Microsoft Picks Linux to Secure the Internet of Things
Thoughts about digital transformation for legal & compliance advisors
These posts represent my personal views or occasionally those of colleagues working on legal and regulatory compliance issues related to enterprise digital transformation. Unless otherwise indicated, they do not represent the official views of Microsoft.
When I first joined Microsoft 17 years ago, Linux was a dirty word. In fact, one of my early assignments was working on a campaign to persuade our customers that Linux was inferior to Windows in every respect. But all that belongs to ancient history now. We don't think that way anymore. One of the first things Satya Nadella did after becoming CEO of Microsoft in 2014 was to tell the world that Microsoft now loves Linux.
Last week Brad Smith, the President of Microsoft and also its Chief Legal Officer, showed up at San Francisco's giant RSA security show to prove that Satya really meant what he said about Linux. Brad announced that for the first time in its 43-year history Microsoft is actually going to start distributing its own custom version of this famous open source operating system.
But don't worry. We're not replacing Windows with Linux. Hundreds of millions of laptops, desktops, and servers around the world will continue to run on the world's best general-purpose operating system. What Brad announced is a little bit different. We're going to be using Linux for a very specialized but critically important use case where Windows just isn't a good fit.
At Microsoft we've been worried for a number of years about the growing security risk posed by the Internet of Things—also known as IoT. When billions of ordinary devices and appliances get connected to the Internet—and that's something that's going to happen in the very near future—those devices will be able to inflict incredible damage if hackers get control of them. We knew that the tiny microprocessors that control IoT devices needed to become much more secure. Our engineers realized that a custom Linux kernel could combine the intelligence needed to defeat hackers with the small footprint needed to fit on chips that will end up costing only a few dollars apiece.
This custom Linux is actually only one leg of the three-legged secure IoT platform called Azure Sphere that Brad announced at RSA. Here's how it works:
1. Each IoT chip (known as a microcontroller unit or MCU) will have a secure "vault" where cryptographic passwords are generated and stored. The chip will also have separate microprocessor cores to run application code. These cores will be as powerful as those in a typical smartphone, meaning that they will endow IoT devices with an amazing amount of intelligence. But the hardware in Azure Sphere chips will block these application processors from using the on-chip WiFi or Bluetooth to talk to the outside world without the permission of the security processor in the "vault." We're not going to make these chips ourselves. Instead, we're going to license the designs royalty-free to any chip maker that wants to use them. We're already working with partners like MediaTek, ARM, and Qualcomm.
2. Each chip will run our custom Linux kernel, which leverages security lessons we've learned from Windows to provide a layered in-depth defense, including secure containers to isolate applications from each other. That way if one application or component on the chip gets infected by malware, the others will still be protected.
3. Last but not least, we are launching a turnkey cloud service called the Azure Sphere Security Service. This service regularly checks the status of every Azure Sphere IoT chip via a secure, cryptographically authenticated communication channel over the Internet. The cloud can push mandatory security updates and patches to the chips and detect malware attacks as well as device failures. Naturally we hope that companies building and deploying IoT devices will choose to use our Azure services to run their IoT ecosystems. But we will of course also let customers use any cloud service they want, including AWS, Google, IBM, Oracle, or Alibaba.
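To make the first and third legs concrete, here is an added model of the design described above; it is example code written for this post, not Microsoft's or Azure Sphere's own implementation. It assumes a per-device key that only the security processor holds, a grant set that stands in for the hardware radio gate, and an HMAC-authenticated check-in and update channel; how the real platform implements any of these is not described on this page.

```python
import hashlib, hmac, json, secrets
def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class SecurityProcessor:
    """Models the chip's 'vault' (leg 1): holds the device key, gates the radio, signs reports."""
    def __init__(self, device_id, device_key):
        self.device_id, self._key = device_id, device_key   # key never leaves the vault
        self._granted = set()                               # app cores allowed on the radio
    def grant_network(self, app):
        self._granted.add(app)
    def radio_send(self, app, payload):
        # hardware gate: traffic from a core without a grant never leaves the chip
        if app not in self._granted:
            raise PermissionError(f"{app} has no network grant")
        return payload
    def sign_report(self, report):
        # leg 3, device side: status report authenticated with the device key
        body = json.dumps(report, sort_keys=True).encode()
        return body, _tag(self._key, body)
    def accept_update(self, body, tag):
        # install only an update the service authenticated with the same key
        return hmac.compare_digest(tag, _tag(self._key, body))

class SecurityService:
    """Models the cloud side of leg 3: verifies check-ins and pushes authenticated updates."""
    def __init__(self, provisioned):
        self._keys = dict(provisioned)   # device_id -> key recorded at manufacture
    def check_in(self, device_id, body, tag):
        key = self._keys.get(device_id)
        return key is not None and hmac.compare_digest(tag, _tag(key, body))
    def push_update(self, device_id, version):
        body = json.dumps({"update": version}).encode()
        return body, _tag(self._keys[device_id], body)

def run_demo():
    # constructed per-device key, standing in for one generated inside the vault
    key = secrets.token_bytes(32)
    vault, cloud = SecurityProcessor("device-0001", key), SecurityService({"device-0001": key})
    vault.grant_network("status-agent")  # only the platform agent may use the radio
    try:
        vault.radio_send("user-app", b"hello")   # application core without a grant
        gated = False
    except PermissionError:
        gated = True
    body, tag = vault.sign_report({"fw": "1.0", "healthy": True})
    genuine = cloud.check_in(vault.device_id, vault.radio_send("status-agent", body), tag)
    forged = cloud.check_in(vault.device_id, body.replace(b"1.0", b"9.9"), tag)
    ubody, utag = cloud.push_update(vault.device_id, "1.1")
    return {"gated": gated, "genuine": genuine, "forged": forged,
            "update_ok": vault.accept_update(ubody, utag),
            "update_tampered": vault.accept_update(ubody + b"x", utag)}
```

Running `run_demo()` shows the four properties the list claims: the ungranted core is blocked, a genuine report verifies, a tampered report and a tampered update are both rejected.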
The Internet of Things is only getting started. This year about 9 billion MCUs will ship, but most of them are not really very intelligent. In fact, fewer than 1% of current MCUs are connected to the Internet. But that is going to change very quickly. The time is rapidly approaching when we will be surrounded by billions of Internet-connected devices that can transmit information and act intelligently on our behalf. Every device in our daily lives will be connected—refrigerators, thermostats, cars, elevators, smoke alarms, patient monitoring devices in hospitals, transformers in the power grid—really just about any device you can imagine that runs on electricity.
The potential for abuse of these devices by hackers is only too apparent. The 2016 Mirai botnet attack gave us a small taste of what could happen if we don't take precautions. In that attack, a piece of malware took control of 100,000 home Internet routers to launch distributed denial of service (DDoS) attacks and essentially knocked the entire east coast of the U.S. off the Internet for a day. So it's clear that we need to design security into the Internet of Things from the ground up. And that's the story of how Microsoft came to launch its first ever Linux distribution with Azure Sphere. If you want a brief introduction, I suggest you watch this short video.
Microsoft has published a book about how to manage the thorny cybersecurity, privacy, and regulatory compliance issues that can arise in cloud-based Digital Transformation—including the Internet of Things. It explains key topics in clear language and is full of actionable advice for enterprise leaders. Click here to download a copy (https://aka.ms/Digital-Transformation-in-the-Cloud). Kindle version available as well here.