Azure Sphere is Microsoft’s Internet of Things (IoT) platform for building more highly secured IoT solutions. Azure Sphere incorporates components of hardware, operating system, and cloud technologies to achieve greater security. It’s design provides the ability to build high-level applications, written in C, that run on the custom Azure Sphere OS Linux operating system. It also communicates securely to the Azure Sphere Security Service (AS3) that provides the cloud component of an IoT root of trust ecosystem. From there Azure Sphere can be integrated with any service of an IoT solution; such as Microsoft Azure, on-premises or even other cloud providers. This article walks you through the major components of Azure Sphere Development so you’re prepared with the fundamentals of building secure IoT solutions using the Microsoft Azure Sphere platform.

MCUs (Microcontroller Units) are used everywhere today! Many of them aren’t secured very well, or even unable to be updated securely over time. Without proper security, IoT devices can be exploited without the owner or manufacturer even being aware of it, or able to re-secure the device after the fact. A more secure IoT platform such as Azure Sphere enables much more highly secure IoT solutions and devices to be built more easily.

What is Azure Sphere?

Azure Sphere is a platform for building more highly secured IoT solutions that is made up of 3 primary components. These components include a vertical IoT platform stack that ensures everything in an IoT solution is built securely and in a manner that can be trusted throughout the IoT solution and IoT device lifecycle. It’s great to build IoT solutions that provide the value required, but doing it securely is extremely important.

Here are the three primary components that make up the Microsoft Azure Sphere IoT platform:

  • Azure Sphere crossover microcontroller unit (MCU) hardware
  • Azure Sphere OS; a custom Linux-based operating system (OS)
  • Azure Sphere Security Service (AS3); a cloud-based security service
Introduction to Azure Sphere - Secure IoT Development Platform 1
Azure Sphere end-to-end solution – Credit: Microsoft

Azure Sphere combines hardware, software, and cloud to create an end-to-end solution for building more highly secured Internet of Things solutions; with security as a primary feature of the entire platform.

Azure Sphere Crossover Microcontroller Unit (MCU)

At the foundation of Azure Sphere is the hardware design of the crossover microcontroller unit (MCU) and the custom silicon it’s built with. The Azure Sphere MCU is designed with security concepts from the ground up. It provides a secured computing base for building connected IoT devices, allowing you to focus more on your solution. The Azure Sphere MCU includes several integrated components, similarly to any other SoC (System on a Chip) architecture, with the addition of increased security and isolation.

Azure Sphere MCU Hardware Architecture
Azure Sphere MCU Hardware Architecture
  • Microsoft Pluton security subsystem
  • High-level application processor cores
  • Real-time processor cores
  • Integrated RAM, flash, and connectivity
  • Hardware Firewall providing component isolation

The MediaTek MT3620 was the first Azure Sphere MCU (microcontroller unit) available for purchase. There are a couple different Azure Sphere Development Kit boards available (like the Seeed Studio MT3620 Development Kit) for purchase using this chip. They are also available for use in your own custom Azure Sphere devices / boards, if you need to go that route as well to build your product. Microsoft is working with additional companies to build additional Azure Sphere MCUs that should be available soon; such as working with Qualcomm to build Azure Sphere MCUs with Cellular Connectivity!

Azure Sphere OS

The Azure Sphere OS is a custom Linux-based operating system (OS) built by Microsoft that includes Microsoft-written security components. This is the only operating system supported for running on Azure Sphere devices. It’s an integral component of the overall security architecture of building more highly secured IoT solutions with the Azure Sphere platform.

With the Azure Sphere OS being based on the Linux kernel, there are portions of the operating system that are Open Source. The Linux kernel for the Azure Sphere OS is licensed under the GPL license. There are also a few other components of the Azure Sphere OS that are released as open source from Microsoft to adhere to the open source licenses of the software they’ve used to create the operating system from.

The Azure Sphere OS (Operating System) combines a few security innovations pioneered within Microsoft Windows, a security monitor, and a custom Linux kernel to create a highly-secured environment and a trustworthy compute platform for building innovative IoT experiences. The design of the Azure Sphere OS includes defense in depth principles within the design that use multiple layers of security to ensure the highest device security possible.

The main components of the security layers that make up the Azure Sphere OS are as follows:

  • Hardware – Azure Sphere MCUs – This is the microcontroller unit (MCU) hardware silicon.
  • OS Layer 1 – Security Monitor – This is the low level service within the device that runs lower-level than the kernel to guard the overall integrity of the device, and guard access to critical resources.
  • OS Layer 2 – HLOS Kernel – This is the High-Level Operating System (HLOS) Linux kernel that runs the main operating system of the Azure Sphere device.
  • OS Layer 3 – On-chip Cloud Services – This is the service of the Azure Sphere OS that provides the ability for the device to authenticate and connect to the Azure Sphere Security Service (AS3); as well as provide updates.
  • OS Layer 4 – App Containers – This is where your high-level applications and real-time applications are executed on the Azure Sphere device.
Introduction to Azure Sphere - Secure IoT Development Platform 2
Azure Sphere OS Architecture – Credit: Microsoft

It’s common question from the community, whether Azure Sphere hardware can run other OS’s like Ubuntu. The customizations of the Linux kernel made for the Azure Sphere OS are meant to increase the security of the device by incorporating the necessary changes to support this multi-layer security model. Because of these changes, Azure Sphere devices are only supported to run the Azure Sphere OS, and no other Linux operating system distributions are supported on these devices. Also, the Azure Sphere OS kernel is tailored to run within 4 MB or RAM, so it’s extremely small to your normal Ubuntu kernel. This offers two big reasons that Azure Sphere OS is the only OS that can be used with Azure Sphere devices, and without the customizations of Azure Sphere OS then the device would just be a regular Linux device without any of the great security enhancements of the platform!

Related: If you’re interested in learning more about building Internet of Things solutions using Microsoft Azure cloud services, then we recommend you go check out the “Administrator’s Introduction to Azure IoT” article written by Chris Pietschmann.

Azure Sphere Security Service (AS3)

The Azure Sphere Security Service (AS3) is the cloud component of the Azure Sphere platform. It provides a root of trust for securely connecting IoT devices built with the Azure Sphere MCU and Azure Sphere OS. The AS3 service provides remote attestation to authenticate IoT devices, and functionality to push updates of the Azure Sphere OS firmware to devices. The AS3 service runs as the trusted authority for all Azure Sphere devices.

All Azure Sphere devices you build are registered with your own Azure Sphere Tenant within the Azure Sphere Security Service (AS3). This can be done at the time of manufacturing, and the device can be registered with a specific “product” (or your own application) that will be deployed to the device. This way, when the Azure Sphere device is powered on, it will connect and be authenticated with the AS3 service, then the AS3 service will securely push down an Azure Sphere OS firmware or custom application updates. All you devices get the application code deployed to them via the Azure Sphere Security Service.

Azure Sphere Security Service Diagram - Credit: Hackster.io
Credit: Hackster.io & Chris Pietschmann

Related: You can read more about what role the Azure Sphere Security Service (AS3) plays in a secured IoT solution in the “What is Azure Sphere Security Service?” written by Chris Pietschmann over on Hackster.io.

Microsoft Azure Sphere Leadership Vision

Microsoft has a grand vision of a more highly secured Internet of Things. This is an extremely important goal for all IoT developers and companies adopting IoT technologies. We need to ensure the security of our solutions so that we can offer the best privacy, security, and trust with out customers. Here’s a short video from Microsoft that lays out what their overall Leadership Vision is for Microsoft Azure Sphere.

The 7 Properties of Highly Secured Devices

In the effort to come up with key design principles for building secure IoT devices and solutions, Microsoft came up with “The 7 Properties of Highly Secured Devices”. These properties describe crucial security components to the proper design of highly secure IoT devices. These 7 principles were factored into the design of the Azure Sphere platform, and are what makes Azure Sphere unique than other less-secure IoT platforms.

  • Hardware Root of Trust – Is the device’s identity and software integrity secured by hardware?
  • Defense in Depth – Does the device remain protected even if some security mechanism is defeated?
  • Small Trusted Computing Base – Is the device’s security-enforcement code protected from bugs in application code?
  • Dynamic Compartments – Can the device’s security improve after deployment?
  • Certificate-based Authentication – Does the device authenticate itself using certificates?
  • Error Reporting – Does the device report back errors to give you in-field awareness?
  • Renewable Security – Does the device software update automatically?

You can read more about the 7 properties of highly secured devices in the official whitepaper from Microsoft that can be downloaded at: https://aka.ms/7properties

7 Properties of Highly Secured Devices
7 Properties of Highly Secured Devices – Credit: Microsoft

Wrap Up

Azure Sphere provides a more highly secured MCU (microcontroller) platform for building Internet of Things solutions that combines hardware, software, and cloud. The Azure Sphere platform integrates all three of these components into an innovative platform that raises the standard for building more highly secured IoT solutions. The 7 properties of highly secured devices is important to study as it will help you better understand why Microsoft has taken this approach to IoT security.

Microsoft MVP

Chris Pietschmann is a Microsoft MVP, HashiCorp Ambassador, and Microsoft Certified Trainer (MCT) with 20+ years of experience designing and building Cloud & Enterprise systems. He has worked with companies of all sizes from startups to large enterprises. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive.
HashiCorp Ambassador Microsoft Certified Trainer (MCT) Microsoft Certified: Azure Solutions Architect