This document discusses Microsoft's Azure IoT services and how they can be used to connect, manage and secure IoT devices. It provides an overview of Azure IoT Hub for device connectivity and communication with the cloud, as well as related services for storage, analytics, notifications and more. It also addresses security considerations for IoT including authentication, authorization, encryption and managing access.
9. Windows 10 IoT editions
Windows 10 IoT Enterprise (Windows 10 Enterprise for IoT devices)
  1 GB RAM, 16 GB storage; x86
  Enterprise manageability and security, rich user experience, Win32 & UWP
Windows 10 IoT Mobile (Windows 10 Mobile Enterprise for IoT devices)
  512 MB RAM, 4 GB storage; ARM
  Handheld devices, Modern Shell & UWP, lockdown and multi-user support
Windows 10 IoT Core (OEM Pro Edition) (new Windows 10 version for IoT devices)
  256 MB RAM, 2 GB storage; x86 or ARM
11. DISCOVER nearby friendly devices
IDENTIFY services running on those devices
ADAPT to devices coming and going
MANAGE diverse transports
INTEROPERATE across different OSes
EXCHANGE information and services
SECURE against nearby bad actors
13. Azure IoT Hub architecture (diagram)
Devices connect to the IoT Hub Gateway over HTTPS, AMQPS or MQTT; a self-hosted gateway bridges MQTT or custom protocols, and a field gateway bridges OPC UA, MQTT, CoAP, AllJoyn, ...
IoT Hub: Identity Registry, Device Management, Provisioning
Data and Command Flow: Event Hub; per-device command queues
APIs: Management, Communication, Provisioning
15. Intelligent Systems Service / Azure IoT Suite
Connect: Connect technology assets to other devices, cloud-based services and infrastructure
Configure: Configure rules and executable scripts that define actions on devices
Harness: Efficiently capture, store, visualize and analyze data to drive meaningful business insights
Administer: Apply business rules to remotely manage and govern devices
Extend: Address variable demand with scalable, efficient data collection and storage in the cloud
26. Microsoft Azure IoT Services
Devices: devices and external data sources
Device Connectivity: Event Hub, IoT Hub, Service Bus
Storage: SQL Database, Table/Blob Storage, DocumentDB, 3rd party databases, Data Lake
Analytics: Machine Learning, Stream Analytics, HDInsight, Data Factory
Presentation & Action: App Service, Power BI, Notification Hubs, Mobile Services, BizTalk Services
27. STRIDE Threat Implementation
Spoofing: How do we know we are talking to the right device? Implementation: authentication; secure channels
Tampering: How do we make sure that the device was not tampered with (physically or environmentally)? Implementation: authorization; secure channels
Repudiation: Modifying audit logs. Implementation: authentication; secure logging and auditing; digital signatures
Information Disclosure: Eavesdropping on the communication. Implementation: encryption; authorization
Denial of Service: DoS against service/device (resource exhaustion, power drain, ...). Implementation: throttling; highly available design; authorization; controlling inbound connections
Elevation of Privilege: Forcing the device/service to do something it was not supposed to do. Implementation: authorization; least privilege
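The Spoofing row above (authentication over a secure channel) is what IoT Hub's per-device identity registry implements: every device holds its own symmetric key and presents a shared access signature (SAS) token scoped to its own device resource. The following is an added example, not code from the slides or from the Azure SDK, that mints such a token on the device side and models the checks the service performs on the other side. The token format and string-to-sign are the documented IoT Hub ones (sr, sig, se; HMAC-SHA256 over the URL-encoded resource URI, a newline and the Unix expiry). The hub name, device IDs and keys are constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

# Constructed identity registry for this example: device id -> (primary key,
# secondary key), both base64 as IoT Hub stores them. Two keys per device let
# an operator rotate one key while devices still connect with the other.
HUB = "contoso-hub.azure-devices.net"  # constructed hub name
REGISTRY = {
    "thermostat-01": (base64.b64encode(b"thermostat-01-primary-key").decode(),
                      base64.b64encode(b"thermostat-01-secondary-key").decode()),
    "pump-07": (base64.b64encode(b"pump-07-primary-key").decode(),
                base64.b64encode(b"pump-07-secondary-key").decode()),
}


def device_uri(device_id: str) -> str:
    """Resource URI a device-scoped token is bound to: <hub>/devices/<id>."""
    return f"{HUB}/devices/{device_id}"


def _signature(resource_uri: str, key_b64: str, expiry: int) -> str:
    # IoT Hub string-to-sign: URL-encoded resource URI, newline, expiry (Unix seconds).
    string_to_sign = f"{quote(resource_uri, safe='')}\n{expiry}".encode("utf-8")
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def generate_sas_token(resource_uri: str, key_b64: str, expiry: int) -> str:
    """Device side: mint the token sent as the MQTT password / HTTP Authorization header."""
    sig = _signature(resource_uri, key_b64, expiry)
    return (f"SharedAccessSignature sr={quote(resource_uri, safe='')}"
            f"&sig={quote(sig, safe='')}&se={expiry}")


def parse_sas_token(token: str) -> dict:
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    fields = {}
    for part in token[len(prefix):].split("&"):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed field")
        fields[name] = unquote(value)
    return fields


def verify_sas_token(token: str, registry: dict, expected_uri: str, now: int):
    """Service side (models the checks IoT Hub performs). Returns (accepted, reason)."""
    try:
        fields = parse_sas_token(token)
        sr, sig, se = fields["sr"], fields["sig"], int(fields["se"])
    except (KeyError, ValueError):
        return False, "malformed token"
    # Spoofing: a token is bound to one resource, so device A's token is useless as device B.
    if sr != expected_uri:
        return False, "token scoped to a different resource"
    # The expiry is covered by the signature, so it cannot be extended after the fact.
    if se <= now:
        return False, "token expired"
    keys = registry.get(sr.rsplit("/", 1)[-1])
    if keys is None:
        return False, "unknown device"
    for key_b64 in keys:
        # Constant-time comparison so a forger learns nothing from timing.
        if hmac.compare_digest(_signature(sr, key_b64, se), sig):
            return True, "ok"
    return False, "bad signature"


def demo():
    now = int(time.time())
    uri = device_uri("thermostat-01")
    token = generate_sas_token(uri, REGISTRY["thermostat-01"][0], now + 3600)
    print(token)
    print(verify_sas_token(token, REGISTRY, uri, now))
    print(verify_sas_token(token, REGISTRY, device_uri("pump-07"), now))


if __name__ == "__main__":
    demo()
```

The scoping is the least-privilege point from the Elevation of Privilege row: a device key can only sign tokens for that device's own resource, so a compromised device cannot mint a hub-wide token, and a stolen token dies with its expiry. Real deployments keep expiries short and send the token only inside the TLS session (the "secure channel" column), since anyone who captures it can use it until it expires.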
28. Policies, Procedures, Guidance (diagram)
Security layers per tier:
  Cloud: Physical; Global Network; Identity and Access Control; Application; Data; Host
  Field Gateways: Physical; Local Network; Edge Application; Data; Host
  Devices: Physical; Local Network; Edge Application; Data; Host
Controls: Data privacy protection and controls; People and device identity federation, data attestation; Trustworthy platform hardware, signed firmware, secure boot/load; Secure networks, transport and application protocols, segmentation; Tamper/intrusion detection; Physical access security
29. IoT Sweet Spot (diagram): devices range from $1 sensors through $400 phones and $1000 PCs to $10000 servers, plotted against cost, computational capabilities, memory/storage capacity, energy consumption/source and component quality
31. http://azure.microsoft.com/en-us/support/trust-center/
ISO 27001/27002
SOC 1/SSAE 16/ISAE 3402 and SOC 2
Cloud Security Alliance CCM
FedRAMP
FISMA
FBI CJIS (Azure Government)
PCI DSS Level 1
United Kingdom G-Cloud
Australian Government IRAP
Singapore MTCS Standard
HIPAA
CDSA
EU Model Clauses
Food and Drug Administration 21 CFR Part 11
FERPA
FIPS 140-2
CCCPPF
MLPS
33. IoT reference architecture (diagram)
Devices live in three kinds of environment: personal environments and networks (watches, glasses, work tools, hearing aids, robotic assistance, ...); homes, vehicles, vessels, factories, farms, oil platforms, ...; and vehicle fleets, sea vessels, LV smart grids, cattle, ...
Devices reach the cloud systems over the Internet, ISPs and (mobile) network operators: directly through a cloud gateway, through a field gateway, or through an MNO gateway; some devices also support local interaction
Cloud systems: cloud gateway, cloud portals and APIs (mobile & web interaction), control system, analytics, data management
Local systems: local gateway, local portals and APIs, control system, analytics, data management
Editor's Notes
Software industries have had to deal with Internet and Security, now the hardware industry is having to get to grips with what it means to be an internet connected device without necessarily the background to understand the threats.
The Unified Extensible Firmware Interface (UEFI, pronounced as an initialism U-E-F-I or like "unify" without the n) is a specification that defines a software interface between an operating system and platform firmware. UEFI replaces the Basic Input/Output System (BIOS) firmware interface.
Secure Boot secures against boot attacks:
  Validates the firmware image before it is allowed to execute
  Cryptographically validates all the boot components and drivers
  Only authorised code can execute on the device
Measured Boot:
  Securely records to the TPM a log of the boot process: drivers loaded, signatures, etc.
  Available to administrators
BitLocker secures against offline attacks:
  Encrypts all data stored locally
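Measured Boot is easy to confuse with Secure Boot, so an added example (not from the deck, and not Windows or TPM code) of what the TPM actually records and how an administrator or attestation service uses it. Each boot component is hashed and folded into a platform configuration register with the TPM extend rule PCR_new = SHA-256(PCR_old || digest), while an event log keeps the per-component digests. Because extend is one-way and order-sensitive, replaying the log must reproduce the PCR, and the PCR must match a known-good value. The boot components are constructed byte strings; the TPM quote signature that would normally protect the reported PCR is assumed to have been checked already and is not modelled.

```python
import hashlib

PCR_INITIAL = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes at power-on


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA-256(PCR_old || digest). One-way and order-sensitive."""
    return hashlib.sha256(pcr + digest).digest()


class MeasuredBoot:
    """Models what firmware does during boot: hash each component, extend the PCR, log the event."""

    def __init__(self):
        self.pcr = PCR_INITIAL
        self.events = []  # (component name, SHA-256 digest): the TPM event log

    def measure(self, name: str, image: bytes) -> bytes:
        digest = hashlib.sha256(image).digest()
        self.events.append((name, digest))
        self.pcr = extend(self.pcr, digest)
        return digest


def boot(components):
    """Run a measured boot over [(name, image bytes), ...] and return the resulting state."""
    mb = MeasuredBoot()
    for name, image in components:
        mb.measure(name, image)
    return mb


def replay(events) -> bytes:
    """Recompute the PCR an attester expects from the event log alone."""
    pcr = PCR_INITIAL
    for _, digest in events:
        pcr = extend(pcr, digest)
    return pcr


def attest(reported_pcr: bytes, events, golden_pcr: bytes):
    """Attester side. reported_pcr would arrive in a TPM quote signed by the TPM's
    attestation key; verifying that signature is assumed done. Returns (trusted, reason)."""
    if replay(events) != reported_pcr:
        return False, "event log does not reproduce the PCR (log truncated or edited)"
    if reported_pcr != golden_pcr:
        return False, "boot chain differs from the known-good measurement"
    return True, "ok"


# Constructed boot chain for this example; real images are firmware and driver binaries.
GOOD_CHAIN = [
    ("uefi-firmware", b"UEFI firmware image v1.2"),
    ("bootloader", b"bootmgfw.efi"),
    ("kernel", b"ntoskrnl.exe"),
    ("driver:storage", b"storport.sys"),
]
GOLDEN_PCR = boot(GOOD_CHAIN).pcr  # recorded once from a trusted reference device


def tampered_driver():
    """Same chain, but the storage driver has been modified on disk."""
    chain = list(GOOD_CHAIN)
    chain[3] = ("driver:storage", b"storport.sys + bootkit")
    return boot(chain)


def hidden_extra_driver():
    """An attacker loads an extra driver, then deletes its line from the log to hide it."""
    mb = boot(GOOD_CHAIN + [("driver:rootkit", b"rootkit.sys")])
    mb.events = [e for e in mb.events if e[0] != "driver:rootkit"]
    return mb


if __name__ == "__main__":
    good = boot(GOOD_CHAIN)
    print("good boot:     ", attest(good.pcr, good.events, GOLDEN_PCR))
    bad = tampered_driver()
    print("tampered driver:", attest(bad.pcr, bad.events, GOLDEN_PCR))
    hidden = hidden_extra_driver()
    print("hidden driver: ", attest(hidden.pcr, hidden.events, GOLDEN_PCR))
```

Note what each mechanism does and does not do: Secure Boot refuses to run an unsigned component, Measured Boot only records what ran, so a tampered driver still boots but is caught at attestation, and editing the log does not help the attacker because the PCR inside the TPM cannot be rewound. In Azure IoT terms this is the "data attestation" and "trustworthy platform hardware, signed firmware, secure boot/load" controls on slide 28.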
When we launched Windows 10 this July, we created a converged platform that can serve devices from desktops and PCs to IoT devices. We introduced three new editions for IoT devices.
Windows 10 IoT Enterprise – This is the same Windows 10 Enterprise licensed for IoT devices market. It provides a rich set of functionalities to build powerful, high performance industry devices.
Windows 10 IoT Mobile Enterprise – This is the same Windows 10 Mobile Enterprise edition licensed for the IoT devices market to build ruggedized and industry handheld devices. With Windows 10, it is on par with the Enterprise edition in a number of aspects and includes a Modern shell and advanced lockdown capabilities
Windows 10 IoT Core – This is a new edition that we released for building small and low cost IoT devices that provides a single purpose device experience with modern UWP app support and low cost silicon support.
Windows 10 for IoT will be available initially on three boards:
Raspberry Pi 2
Minnowboard Max (essentially the guts of a tablet)
Dragonboard (essentially the guts of a phone) (coming soon)
All of these boards support universal apps and the new IoT APIs in UAP. All three have first-class developer experience in Visual Studio.
We also support other Windows 10 IoT SKUs for mobile and larger systems, all of which support the same UAP programming model and binaries.
Key points
The AllJoyn software framework is a collaborative open source project of the AllSeen Alliance. Microsoft has joined the AllSeen Alliance as a Premier member and is one of over a hundred members. AllJoyn enabled devices describe their capabilities via service interfaces on the virtual bus.
AllJoyn is integrated into the Windows 10 core framework, so it is available to all Windows 10 devices
Developers can easily create Universal Windows Apps for AllJoyn-Enabled Devices
Expose C & WinRT APIs for AllJoyn & Universal Windows App platform integration
Microsoft contributes Windows platform fixes back to the Alliance including improving AllJoyn security
AllJoyn solves challenges …in an open interoperable way
Find nearby devices
Painlessly connect to those devices, regardless of brand
Discover services running on those devices
Adapt to devices coming and going
Deal with different transports
Interoperate across different OSes
Exchange information and services
Provide reliable performance in wireless environments
Ensure no one nearby maliciously hacks into your phone
OPC UA - OPC Unified Architecture (OPC UA) is an industrial M2M communication protocol for interoperability developed by the OPC Foundation. It is the successor to Open Platform Communications (OPC). Although developed by the same organization, OPC UA differs significantly from its predecessor. The Foundation's goal for this project was to provide a path forward from the original OPC communications model (namely the Windows-only COM/DCOM process exchange) to a cross-platform service-oriented architecture (SOA) for process control, while enhancing security and providing an information model.
Constrained Application Protocol (CoAP)
Key goal of slide:
Outline the key capabilities of Microsoft Azure Intelligent Systems Service.
Let’s spend a few minutes talking about some of the capabilities of Microsoft Azure Intelligent Systems Service…
Slide talk track:
Microsoft Azure Intelligent Systems Service supports the following capabilities in a highly secure manner
Connect your assets – Connect technology assets to other devices, cloud based services and infrastructure and extend to all technology assets regardless of form-factor, OS or intelligence
Configure your setup – Configure rules and executable scripts that define actions on devices
Harness your data -- Efficiently capture, store, join, visualize, analyze and share data to drive meaningful business insights
Administer your assets – Apply business rules to govern industry devices and edge devices, and manage remotely with configurable alarms and response options for pervasive predictive capability
Extend your solution – Address variable demands with scalable and efficient data collection and storage in the cloud. Innovate on top of ISS to create rich, customized experiences
These allow our customers to harness their machine-generated data - collecting, compiling, and sending packaged information to Microsoft assets like Power BI and HD Insight for analytics to drive meaningful business insights
We’re not going to use the Azure IoT Suite in this lab. Instead, we’re going to focus on core components so you can learn how to really connect with Azure and build up a solution from scratch.
Highlighted are the pieces of Azure IoT Services that we will use in this lab.
Additionally, we’ll use the Microsoft Azure Web App service to host a simple website showing data from our devices.