Microsoft with Azure Sphere Looks to Set Gold Standard in End-to-End IoT Security

Traditionally, security circled around securing network and software applications. However, as more devices get connected to the internet, and threats rise, there is an unprecedented need to secure hardware alongside the data flow from edge devices to the cloud. Hence, integrating security across all four layers (hardware, software, network, and cloud) becomes vital for a secure IoT deployment. We are already seeing this being adopted across data-centric devices such as smartphones.

What are the options to enable hardware security?

The key is to secure the hardware at the chipset (MCU/SoC) level to first secure the data flowing through the internal bus. This can be done by embedding Secure Elements (SE) such as Physical Unclonable Function PUFs, Trusted Platform Module (TPMs), or Hardware Security Module (HSM) to the system within the devices. Further, key injection in the secure enclave/PUF along with cryptographic key management to ensure the secure identity of the devices and to create secure tunneling of data flowing within the device and then from the device to the cloud.

How will secure hardware help Microsoft?

Microsoft is the leading end-to-end IoT platform provider globally connecting millions of edge IoT devices across tens of thousands of enterprises to its Azure cloud via its Azure IoT platform. Microsoft also has been offering Azure Edge IoT software to enable computing and intelligent decision making at the edge. As a result, Microsoft must ensure the millions of devices running its Azure instances are not compromised and securely connected to its cloud.

In light of this, Microsoft has been looking to build secure chips with silicon partners to create a “hardware-based root of trust”. This will help solve cloning and counterfeit issues and will also establish secure authentication with its IoT hub platform via a unique trusted identity.

To achieve this goal, back in 2018, Microsoft announced Azure Sphere to build multi-layered end-to-end security. Since then Microsoft Azure Sphere has evolved and constitutes three key elements:

Counterpoint Research Microsoft Azure

Source: Microsoft
  • Hardware: Azure Sphere embeds secure keys (public) within a secure MCU/MPU powered by its Pluton security subsystem.
    • Pluton includes a security processor unit with a random number generator (RNG)
    • Tamper and side-channel attack resistant
    • Other cryptography and encryption tools
    • Secure booting for remote attestation and certificate-based security

As an example, the MediaTek MT3620 contains an isolated security subsystem with its own Arm Cortex-M4F core that handles secure boot and secure system operation. This M4F security processor features a 128kB secured TCM and a 64kB secured mask ROM bootloader.

Counterpoint Research Microsoft Azure   Source: Microsoft
  • Software: Azure Sphere OS:
    • Azure Sphere OS is made up of a custom Linux kernel, which runs on 2.4MB code storage, which is carefully tuned for the flash and RAM footprint of the Azure Sphere MCU to reduce its attack surface.
    • The OS communicates with the Azure Sphere Security service in the cloud for secure device authentication, network management, application management for all outbound traffic.
    • It undertakes secure monitoring to protect memory, flash and other MCU resources limiting exposure.
    • The OS includes Microsoft-provided application runtime to restrict access to file I/O or shell access.
    • It also includes a high-level application platform which is signed by Microsoft Certificate Authority (CA) through a trusted pipeline to maintain all software other than the device-specific applications.
  • Cloud: Azure Sphere Security Service
    • Azure Sphere Security Service brokers trust for device-to-cloud communication, detects threats, and renews device security via CA based-authentication, failure reporting and automatic updates for OS.
    • Azure Sphere in the cloud thus embeds with a private key that enables asymmetric encryption and authenticates devices with paired public keys at the time of the manufacturing process.
    • Further, Azure Sentinel provides cloud security through Artificial Intelligence.

The integration of all three elements enables the hardware root of trust with asymmetric encryption. Further, it creates a secure tunnel for the secure flow of data from chip to cloud ensuring both the data security at rest and in transit.

Following chart depicts Azure Sphere running on a Guardian IoT module for a brownfield IoT deployment

Counterpoint Research Microsoft Azure

Source: Microsoft

Growing Partner Ecosystem:

  • Chipsets:
    • In 2018, ST Micro’s STM32, a secure MCU embed with a secure element and integrated with Azure IoT C SDK, which enables direct and secure connectivity to the Azure IoT Hub, as well as full support for Azure device management.
    • In mid-2019, NXP’sMX 8 series, integrates Microsoft’s Azure Sphere security architecture and Pluton Security Subsystem.
    • MediaTek MT3620 is Azure Sphere ready
    • At the end of 2019, Qualcomm’s 9205 LTE multimode modem supporting both LTE-M / NB-IoT was integrated with Microsoft’s Azure Sphere.
  • Modules
    • Avnet and qiio offer Avnet Guardian 100 and qiio q200 Guardian (add-on) modules for retrofitting on exiting brownfield devices which lack connectivity and security but need to be connected to the Internet.
    • Other modules include Avnet AES-MS-MT3620, AI-Link WF-M620-RSC1 and USI Wi-Fi module with Bluetooth option.

With this approach, Microsoft is building a highly scalable and secure approach to onboard, manage and connect IoT devices and ensure the data is securely transmitted from device to cloud. This eliminates the need for most IoT customers to hire expensive security professionals.

Case Study: Starbucks

Starbucks has deployed Azure Sphere across its stores in North America. Each Starbucks store has around ten to twelve pieces of equipment that are operational for more than fifteen hours a day and are needed to be connected to the cloud for beverage related data (10 to 12 data points worth 5MB generated per beverage), asset monitoring and any predictive maintenance to avoid disruptions. This is important as any equipment breakdown is directly proportional to the store’s performance, its business and customer dissatisfaction. Starbucks has therefore been using the guardian modules deployed by Azure Sphere with the help of Microsoft across all its brownfield equipment to securely connect and aggregate the data to the cloud.

Counterpoint Research Microsoft Azure

Source: Microsoft

Chip-to-Cloud Security is the Gold Standard

Security and privacy are global concerns around IoT, irrespective of country. Security is one of the major roadblocks for IoT. However, in the past two years, we have seen the adoption of chip-to-cloud security due to an increase in awareness of the threats and its scalable solution. The end-to-end security will be critical to the success of any future IoT deployments to protect the asset as well as the data which, in most cases, is even more valuable.

Counterpoint research is a young and fast growing research firm covering analysis of the tech industry. Coverage areas are connected devices, digital consumer goods, software & applications and other adjacent topics. We provide syndicated research reports as well as tailored. Our seminars and workshops for companies and institutions are popular and available on demand. Consulting and customized work on the above topics is provided for high precision projects.

Term of Use and Privacy Policy

Counterpoint Technology Market Research Limited


In order to access Counterpoint Technology Market Research Limited (Company or We hereafter) Web sites, you may be asked to complete a registration form. You are required to provide contact information which is used to enhance the user experience and determine whether you are a paid subscriber or not.
Personal Information When you register on we ask you for personal information. We use this information to provide you with the best advice and highest-quality service as well as with offers that we think are relevant to you. We may also contact you regarding a Web site problem or other customer service-related issues. We do not sell, share or rent personal information about you collected on Company Web sites.

How to unsubscribe and Termination

You may request to terminate your account or unsubscribe to any email subscriptions or mailing lists at any time. In accessing and using this Website, User agrees to comply with all applicable laws and agrees not to take any action that would compromise the security or viability of this Website. The Company may terminate User’s access to this Website at any time for any reason. The terms hereunder regarding Accuracy of Information and Third Party Rights shall survive termination.

Website Content and Copyright

This Website is the property of Counterpoint and is protected by international copyright law and conventions. We grant users the right to access and use the Website, so long as such use is for internal information purposes, and User does not alter, copy, disseminate, redistribute or republish any content or feature of this Website. User acknowledges that access to and use of this Website is subject to these TERMS OF USE and any expanded access or use must be approved in writing by the Company.
– Passwords are for user’s individual use
– Passwords may not be shared with others
– Users may not store documents in shared folders.
– Users may not redistribute documents to non-users unless otherwise stated in their contract terms.

Changes or Updates to the Website

The Company reserves the right to change, update or discontinue any aspect of this Website at any time without notice. Your continued use of the Website after any such change constitutes your agreement to these TERMS OF USE, as modified.
Accuracy of Information: While the information contained on this Website has been obtained from sources believed to be reliable, We disclaims all warranties as to the accuracy, completeness or adequacy of such information. User assumes sole responsibility for the use it makes of this Website to achieve his/her intended results.

Third Party Links: This Website may contain links to other third party websites, which are provided as additional resources for the convenience of Users. We do not endorse, sponsor or accept any responsibility for these third party websites, User agrees to direct any concerns relating to these third party websites to the relevant website administrator.

Cookies and Tracking

We may monitor how you use our Web sites. It is used solely for purposes of enabling us to provide you with a personalized Web site experience.
This data may also be used in the aggregate, to identify appropriate product offerings and subscription plans.
Cookies may be set in order to identify you and determine your access privileges. Cookies are simply identifiers. You have the ability to delete cookie files from your hard disk drive.