IoT Security Gets a Market Adoption Boost with ARM & Microsoft Announcements

By Michela Menting | 2Q 2018 | IN-5109

Of Silicon and Clouds

NEWS


Two interesting announcements surfaced this week at the RSA Conference being held in San Francisco. The first was put out by Arm and concerns the launch of the SDK-700 System Design Kit, built on the firm’s recently released Platform Security Architecture (PSA). The SDK is targeted at developers building SoCs for IoT devices, notably nodes, gateways, and embedded applications. The solution offers a computer architecture that combines processor capabilities from two families: Cortex-A (high-performance processors) and Cortex-M (low-power processors, optimized for deterministic real-time embedded microcontroller applications). The hardware security base relies on TrustZone technology, and the secure development design is based on the PSA, which requires the inclusion of device identity, a trusted boot sequence, secure OTA updates, and certificate-based authentication.

The second announcement is a new security offering by Microsoft, the Azure Sphere, a solution for creating highly secured, Internet-connected MCU devices. The offering is composed of three elements: certified MCUs, a purpose-built OS that combines RTOS and IoT features, and a security service for brokering trust for device-to-device and device-to-cloud communication. The service will include certificate-based authentication, online failure reporting, software updates, and threat detection, across the entire Azure Sphere ecosystem.

IoT Security Battleground

IMPACT


Both announcements are linked. Arm’s SDK-700 SoC solution will fit the requirements for the certified MCU piece in Microsoft’s Azure Sphere offering. Microsoft’s announcement is perhaps the most interesting of the two, as it simultaneously declares its foray into the IoT edge-computing space and leverages the chip-to-cloud security issues that are largely unresolved in the industry (despite increasing commercial solutions in the space), tying it all in nicely with its core offering, the Azure cloud. While many will see the life-cycle device management piece as a lock-in with its cloud business, it dangles the carrot of royalty-free MCU design and security (and reading between the lines, specifically anti-counterfeiting and anti-piracy).

The Azure Sphere could be considered a direct competitor to Arm’s Mbed Cloud offering. However, the Redmond firm has managed to massage away some of that competitive angst by building Arm processors (Cortex-A and Cortex-M) into its Azure Sphere MCU design, enabling Arm to contribute with the SDK-700. More specifically, the Azure Sphere MCU will include two Arm cores (A and M), as well as a Cortex-M-based security coprocessor called Pluton, designed by Microsoft, which will be separated from the rest of the SoC by hardware I/O firewalls. However, it is unclear whether TrustZone is part of the Pluton security subsystem. Certainly, TrustZone is an intrinsic part of both Cortex-A and Cortex-M, but Microsoft has traditionally been a TPM backer. To what extent a lightweight TPM is also leveraged is unknown to date.

Regardless, Microsoft has a solid strategy here. Once it can actively tie IoT devices to its cloud service through the hardware, it can leverage its long-standing experience in combating cybercrime, collecting and analyzing threat intel, sinkholing botnets, and bringing whole cybercriminal organizations to their knees. While the Arm Mbed offering is a tool for better managing IoT devices, Microsoft can offer that and more with its prolific cybersecurity expertise, which includes policymaking and compliance assurance.

All of this ties in rather well with a third announcement made at RSA. Arm and Microsoft have formally committed to IoT security, from silicon to cloud, in a new Cybersecurity Tech Accord. Under this accord, the companies agree to adhere to four basic principles: create stronger defenses, deter offensive cyberattacks, build security capacities, and engage in collective action. More than 30 other companies have signed on, including ABB, Bitdefender, Cisco, BT, Cloudflare, Avast, CA Technologies, Dell, HPE, SAP, Facebook, Juniper Networks, Symantec, LinkedIn, Telefonica, FireEye, Tenable, F-Secure, Trend Micro, Nokia, VMware, Oracle, and RSA.

This effort fits right in with the broader, global industry efforts to combat cybercrime. The main question, though, is how much better this effort will fare than the myriad other cybersecurity partnerships that have been announced in the last decade. The commitment, while laudable, doesn’t really provide any specific details on actual requirements or action items, offering a rather generic call to arms to fight cybercrime, which few would condemn in any case. Perhaps the integration of IoT-specific commitments will give it a more defined purpose and provide the accord with more substantive results.

Secure MCUs on the Rise

RECOMMENDATIONS


In any case, all the announcements bode well for IoT security, and in particular for boosting security-by-design efforts. Secure MCU design has only surfaced in the last few years, with a number of solutions offered by the likes of Secure Thingz, Samsung, Microchip, Rambus, Device Authority, Intertrust, Intel, etc. Microsoft has announced that MediaTek will be the first to offer an MCU based on Azure Sphere, the MT3620, with devices shipping by the end of 2018.

ABI Research expects secure MCU shipments to reach 19 million by the end of the year, in large part driven by industrial demand. However, that is only a small sliver of the 25 billion total MCU shipments expected this year for connectivity and sensor apps. The engagement of high-profile IT software giants should hopefully drive better awareness and usage by IoT players. Of course, the security imperative is not just about countering threats, but also about winning that cost-benefit analysis and risk management argument that remains at the core of security adoption decisions.

For semiconductor and silicon IP vendors, the Microsoft Azure Sphere is a direct assault on the life-cycle device management market that has been emerging around the secure hardware piece. Outfits such as Renesas, NXP, Verimatrix, Intel Wind River, and others have been pushing remote device provisioning, management, and monitoring across various industrial verticals. However, the availability of an effective cloud platform is likely to be the key driving factor for IoT OEMs and deployers. Both Amazon and Google have IoT management platforms, but neither has pulled in the secure hardware piece yet with a dedicated platform. They will need to move quickly if they want to be able to service those billions of connected IoT devices in the future. Hardware players should ensure that they have a place in Microsoft’s vision but, importantly, should also be considering a cloud-agnostic design that fits in with offerings from other cloud and service providers in the longer term.