What Is Azure Sphere Security Service?


Azure Sphere provides more than just a hardware and software platform for building Internet of Things (IoT) solutions. The third component in the mix is the cloud services that Microsoft offers as part of the Azure Sphere platform. The Azure Sphere Security Service (also referred to as AS3) is the cloud component Microsoft offers to close the full circle of IoT security in the Azure Sphere platform. It integrates the hardware microcontroller (MCU), a Microsoft-customized Linux operating system, and the cloud-based Azure Sphere Security Service into a platform for building more highly secured IoT solutions.


The Microsoft Azure Sphere Security Service (AS3) is a trusted authority for all Azure Sphere devices. The AS3 service provides services like remote attestation to authenticate the device and ensure it hasn’t been tampered with, and securely pushing down Azure Sphere operating system (OS) and other software updates to Azure Sphere devices. The Azure Sphere device connects to the AS3 service to authorize the device and ensure that only an authorized version of genuine, approved software runs on the device. By integrating with the AS3 service, the Azure Sphere device will automatically download and install OS updates without any action required on the part of either the device manufacturer or the end-user of the device.

The above diagram shows the overall architecture and role that the Azure Sphere Security Service plays within a larger IoT scenario that you might be building and deploying with hundreds, thousands, or even millions of Azure Sphere devices.

Here’s the description of the different pieces and numbered steps of the scenario outlined in the diagram:

  1. Microsoft releases an update to the Azure Sphere OS and publishes it through the Azure Sphere Security Service. This makes the update available to all Azure Sphere devices, across all customers using Azure Sphere.
  2. Your product engineering team releases a software update for your DW100 product built with Azure Sphere. The software update is released to the Azure Sphere Security Service so that auto-update and deployment to all your deployed devices can be performed.
  3. The Azure Sphere Security Service communicates securely with devices and deploys both the Azure Sphere OS update and your engineering team’s software update to the Azure Sphere devices. These devices could be running at your company locations, or at customer sites anywhere in the world where they have an Internet connection to receive the updates and communicate with the Azure Sphere Security Service.
  4. Your product support team can communicate with the Azure Sphere Security Service to monitor which version of the Azure Sphere OS and your engineering team’s software should be running on each of the products built with Azure Sphere.
  5. Your product support team can also communicate with the other enterprise cloud services that the IoT solution is built on, and your Azure Sphere devices communicate with those same cloud services as you’ve designed them to as part of the IoT solution.
  6. The Azure Sphere devices (wherever they are in the world) download the Azure Sphere OS update, and the update for your engineering team’s software, over their connection to the Azure Sphere Security Service. These devices will also be communicating with any other cloud services that comprise the overall IoT solution.

All communications with the Azure Sphere Security Service (AS3) take place over secured, authenticated connections. The engineering team pushing out software updates will need to authenticate and communicate securely with the Azure Sphere Security Service when rolling out new software updates to deploy to devices. The Azure Sphere devices on the receiving end of these updates also communicate securely in a “per-device authentication” model, to ensure that only authorized devices are able to communicate with AS3 and that they receive the correct software updates.


In addition to the secure communication methods with the Azure Sphere Security Service, the Azure Sphere devices are only able to run authorized software. This is enforced by the security measures built into the Azure Sphere OS, together with the Azure Sphere Security Service, which are set up to only allow cryptographically signed and verified software updates to be installed on Azure Sphere devices.
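To make the “signed and verified” update rule concrete, here is an added Go sketch of the device-side gate; it is not Azure Sphere’s own code or image format. It assumes a constructed manifest (product, version, SHA-256 of the image) signed with an Ed25519 key whose public half is pinned on the device, and the version-rollback check is an extra defensive assumption, not something the article states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Manifest is a constructed, simplified update descriptor (not the real Azure Sphere image format).
type Manifest struct {
	Product   string
	Version   uint32
	ImageHash [32]byte
}

// Encode serialises the manifest deterministically (length-prefixed product, version, hash) so the signature covers every field.
func (m Manifest) Encode() []byte {
	b := binary.BigEndian.AppendUint32(nil, uint32(len(m.Product)))
	b = binary.BigEndian.AppendUint32(append(b, m.Product...), m.Version)
	return append(b, m.ImageHash[:]...)
}

// VerifyUpdate is the device-side gate: the manifest must verify against the pinned
// publisher key, target this product, advance the installed version, and match the image bytes.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, image []byte, product string, installed uint32) error {
	switch {
	case !ed25519.Verify(pub, m.Encode(), sig):
		return fmt.Errorf("manifest signature invalid")
	case m.Product != product:
		return fmt.Errorf("manifest is for product %q, device is %q", m.Product, product)
	case m.Version <= installed: // assumed anti-rollback rule
		return fmt.Errorf("version %d does not advance installed version %d", m.Version, installed)
	case sha256.Sum256(image) != m.ImageHash:
		return fmt.Errorf("image hash does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	image := []byte("constructed DW100 firmware image v2") // constructed sample image
	m := Manifest{Product: "DW100", Version: 2, ImageHash: sha256.Sum256(image)}
	sig := ed25519.Sign(priv, m.Encode()) // publisher side: sign the manifest
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, image, "DW100", 1))
	image[0] ^= 1 // tampered image no longer hashes to the signed value
	fmt.Println("tampered:", VerifyUpdate(pub, m, sig, image, "DW100", 1))
}
```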

Certificate-based authentication and secure software update deployment to Azure Sphere devices are the two primary features of the Azure Sphere Security Service. Monitoring and failure reporting are also very useful features of the service, and they support the other two: it’s important to know which software updates were successfully deployed to devices, and it’s equally important to know about crash reports from deployed software updates.

Hopefully, this article provided you with a better understanding and explanation of what the Azure Sphere Security Service is, and what role it plays in building more highly secured IoT solutions. Building highly secure IoT solutions is very important, and Azure Sphere provides hardware, software, and cloud components to help make this a more easily achievable task for any IoT engineering team building the next great IoT product.

Chris Pietschmann
Microsoft MVP, HashiCorp Ambassador, Founder of Build5Nines.com, Author, Trainer, Principal SRE & DevOps Solution Architect at Solliance.