Azure IoT Security vs. AWS IoT Device Defender – How does Azure do its job?

IoT security is not just about securing your device; it is about securing your entire solution.

So… what is the goal of a hacker?

Steal your data or take control of your IoT devices. In either case, an attacker will prefer to break into your IoT Core/IoT Hub rather than into your individual IoT devices: once they control the IoT Core/Hub, they control everything! Hacking into a single IoT device, however, is often much easier, and it is enough if you just want to make the devices do something bad. Hence, hacking is a lot of fun and has endless possibilities 😛

Let’s take a look at how Azure and AWS secure your IoT solutions, from both the IoT Core/Hub side and the device side!

Azure IoT Hub Security

How to protect your devices

Azure protects your devices in two ways.

On one side, when you register a new device, you can choose either symmetric keys or an X.509 certificate. The former is user-friendly and easy to set up, but security is a concern: whoever holds the key (or the connection string that embeds it) can impersonate the device. The latter is more secure, but you will hate managing all the certificates. More details, with pros and cons, can be found in a good article from Microsoft itself: https://azure.microsoft.com/en-us/blog/iot-device-authentication-options/ . You will realize that this is going to be your biggest headache in the coming years. I can, seriously, tell you that in reality you will see people send connection strings over Email, Skype, Slack, Teams…

On the other side, Azure provides simple but useful shared access policies that let the right users and services control devices and access IoT Hub; more information can be found at: https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-security

The 5 built-in shared access policies (iothubowner, service, device, registryRead, registryReadWrite) that allow a device or application to interact with IoT Hub and perform different kinds of actions
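To make the symmetric-key and shared-access-policy discussion concrete, here is both sides of the exchange as an added example (not code from the original post): a device mints a short-lived SAS token from its key, and the hub recomputes the signature to check it. The token format (sr, sig, se, optional skn; HMAC-SHA256 over the URL-encoded resource URI plus expiry, keyed with the base64-decoded key) is the one Microsoft documents for IoT Hub. The hub name, device id and key are constructed for the example; a service token simply signs the hub-level resource with a policy key and names the policy via skn.

```python
"""Azure IoT Hub SAS tokens: what a device sends and what the hub checks.

Added example, not code from the original post. The token format (sr, sig, se,
optional skn; HMAC-SHA256 over "<url-encoded uri>\n<expiry>" with the
base64-decoded key) is the one Microsoft documents for IoT Hub. The hub name,
device id and key below are constructed for this example.
"""
import base64
import hmac
import time
from hashlib import sha256
from urllib.parse import parse_qs, quote_plus, urlencode

HUB = "contoso-hub.azure-devices.net"   # assumption: example hub name
DEVICE_ID = "thermostat-01"             # assumption: example device id
# Constructed 32-byte device key, base64 as it appears in a connection string.
DEVICE_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()


def device_resource_uri(hub, device_id):
    """Resource a device token is scoped to: the hub plus that one device identity."""
    return f"{hub}/devices/{device_id}"


def generate_sas_token(resource_uri, key_b64, expiry_epoch, policy_name=None):
    """Device or service side: sign the resource URI and expiry with the shared key.

    Devices sign with their own key and omit skn; backend services sign with a
    hub-level shared access policy (e.g. "service") and name it via skn.
    """
    string_to_sign = f"{quote_plus(resource_uri)}\n{int(expiry_epoch)}"
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign.encode(), sha256).digest()
    fields = {"sr": resource_uri,
              "sig": base64.b64encode(digest).decode(),
              "se": str(int(expiry_epoch))}
    if policy_name:
        fields["skn"] = policy_name
    return "SharedAccessSignature " + urlencode(fields)


def verify_sas_token(token, key_b64, now_epoch):
    """Hub side: recompute the signature with the stored key and compare.

    Returns (ok, reason). hmac.compare_digest keeps the comparison constant-time.
    The check proves possession of the key, nothing more: anyone who was emailed
    the connection string can mint tokens that pass here.
    """
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False, "bad prefix"
    fields = {k: v[0] for k, v in parse_qs(token[len(prefix):]).items()}
    try:
        sr, sig, se = fields["sr"], fields["sig"], int(fields["se"])
    except (KeyError, ValueError):
        return False, "missing field"
    if se <= now_epoch:
        return False, "expired"
    expected = generate_sas_token(sr, key_b64, se, fields.get("skn"))
    expected_sig = parse_qs(expected[len(prefix):])["sig"][0]
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    uri = device_resource_uri(HUB, DEVICE_ID)
    token = generate_sas_token(uri, DEVICE_KEY, time.time() + 3600)
    print(token)
    print(verify_sas_token(token, DEVICE_KEY, time.time()))
```

Two things worth noticing: the token is scoped to one resource URI, so a device token cannot be re-labelled for another device without breaking the signature, and the expiry is the only thing limiting a leaked token, whereas a leaked key (i.e. a leaked connection string) is good until the key is rotated.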

How to protect your IoT solution

Microsoft recently announced the general availability of Azure Security Center for IoT: https://azure.microsoft.com/en-in/blog/announcing-general-availability-for-the-azure-security-center-for-iot/

After taking a good look at it, and actually playing with it (I love hands-on stuff), I think I can safely summarize it as follows:

An end-to-end monitoring solution for pre-defined IoT metrics (with “intelligent” analytics) to provide actionable security recommendations.

A high-level architecture of the end-to-end IoT flow in Azure

The key elements of end-to-end IoT threat analysis

  1. Real-time monitoring of pre-defined IoT metrics
  2. Actionable recommendations from Microsoft to make things secure.
  3. Actionable alerts.

Quite simple. Let’s take a look at how they actually did it:

Another architecture diagram from Microsoft that I found online

All kinds of devices send telemetry to the IoT Hub in Azure. Microsoft developed a “security agent”; you can think of it as a module, a piece of software running on your device. It leverages the existing device SDK to pick up some critical metrics and send them to the cloud. You can also create your own agent to send the data you believe is critical. Similarly, on Edge devices you can deploy such a module to report security information. After the data reaches the cloud, the “Threat Intelligence” starts to analyze those logs to offer everything we can now see in Security Center: the security dashboard, recommendations, alerts, log investigation tools, etc.
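What such a custom agent actually hands to the device SDK, as an added example (not code from the original post and not Microsoft's agent): a collector snapshot wrapped in the security message envelope, plus the message property that tells IoT Hub to route it to Security Center rather than treat it as ordinary telemetry. The envelope field names and the "iothub-interface-id" value follow the 1.0 agent schema as documented by Microsoft, but treat the exact values as assumptions to check against the current docs; the listening-socket snapshot is a constructed sample, and the actual send call through the IoT device SDK is left out.

```python
"""Sketch of a custom security agent message for Azure Security Center for IoT.

Added example, not code from the original post and not Microsoft's agent. The
envelope fields (AgentVersion, AgentId, MessageSchemaVersion, Events[...]) and the
"iothub-interface-id" property that marks a device-to-cloud message as a security
message follow the 1.0 agent schema as documented; treat the exact values as
assumptions to verify. The listening-socket snapshot is constructed; a real
collector would read it from the OS. Sending via the device SDK is out of scope.
"""
import json
import uuid
from datetime import datetime, timezone

SECURITY_INTERFACE_ID = "urn:azureiot:Security:SecurityAgent:1"  # assumption: schema 1.0 value
AGENT_VERSION = "0.0.1"
AGENT_ID = "6c1d4a0e-4f0e-4d8b-9b2a-0f3c7a1e5d21"  # assumption: one stable id per agent install

# Constructed snapshot: an SSH daemon plus a suspicious high-port listener.
SAMPLE_LISTENING = [
    {"Protocol": "tcp", "LocalAddress": "0.0.0.0", "LocalPort": "22",
     "RemoteAddress": "0.0.0.0", "RemotePort": "0"},
    {"Protocol": "tcp", "LocalAddress": "0.0.0.0", "LocalPort": "4444",
     "RemoteAddress": "0.0.0.0", "RemotePort": "0"},
]


def make_event(name, payload, category="Periodic", event_id=None, now=None):
    """One event record. IsEmpty must reflect the payload so the cloud side can
    tell "nothing is listening" apart from "the collector never ran"."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    return {
        "EventType": "Security",
        "Category": category,          # "Periodic" snapshot or "Triggered" one-off
        "Name": name,
        "IsEmpty": len(payload) == 0,
        "PayloadSchemaVersion": "1.0",
        "Id": event_id or str(uuid.uuid4()),
        "TimestampLocal": stamp,
        "TimestampUTC": stamp,
        "Payload": payload,
    }


def build_security_message(events):
    """Return (body, properties) ready for a device-to-cloud send.

    The body is the JSON envelope; the properties dict carries the interface id,
    which is what routes the message to Security Center instead of the normal
    telemetry path (the same SDK send call is used, only the property differs).
    """
    body = {
        "AgentVersion": AGENT_VERSION,
        "AgentId": AGENT_ID,
        "MessageSchemaVersion": "1.0",
        "Events": events,
    }
    properties = {"iothub-interface-id": SECURITY_INTERFACE_ID}
    return json.dumps(body), properties


def listening_ports_message(snapshot):
    """Wrap a listening-socket snapshot into a complete security message."""
    return build_security_message([make_event("ListeningPorts", snapshot)])


if __name__ == "__main__":
    body, props = listening_ports_message(SAMPLE_LISTENING)
    print(props)
    print(body)
```

The design point is the split between body and properties: the body is whatever the collector found, while the single routing property decides whether the cloud side treats it as security data or as one more telemetry message that nobody looks at.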

For IoT devices, they created a dashboard for IoT Hub and a tight integration with the logs for Device Twins, etc.

IoT security dashboard overview

A dashboard is the best way to fool your customers; we only need to dig a little deeper to unveil the truth.

Available custom alert metrics

Looking at the metrics, most of them are quite basic: 16 out of 19 just count things, such as the number of connections, devices, messages, direct methods, updates, etc. Those are all normal behaviors, so you need an intelligent algorithm that detects patterns in these numbers without generating too many false alerts. Only 3 metrics measure actual suspicious attempts.
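Why a count-type metric needs more than a threshold, shown as an added example (not code from the original post and not Security Center's analytics) over a constructed stream of hourly "number of messages" counts for two devices: a single static threshold fires on a gateway that is simply busy, while a per-device baseline built from each device's own history (median plus a scaled MAD envelope) flags only the quiet sensor that suddenly floods, and also catches a device that goes silent.

```python
"""Alerting on IoT Hub count metrics: static threshold vs. per-device baseline.

Added example, not code from the original post and not Azure Security Center's
analytics. The metric stream is constructed: 24 hourly "number of messages"
counts per device (one of the count-type custom alert metrics), then the next hour.
"""
from statistics import median

# Constructed history: sensor-a chats quietly, gateway-b legitimately sends a lot.
HISTORY = {
    "sensor-a":  [58, 61, 60, 57, 63, 59, 62, 60, 58, 61, 64, 60,
                  59, 62, 61, 60, 58, 63, 60, 61, 59, 62, 60, 61],
    "gateway-b": [1850, 1920, 1880, 1900, 1870, 1950, 1890, 1910, 1860, 1940, 1900, 1880,
                  1930, 1870, 1890, 1920, 1900, 1860, 1950, 1880, 1910, 1890, 1870, 1900],
}
# Constructed next hour: sensor-a jumps 20x (flooding or exfiltration?), gateway-b is normal.
CURRENT_HOUR = {"sensor-a": 1400, "gateway-b": 1905}

STATIC_THRESHOLD = 1000   # one-size-fits-all rule: alert when messages/hour > 1000


def static_alerts(current, threshold=STATIC_THRESHOLD):
    """One number for every device: fires on any device that is simply busy."""
    return sorted(d for d, n in current.items() if n > threshold)


def mad_bounds(samples, k=6.0):
    """Robust envelope around a device's own history: median +/- k * MAD.

    MAD is scaled by 1.4826 so it estimates sigma for normal data; the floor of 1
    keeps a perfectly flat history from producing a zero-width band. Median and
    MAD are not dragged around by a few past spikes the way mean/stdev are.
    """
    m = median(samples)
    mad = max(median(abs(x - m) for x in samples) * 1.4826, 1.0)
    return m - k * mad, m + k * mad


def adaptive_alerts(history, current, k=6.0):
    """Fire only when a device leaves its own envelope, in either direction:
    a jump hints at flooding or exfiltration, a collapse at a silenced device."""
    alerts = []
    for device, n in current.items():
        low, high = mad_bounds(history[device], k)
        if not low <= n <= high:
            alerts.append(device)
    return sorted(alerts)


if __name__ == "__main__":
    print("static  :", static_alerts(CURRENT_HOUR))
    print("adaptive:", adaptive_alerts(HISTORY, CURRENT_HOUR))
```

The static rule reports both devices, one of them a false alert; the baseline rule reports only sensor-a, and would also report gateway-b if its count dropped to zero, which a "greater than" threshold can never do.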

Recommendations from Security Center

Looking at Security Center, to be honest, do you think it is useful? “Enable MFA.” “A maximum of 3 owners should be designated for your subscription.” I mean, those are good practices, but they remind me of something from years back. Are we going to be busy fixing all these recommendations? Are we going to be fully protected then?

Remember when you spent hours updating and patching your Windows system, and got hacked in the end anyway? Shit… useless anti-virus software…

In summary, Azure protects you with an advanced metrics analytics tool (there is a team behind it that keeps updating the algorithms) that provides real-time monitoring and recommendations. If you act on them, you will probably be safe. Even assuming all of that works, the downside of such a system is its reactive design: the hackers are always one step ahead of you.

Stay Secure, Stay Connected 😉