Microsoft’s commitment to leadership in IoT security continues with Azure IoT’s improving the level of trust and confidence in securing IoT deployments. Azure IoT now supports Device Identity Composition Engine (DICE) and many different kinds of Hardware Security Modules (HSMs). DICE is an upcoming standard at Trusted Computing Group (TCG) for device identification and attestation which enables manufacturers to use silicon gates to create device identification based in hardware, making security hardware part of the DNA of new devices from the ground up. HSMs are the core security technology used to secure device identities and provide advanced functionality such as hardware-based device attestation and zero touch provisioning.
In addition, Azure IoT team is working with standards organizations and major industry partners to employ latest in security best practices to deploy support for a wide variety of Hardware Secure Modules (HSM). HSMs offer resistant and resilient hardware root of trust in IoT devices. The Azure IoT platform transparently integrates HSM support with platform services like Azure IoT Hub Device Provisioning and Azure IoT Hub Device Management, thereby enabling customers and developers to focus more on identifying specific risks associated with their applications and less on security deployment tactics.
IoT device deployments can be remote, autonomous, and open to threats like spoofing, tampering, and displacement. In this case HSMs offer a major defense layer to raise trust in authentication, integrity, confidentiality, privacy, and more. The Azure IoT team is working directly with major HSM manufacturers to easily enable access to a wide variety of HSMs to accommodate deployment specific risks for customers and developers.
The Azure IoT team leverages open standards to develop best practices for secure and robust deployments. One of such upcoming standards is the Device Identity Composition Engine (DICE) from the Trusted Computing Group (TCG) which offers a scalable security framework that requires minimal HSM footprint to anchor trust from which to build various security solutions like authentication, secure boot, and remote attestation. DICE is a response to the new reality of constraint computing that continually characterizes IoT devices. Its minimalist approach is an alternate path to more traditional security framework standards like the Trusted Computing Group’s (TCG) and Trusted Platform Module (TPM), which is also supported on the Azure IoT platform. As of this writing the Azure IoT platform has HSM support for DICE in HSMs from silicon vendors like STMicroelectronics and Micron, as well as support for TPM 1.2. There is also support for HSMs with vendor specific protocols like Spyrus’ Rosetta.
Finally, a high-level guidance on risk assessment is to help solutions architects make the proper security decisions, including choice of HSM. While it is possible to overengineer a security solution that ends up being too expensive to adopt, it is also possible to shortcut the solution security engineering for cost reasons. There is therefore the need to understand this interplay between security and cost for an optimal solution. To this end the Azure IoT team offers the Security Program for Azure IoT to assist customers and solution architects access the security of their IoT infrastructure and help find the right security approach for their IoT deployments.
The security journey is one the Azure IoT team is committed to continually help customers and developers navigate to achieve the highest trust and confidence in securing their IoT deployments. This involves supporting a wide range of hardware base security and security standards to secure hardware root of trust for IoT devices
Quelle: Azure
Published by