads: ABB, ARM, Avast, Bitdefender, BT, CA Technologies, Cisco, CloudFlare, Datastax, Dell, Docusign, Facebook, Fastly, FireEye, F-Secure, GitHub, GuardTime, HP Inc, HPE, Intuit, Juniper Networks, LinkedIn, Microsoft, Nielsen, Nokia, Oracle, RSA, SAP, Stripe, Symantec, Telefonica, Tenable, TrendMicro, VMware.

Notable absentees are Apple, Intel, Google, and Qualcomm. Speaking of Intel, the company has also announced new security features this week, revealing its Threat Detection Technology (Intel TDT) and its Intel Security Essentials (ISE). The TDT package is a set of silicon-level features that it says will help the Intel ecosystem detect new classes of threats. The ISE system is a framework that is meant to standardize the built-in security features across Intel’s portfolio of processors.

The company had a very bad year, suffering prolonged bad press from its handling of the Meltdown and Spectre vulnerabilities. Its slow patching cadence did it no favors, and if it had a competent rival that could scale to take advantage of the opportunity, it could have really lost some market share. Unfortunately, in the x86 marketplace, AMD was not able to take advantage. Intel is going to be spending a long time trying to improve its security image, and these announcements are part of that process.