In a bid to boost the security of so-called Internet of Things devices, Microsoft will licence royalty-free a powerful and upgradable chip design, the heart of an ecosystem it promises will boost protection for millions of network-connected devices expected to be sold in the future.
Even bigger news: Rather than a Windows operating system, the OS is based on a custom Linux kernel.
Called the Azure Sphere MCU (for microcontroller unit), the design has already been picked up by chip-maker MediaTek and will ship to device manufacturers later this year. No customers were announced.
Microsoft president Brad Smith made the announcement Monday at the beginning of the annual RSA Conference in San Francisco.
He showed one of the chips, about the size of a fingertip, which Smith said is five times more powerful than other processors on the market.
“The researchers at Microsoft Research have made advances to strengthen the power of these chips and to put that power to work to protect people’s security,” Smith said.
According to Wikipedia, a microcontroller is similar to a system on a chip, with a processor, memory and programmable input/output peripherals. MCUs are designed for low-power embedded systems.
What makes the Azure Sphere MCU different from others, Smith said, are its hardware and software security features: several layers that prevent hardware attacks, including so-called side-channel attacks of the kind Intel desktop and server chips are vulnerable to; certificate-based authentication, which is hard to crack, for communicating with the manufacturer or other devices, with private keys stored in a hardware-protected vault inaccessible to software; the ability to report a security failure to a manufacturer or enterprise over that trusted link; and the ability to receive security patches.
The chip design includes networking secured with silicon technologies Microsoft pioneered in its Xbox game console, and includes what Smith called “cross-over processing capabilities that enable ambient intelligence in an MCU package for the first time.”
The Azure Sphere OS is based on a custom Linux kernel, optimized for IoT environments, “and has been re-worked with security innovations pioneered in Windows. Of course, we are a Windows company,” Smith said, “but what we realized is the best solution for a computer of this size … is not a full-blown version of Windows.”
“It will enable us to stand behind the technology the way I believe the world needs, because what we will do is ensure these devices are secure throughout their lifetime with the continuing improvements and updating of the Azure Sphere operating system,” delivered through a Microsoft Azure-based security service — or through competitors, including clouds from Amazon AWS, Google Cloud, Oracle and IBM.
Azure Sphere is in private preview. Developer kits will be available in the summer.
In an email, Microsoft said pricing will be a one-time fee that includes the Azure Sphere MCU plus access to the Azure Sphere Security Services and on-device security updates for 10 years. Pricing will vary depending on factors such as the Azure Sphere certified chip used and volume.
In an email, Gartner analyst Saniye Alaybeyi called it “great news … Cheap security for all sorts of IoT devices including cheap toys.” Microsoft chose Linux because most devices in the cloud are based on the open source operating system. “For increased Azure adoption,” she added, “they had to go with Linux.”
Forrester Research analyst Merritt Maxim said in an interview that any time a major company like Microsoft shows a commitment to IoT security, it is generally positive. “Like anything else,” he added, “it’s all about execution. It sounds good in a press release … but six or nine months from now can they deliver on the things they promised?”
He also noted that Microsoft has more than just improving security on its mind. It also wants to increase enterprise use of its Azure cloud platform.
Microsoft has tried to get into this market with standalone OS versions called Windows Embedded and Windows 10 IoT.
The promise of the Azure Sphere platform depends on how many chip makers deliver the MCUs based on the design, and how many manufacturers put it in their devices. Manufacturers face conflicting pressures: Device buyers want security, but buyers are also price-conscious.
In his remarks Smith stayed away from suggesting the Azure Sphere platform could be used in industrial, automotive or medical systems, where BlackBerry’s QNX and Intel’s VxWorks operating systems for embedded systems are well established. The implication is that it’s more for homes and offices. Eric Byres, a Nanaimo, B.C.-based industrial control system (ICS) expert, said in an interview that manufacturers of ICS devices are likely to stick to specialty OSs for the next decade. However, he added, many new makers of small industrial embedded devices that monitor or optimize a process may find Azure Sphere attractive.
“This is kind of cool,” he said of the Microsoft effort. “It should be an interesting play on their part. It looks like a fairly powerful MCU and it runs Linux, yet integrates into their platform. I’d look at it as a developer.”
IoT devices range from smart phones to product counters in refrigerators, smart thermometers in homes and network-connected sensors in pipelines. Smith said some 9 billion controllers will ship this year. However, other than smart phones, few of these systems can receive security updates. As a result, hackers can build botnets of thousands of vulnerable digital video cameras and home routers to launch massive DDoS attacks and distribute malware. The Mirai botnet is a prime example, but there are others.
Cyber security experts worry these vulnerable devices will be with us for years unless they’re replaced, and so will be a constant long-term threat. That led security expert Bruce Schneier to tell last year’s SecTor conference in Toronto that government safety regulation of the Internet of Things is coming.
Some enterprises recognize the problem. Earlier this year Trustwave released a survey of 137 people knowledgeable about and/or responsible for their organization’s IoT-related security practices. Almost 60 per cent of respondents said security concerns are a barrier to the adoption of IoT devices in their organization, with another 25 per cent saying lack of standards is also a barrier.
Only 10 per cent of those surveyed were “very” confident that they can detect and protect against IoT-related security incidents, while 62 per cent are only “somewhat” or “not” confident that they can do so.
It was one of several security-related announcements made by Microsoft. It also released two ways CISOs can measure and improve their security status:
–Microsoft Secure Score, which can score an organization’s security environment by analyzing users’ regular activities and security settings. It’s similar to Office 365 Secure Score, which ranks and compares the productivity suite’s set-up and offers recommendations for improvement;
–Attack Simulator, a part of Office 365 Threat Intelligence, lets security teams run simulated attacks — including mock ransomware and phishing campaigns — to test their employees’ responses.
Both of these are free for companies subscribing to Microsoft 365, a cloud solution that includes Windows 10 Pro, Office 365, data and cyber threat protection.
The upcoming Windows 10 update for the enterprise extends Windows Defender Advanced Threat Protection (ATP) with threat protection and remediation spanning Office 365, Windows and Azure. The update will also include new automated investigation and remediation capabilities in Windows Defender ATP, which Microsoft says will leverage artificial intelligence and machine learning to quickly detect and respond to threats on endpoints.
Microsoft also announced a new Microsoft Intelligent Security Association for tech firms that contribute to Microsoft security products. Members will be able to create more integrated solutions for customers. Palo Alto Networks and Anomali join PricewaterhouseCoopers and other existing partners as founding members of the new association.