Secure by Default with Microsoft: “Without IoT security people will be reluctant to innovate.”
In the second of our two #beyondthenow podcast episodes with Microsoft, we take a deep dive into IoT security with Eustace Asanghanwa (Principal Program Manager for Security, Azure IoT, Microsoft). Eustace and David discuss the challenges of IoT security, how to implement it and how resources like protection profiles can help. They also discuss how Microsoft Azure’s PSA Certified Level 1 certification is helping to facilitate better collaboration with the ecosystem.
How Azure RTOS achieving PSA Certified Level 1 addresses the ‘trilemma’ of IoT security.
How securing devices will give the industry confidence and will ultimately unlock innovation.
The elements that must be considered if you want to have a ‘secure by default’ approach.
Discover Key Talking Points in this Episode
- Introductions to Eustace and Microsoft. [01:24]: “I’m the principal program manager for security on the Microsoft Azure IoT engineering team. And there my role is really focused on security, especially on the client-side, making sure that security is designed in from the get-go, building systems that are secured by design. I know these are buzz words, but when you really put it into practice, it means a lot. It means working on the platform itself, but working in collaboration with the rest of the ecosystem. I’ve been with Microsoft for about five years now and before joining Microsoft, I spent 20 years in the semiconductor industry in different roles, but all of it around security. From design applications to business development, and that exposure gave me an opening to see what security really means in the industry. From a technology point of view, from a commercial point of view. For example, how do people make decisions about building insecurity in their systems? Working at Microsoft and still keeping that connection with the industry that is where we can work together in order to make sure that systems are designed to be secured from the get-go.”
- The Azure RTOS is PSA Certified Level 1 and how this addresses the ‘trilemma’ of IoT security. [03:56]: “We are very excited that AzureRTOS is PSA Certified. It’s a very big deal. When I think of IoT, I think of this trilemma of things you must balance:
- How to scale the platform across different hardware.
- How to address hardware with different compute resources. I’m thinking rich hardware, in terms of processing power and memory and all the components that go into that compute, as opposed to constraint hardware.
- The other pillar is the availability of resources. When it comes to the problem of scale, for example, it is easy to build a software development kit (SDK) that would work with just any hardware or any compute resource out there. However, the result is an very big SDK, and it may not fit hardware constrained in resources.
- This balance is a problem, as developers have to make a decision. Either go in and scale down the SDK or build their systems from scratch. When developers develop their implementation, they often lose security robustness as they suddenly only use one source of knowledge instead of having an ecosystem collaborate on a platform.”
We are very excited that the AzureRTOS is PSA Certified, it is important to us because it is a nod that we are moving in the right direction and being recognized for that.
- PSA Certified is also helping to facilitate collaboration between the AzureRTOS and the ecosystem. [06:56]: “A big benefit of working with the larger community is collaborating on security to ensure systems are secured. So on a platform like AzureRTOS, the team has done an incredible job in integrating with individual hybrid components. They know what it takes to do that and securely so that they take advantage of all this hardware security as offered by the hardware platforms- the MCUs and all the processors- they know how to do that. They have done a good job in that. Still, at the same time, they recognize that if you work collaboratively on a joint project in an open ecosystem, you heighten the value of security because you benefit from the oversights of everybody collaborating on that platform. So PSA Certified is important to us because of that and is a nod that we are moving in the right direction and being recognized for that.”
- People value IoT security but they don’t always know what it means. [09:41]: “We are all going into a connected world where our fates are joined together, whether we like it or not. Security is end-to-end and only as strong as the weakest link. We are all one ecosystem because the world is connected, and we have to be secured from every angle and any vulnerability at any point, whether it is the devices themselves but also related to devices is the processes that the devices go through.”
- Securing the IoT will encourage new innovations [10:44]: “The piece that I think is also important, that may not come to the forefront, is without security, people will be reluctant to innovate. You want to innovate when you know that your innovations will pay off and they will not be subverted. By securing IoT, you are helping people to innovate, which is the essence of IoT: bringing innovations in technology to build a better world. “
- The autonomy of IoT devices is removing the ‘human companion’ and the IoT security protection that provides. [12:01]: “There was always a human companion to a device and that human companion provided some level of security to that device. So, a laptop, for example, the way you secure it, you consider that laptop being in possession of somebody who also adds to the security profile of the laptop, by making sure that that laptop is only in their possession and not in the possession of some malicious person. Now moving into IoT, we have a lot more devices being autonomous, making intelligent decisions, being on their own. They don’t have any human companions anymore. What that means is that the security profile of the device needs to be raised.
Secure by default is recognizing the fact that it is important to think of security upfront rather than try to add security at the end. The general notion is this, if somebody or an organization wants to build a product, they want to get a functional product before adding security. And when they do it like that, they miss many opportunities to incorporate security into the product. Security ends up being disjointed additions to the product, and exploiters are very savvy at exploiting those disjoints. So it is important that when building security, you have to build the solution to be secured from the get-go.
- When you design-in security you need to consider the product’s entire lifecycle. [18:52]: “Thinking of it end to end means building countermeasures in order to make sure that every aspect of security is addressed, from the supply and manufacturing chain to onboarding, to operation, to transfer of ownership to retirement. When you think of it this way, it influences how you build a product itself, the kinds of software platforms or the kinds of hardware platforms that you choose, and the way you collaborate with the rest of the ecosystem. Because what you realize is that in the ecosystem, there are many contributors of value to this. It is not just the chip makers, the hardware security module (HSM) makers, or the device manufacturers (OEMs). You have public key infrastructure (PKI) providers, you have other value providers like update services, all of those have to be thought through and make sure that the entire solution is working cohesively.”
- People are willing to invest in IoT security because they understand the value of the IoT and digital transformation. [22:10]: “The good news is that IoT is a new area that many people are seeing the value of. There are some new technologies or new paradigms where people scratch their heads to see, where is this going? What is the value of this? Fortunately, IoT is one of those where companies directly see the value in it. They see how it adds value to their systems, to their operations, or their organizations. And they see the value of security and they’re willing to work towards enhancing the security of IoT. And in this sense, like any other technology or any other up-and-coming new area, we learn as we go.”
- Microsoft Azure’s Blueprint approach to IoT security. [27:39]: “The efforts that we’ve been working on with ecosystem partners is this blueprint approach to IoT security. One of them is the zero-touch provisioning blueprint approach, working with the domain experts like the OEMs, the HSM providers, and the PKI providers for certificates. Which involves all the services that are required to make sure that the devices that are built are customized. So that when the system integrator receives the device, you have high confidence that all the technologies going into it, have been properly composed, securely composed, and the device is ready to connect. All they have to do is power the device, turn it on, and a device autonomously knows how to onboard and then get into their systems. Recently we also announced a blueprint for enclave devices and enclave has to do with confidential computing, which is solving another area of security that has to do with protecting privacy and also protecting safety, especially in terms of safe remote operation. What we see now is that these intelligent devices are making more and more decisions and making common and control decisions at the edge and we want to make sure that the environment where the compute is happening is protected confidentially. One of the big and upcoming areas is autonomous control of systems and subsystems in vehicles, like driverless vehicles. So you wouldn’t want any of those environments to be tampered with when a vehicle is moving. That is an example just to bring out the kind of safety we’re talking about here and absolutely the importance of it.”
- Confidential Compute and the edge. [31:47]: “The confidential computing part of it is making sure that for companies that have sensitive intellectual property, they are reluctant to move to the edge, but this is where the technology itself is of its highest value. If it’s being operated at the edge, that is where the first and foremost proposition of confidential computing brings value, to protect that IP. But the way we approach confidential computing means that you give safe isolations to perform executions. And these isolations are isolations from even the operating system itself. There are hardware isolations that are isolated from everything else inside of the device. It gives the highest assurance that there is no visibility into that environment, giving a guarantee that there is nothing that is going to go in and tamper with the activities of that environment. So that brings in the safety aspect of it.”
- Protection profiles help us to answer the question ‘Is this device secured?’ [33:21]: “Protection profiles bring a lot of value. And we learned this again through experience. So if you think of the very early days of IoT, we’re talking maybe six, seven, eight years ago, it was more machine to machine and things like that. But if you think of it six years ago, it was cloud service providers, solution builders would bring their devices, they do a connection and everything connects. The solution builders get their devices from OEMs to build the devices and say “my device can connect, you know, to this endpoint or this cloud”. And sometimes they even take the step to put in the requirements of connecting to specific clouds, like an SDK, for example. So by the time the solution builder is buying the device, it is already capable of connecting and talking to specific clouds, depending on how they put together the devices. Now over and over, one question keeps coming up from the solution builders. And the question is, ‘is the device secured?’ And that is a question they’re asking to the device providers, which are largely OEMs and ODMs. Typically the answer would be yes, of course it is secured. But then when you dig deeper into it, what does that mean? What is secure? And the justification usually comes in saying, ‘yeah, I implemented TLS, which is transport layered security, meaning that the communication is secured from end to end, or it has a TPM, which is a kind of trusted platform module secured chip to provide a trust anchor’. But at the same time, it says nothing about whether the TLS is implemented in such a way that it cannot be subverted or whether the root of trust is actually present inside of the device. You realize that to claim that a device is secured, some foundational things must be in place. I just mentioned secured communication. I mentioned having a root of trust. In order to answer, ‘is this device secured?’ it takes a long checklist of things that must be in place foundationally, like a baseline, in order to even make that claim.”
- Protection profiles create a baseline of requirements for specific devices to be secured. [36:20]: “When the system integrators ask whether the device is secured, they haven’t really spent time understanding what this long list is. Part of it is probably because they just want to focus on building the application that they want to build, or they may not have the knowledge to do that. OEMs on the other side, they do understand what this list is, but unfortunately, to have all the checkmarks it means putting a lot of resources in. The OEMs together with the HSMs (hardware security modules), the root of trust providers, have the deepest knowledge in these areas, but they are not going through that because there is no way for them to monetize all this effort. Devices traditionally have been valued by the CPU speed or how much RAM, or how much hard drive, but nothing about security. There is no way to measure this, to show the added value of the engineering that goes into security. So there hasn’t been a way to communicate device security. So we actually worked with members of industry, big names, to create a protection profile for IoT devices, for intelligent edge devices. We call this the edge compute node protection profile using the common criteria framework. A protection profile is a way of defining a list, a baseline for what it means for a device to be secured. It gives a standard that if an OEM says that this device is secured and is secured according to this protection profile, which is backed by measurements from this lab, and also operating under the auspices of this certification body, it gives confidence to this system integrator that this means something. So protection profiles are that means of communicating. And also for the OEMs to be able to say that we did invest engineering into the security of this device so we can command some margins to compensate us for that engineering.”
- We expect to see a more cohesive composition between IoT security certification schemes that target different functionalities and markets. [41:27]: “You may have a certification that deals with the root of trust. You may also have a certification that deals with the different services: attestation, updates, and many things like that. However, there are also certifications that market-specific. For example, if that device is operating in the medical industry in the US, you might want to say that this device is also HIPAA certified– which is one of the regulations regulating patient content in medical devices in the US. Or if you’re in the industrial space, which is something that is coming up a lot and many people are asking questions about, they want to know whether the device is IEC62443 certified. Each of these certifications- they work together. In my opinion, they should work together in composition where they are built in such a way that this composition can happen, and this composition continues to mature.”
Right now, it seems like many organizations still look at security as a cost line item. They must decide whether to invest in this particular component of security or not, and they’re looking at it only from a cost point of view. I’m thinking that in five years, that is going to go away, people will be more willing to invest in the value that the product provides
- Eustace’s predictions for the IoT in 5 years’ time. [46:02]: “Right now it seems like many organizations still look at security as a cost line item. They have to decide whether to invest in this particular component of security or not, and they’re looking at it only from a cost point of view. I’m thinking that in five years, that is going to go away, people will be more willing to invest in the value that the product provides. And that value is not just the application value, but the stability of that application and the security of that application. So what that means is that the solution builders are more willing to invest in services that provide security rather than the components that want to manage the security. And what that means to OEMs for example, instead of trying to see how they can build, sell, and forget, and hope that it doesn’t come back for recall or anything like that. They should be thinking of devices as offering a service. So, they build a device, they sell, or they lease a device, and then they provide security because security has to be renewed continually. I’m thinking in five years, the tension of the cost of security, which is tied to the cost on the bill of materials is going to change into more of this service dynamic. Where everybody wins. Right now OEMs feel like they’re in a position where they can build secure devices, but they are not rewarded for the engineering and the effort that they put into security. When we have this service industry going, it’s more of a sharing model where they are participating in the sharing of the monetization that comes from the services and security is going to be truly uniform. So, it’s not a new technology, it’s just a maturity of thinking, a maturity of culture and I believe that is going to be ubiquitous in the next five years.”
- Eustace’s top piece of IoT security advice. [50:26]: “For any listener that has been listening up to this point, I want to thank them because security can be a very dry topic to listen to! I want to encourage them to recognize that when we have a secure world, we are not only trying to prevent malicious activity, we are trying to provide the environment to empower innovators to innovate even more in the future without fear of their efforts being undercut. If they have the confidence that IoT is secured, they are more encouraged to bring forth even more innovations at a higher rate than what the IoT has been delivering so far. Also, achieving security does not mean that you must be an expert in cryptography, or be an expert in different security protocols. You don’t have to be an expert in security in order to benefit from security or encourage a secured world, just participating in the right processes and moving towards a service model will bring us there.”
More About Your Podcast Host David Maidment
David Maidment (Senior Director of the Secure Device Ecosystem at Arm- a PSA Certified Co-founder) leads our discussions on the latest trends and developments from the world of IoT security.
Based in Cambridge UK, David brings over 25 years of experience in the embedded and IoT industry. He specializes in the intersection between device security and business assurance to drive best practice security adoption across the electronics industry. In his role at Arm, David leads device security ecosystem activities including the widely adopted PSA Certified initiative.