Azure IoT Security vs. AWS IoT Defender – How AWS does its job?

Following the #Gossipiece Azure IoT Security vs. AWS IoT Defender – How Azure does its job?, today we are going to look at AWS IoT and its IoT Device Defender!

Before we jump into IoT Device Defender, let’s take a look at how AWS IoT authenticates your devices and manages access.

AWS IoT Core – securely provisioning devices

AWS uses X.509 certificates, i.e. a PKI (public key infrastructure), to identify and authenticate each device.

AWS provides different ways of using your certificate

After the device is created, policies need to be attached to it; these define what the device can and cannot do. This is similar to AWS policies; you can refer to this Gossipiece.
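Because the policy attached to a certificate is the only thing that limits what a connected device may do, the first check worth running on a fleet is whether any policy grants broad actions on a wildcard resource. The following script is an added example, not code from the original post or from AWS: it shows a "just make it connect" policy beside a least-privilege one scoped with the `${iot:Connection.Thing.ThingName}` policy variable, and a small linter that flags the former. The policy document shape and the policy variable are real AWS IoT constructs; the two sample policies, the region and account in the ARNs, and the "unscoped wildcard" heuristic are this example's own assumptions, not the logic AWS applies in its audit.

```python
"""Lint AWS IoT Core policy documents for overly broad device permissions.

Added example, not code from the original post or from AWS. The sample
policies, the region/account in the ARNs and the wildcard heuristic are
constructed for illustration.
"""
import json

# Constructed sample: any device holding a certificate with this policy can
# connect with any client ID and publish or subscribe to every topic.
OVERLY_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:*"], "Resource": ["*"]},
    ],
})

# Constructed sample: least privilege. The policy variable is substituted at
# connect time with the thing name bound to the certificate, so each device
# is confined to its own client ID and its own topics.
ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012"  # constructed region/account
THING = "${iot:Connection.Thing.ThingName}"
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"],
         "Resource": [f"{ARN_PREFIX}:client/{THING}"]},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [f"{ARN_PREFIX}:topic/devices/{THING}/telemetry"]},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [f"{ARN_PREFIX}:topicfilter/devices/{THING}/commands"]},
        {"Effect": "Allow", "Action": ["iot:Receive"],
         "Resource": [f"{ARN_PREFIX}:topic/devices/{THING}/commands"]},
    ],
})

# Actions that let one device speak or listen as another when the resource
# is not tied to the connecting thing.
SENSITIVE_ACTIONS = {"iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive"}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_unscoped(resource):
    """Heuristic (this example's own): a resource is unscoped when it
    contains a wildcard and no per-connection policy variable narrows it."""
    return "*" in resource and "${iot:" not in resource


def find_overly_permissive(policy_json):
    """Return (statement_index, reason) findings for Allow statements that
    grant a sensitive action, or a wildcard action, on an unscoped resource.
    Deny statements are skipped: they can only narrow access."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        broad_actions = [a for a in _as_list(stmt.get("Action"))
                         if a in SENSITIVE_ACTIONS or a.endswith("*")]
        broad_resources = [r for r in _as_list(stmt.get("Resource"))
                           if _is_unscoped(r)]
        if broad_actions and broad_resources:
            findings.append((idx, f"{broad_actions} allowed on {broad_resources}"))
    return findings


if __name__ == "__main__":
    for name, doc in (("permissive", OVERLY_PERMISSIVE_POLICY),
                      ("scoped", SCOPED_POLICY)):
        print(name, find_overly_permissive(doc) or "no findings")
```

Run it against the policy documents you export from your own account; the scoped policy produces no findings, while the permissive one is flagged on its first statement. Device Defender's audit covers the same ground with its IOT_POLICY_OVERLY_PERMISSIVE_CHECK, but a local pass like this can run before the policy is ever attached to a certificate.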

In a nutshell, AWS IoT uses certificates and policies (permissions) to securely manage your IoT devices. As simple as that. But,

A question I asked them, and now to myself again:

How do you manage all these certificates and keys….

Last year, the answer was AWS IoT Device Management, but it’s just an indexing functionality + SDK that you can use to find your devices and act upon them. Looking at the market, I don’t see any good solution for device management in AWS. All you can find are those big platforms like PTC ThingWorx, Siemens MindSphere, etc. They offer an end-to-end IoT platform. But for most small companies, it’s overkill. Device management is the core, and I can live without SaaS services for big data and machine learning. But a SaaS service for device management is critical for success.

My calling is: please can someone build a simple, lightweight Device Management SaaS software that I can plug in and use?

IoT Device Defender

Architecture of AWS IoT

After the device is registered in IoT Core, AWS IoT Device Defender is able to fetch the metrics and provide useful data to IoT device management and other services (CloudWatch, SNS, etc.).

Last year, I did the assessment on AWS IoT. I needed to manually set up a CloudWatch service and configure the metrics to monitor the status. I told AWS that their device status/health monitoring functionality was missing, or at least not convenient to use. IoT Device Defender comes to the rescue.

Four key features IoT Device Defender offers to keep your fleet secure (the definitions from AWS).

4 key functions of IoT Device Defender
  • Auditing checks best practices on certificates, device policies, device connections and account settings. Audits can be run on a schedule or ad hoc.
  • Anomaly detection looks at both cloud-side and device-side behavior; customers can define a behavior profile that specifies what counts as abnormal behavior.
  • Alerts are just alerts…
  • Mitigating security issues is just getting recommendations and executing certain actions to stop the violations on your device.

Auditing function

Detecting anomaly

IoT Device Defender lets you create a custom Security Profile, in which you can define your own metrics to monitor.

Let’s compare the metrics you can monitor in Azure and AWS a bit.

Azure has 19 metrics vs. 17 for AWS. There is no good or bad here; they are just metrics. What actually matters is how you set up the monitoring logic.
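To make the point about monitoring logic concrete, here is an added example (not code from the original post or from AWS) that replays a constructed stream of device metrics through a Security Profile in the shape Device Defender uses: each behavior names a metric, a comparison operator, an expected value and how many consecutive datapoints must be out of range before an alarm fires or clears. The `aws:*` metric names, operators and criteria keys follow the Security Profile format AWS publishes; the profile, the device `sensor-01` and its datapoints are constructed for illustration, and the evaluation loop is a simplified local model of how such a profile fires, not the AWS service itself. The `first_alarm_index` helper shows how the same spike is or is not an alarm depending on the `consecutiveDatapointsToAlarm` you choose.

```python
"""Replay device metrics through a Device Defender-style Security Profile.

Added example, not code from the original post or from AWS. Profile, device
and datapoints are constructed; the loop is a local model, not the service.
"""
import copy
import ipaddress

# Constructed profile. Criteria describe EXPECTED behavior; a datapoint that
# does not satisfy them is a violation.
PROFILE = {"behaviors": [
    {"name": "TooManyAuthFailures",            # a sustained burst, not one spike
     "metric": "aws:num-authorization-failures",
     "criteria": {"comparisonOperator": "less-than", "value": {"count": 5},
                  "durationSeconds": 300,
                  "consecutiveDatapointsToAlarm": 2,
                  "consecutiveDatapointsToClear": 1}},
    {"name": "MessageSizeTooLarge",            # telemetry from this fleet is small
     "metric": "aws:message-byte-size",
     "criteria": {"comparisonOperator": "less-than-equals", "value": {"count": 1024}}},
    {"name": "OnlyExpectedPorts",              # only MQTT over TLS should listen
     "metric": "aws:listening-tcp-ports",
     "criteria": {"comparisonOperator": "in-port-set", "value": {"ports": [8883]}}},
]}


def _dp(auth_failures, msg_bytes, ports):
    """Constructed datapoint for the single sample device."""
    return ("sensor-01", {"aws:num-authorization-failures": auth_failures,
                          "aws:message-byte-size": msg_bytes,
                          "aws:listening-tcp-ports": ports})


DATAPOINTS = [                       # oldest first
    _dp(0, 200, [8883]),
    _dp(7, 200, [8883]),             # single spike: below the alarm threshold
    _dp(9, 300, [8883]),             # second in a row: alarm
    _dp(12, 4096, [8883, 23]),       # oversize message and an unexpected port
    _dp(0, 100, [8883]),             # back to normal: everything clears
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def satisfies(criteria, value):
    """True when the observed value matches the expected behavior."""
    op, expected = criteria["comparisonOperator"], criteria["value"]
    if op == "less-than":
        return value < expected["count"]
    if op == "less-than-equals":
        return value <= expected["count"]
    if op == "greater-than":
        return value > expected["count"]
    if op == "greater-than-equals":
        return value >= expected["count"]
    if op in ("in-port-set", "not-in-port-set"):
        hits = [p in expected["ports"] for p in _as_list(value)]
        return all(hits) if op == "in-port-set" else not any(hits)
    if op in ("in-cidr-set", "not-in-cidr-set"):
        nets = [ipaddress.ip_network(c) for c in expected["cidrs"]]
        hits = [any(ipaddress.ip_address(a) in n for n in nets) for a in _as_list(value)]
        return all(hits) if op == "in-cidr-set" else not any(hits)
    raise ValueError(f"unsupported comparisonOperator: {op}")


def evaluate(profile, datapoints):
    """Return (device, behavior, 'alarm'|'clear', datapoint_index) events,
    honouring the consecutive-datapoint thresholds (default 1)."""
    bad, good, in_alarm, events = {}, {}, set(), []
    for i, (device, metrics) in enumerate(datapoints):
        for b in profile["behaviors"]:
            if b["metric"] not in metrics:
                continue
            key, crit = (device, b["name"]), b["criteria"]
            if satisfies(crit, metrics[b["metric"]]):
                bad[key], good[key] = 0, good.get(key, 0) + 1
                if key in in_alarm and good[key] >= crit.get("consecutiveDatapointsToClear", 1):
                    in_alarm.discard(key)
                    events.append((device, b["name"], "clear", i))
            else:
                good[key], bad[key] = 0, bad.get(key, 0) + 1
                if key not in in_alarm and bad[key] >= crit.get("consecutiveDatapointsToAlarm", 1):
                    in_alarm.add(key)
                    events.append((device, b["name"], "alarm", i))
    return events


def first_alarm_index(profile, datapoints, behavior_name, to_alarm):
    """Re-run with another consecutiveDatapointsToAlarm for one behavior and
    return the index of its first alarm, or None if it never fires."""
    tuned = copy.deepcopy(profile)
    for b in tuned["behaviors"]:
        if b["name"] == behavior_name:
            b["criteria"]["consecutiveDatapointsToAlarm"] = to_alarm
    for _, name, state, idx in evaluate(tuned, datapoints):
        if name == behavior_name and state == "alarm":
            return idx
    return None


if __name__ == "__main__":
    for event in evaluate(PROFILE, DATAPOINTS):
        print(event)
    for n in (1, 2, 3, 4):
        print("alarm after", n, "datapoints -> first alarm at",
              first_alarm_index(PROFILE, DATAPOINTS, "TooManyAuthFailures", n))
```

With the threshold at 2, the lone spike in the second datapoint is absorbed and the alarm fires on the third; at 1 the same stream alarms one datapoint earlier, and at 4 it never alarms at all because the device recovers first. That trade-off between noise and time-to-detect is the "monitoring logic" that matters more than the raw metric count.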

metrics you can add in Azure IoT Security

custom metrics you can add in AWS IoT Device Defender

Set up alert in SNS

Mitigation actions

AWS IoT Device Defender also provides a new mitigation option. It goes one step beyond monitoring: you can grant IoT Core permission to take actions such as revoking a device or its certificate. It supports Mitigation Actions for Audit Results. This feature enables customers to use predefined mitigation actions, or customize their own, and apply them at scale.

add mitigation plan

A quick summary:

AWS offers a similar security monitoring service compared to Azure (metrics monitoring, recommendations, etc.). Although Mitigation Actions sound one step further than Azure, AWS will never guarantee the security of the entire IoT solution you built. By the time I wrote this #Gossipiece, Capital One had a big data leak from their AWS platform…. It seems to have been a misconfiguration on Capital One’s own side, but it sounds very negative, not just for AWS but for the entire cloud computing market. And lawsuits have been filed, against BOTH of them! https://www.geekwire.com/2019/amazon-capital-one-face-lawsuits-massive-hack-affects-106m-customers/

Stay tuned, I will provide a thorough matrix comparing these two solutions in my next AWS vs. Azure #Gossipiece.