Commit 53ac695

changes to cloud-based solution
1 parent f11de20 commit 53ac695

1 file changed

+8
-8
lines changed


articles/iot/iot-overview-security.md

Lines changed: 8 additions & 8 deletions
@@ -52,19 +52,19 @@ Microsoft Defender for IoT can automatically monitor some of the recommendations
5252

5353
- **Select tamper proof hardware**: Select device hardware with built-in mechanisms to detect physical tampering, such as the opening of the device cover or the removal of a part of the device. These tamper signals can be part of the data stream uploaded to the cloud, which can alert operators to these events.
5454

55-
- **Select secure hardware**: If possible choose device hardware that includes security features such as secure and encrypted storage and boot functionality based on a Trusted Platform Module. These features make devices more secure and help protect the overall IoT infrastructure.
55+
- **Select secure hardware**: If possible choose device hardware that includes security features such as secure and encrypted storage and boot functionality based on a [Trusted Platform Module](../iot-dps/concepts-tpm-attestation.md). These features make devices more secure and help protect the overall IoT infrastructure.
5656

57-
- **Enable secure upgrades**: Firmware upgrades during the lifetime of the device are inevitable. Build devices with secure paths for upgrades and cryptographic assurance of firmware versions to secure your devices during and after upgrades.
57+
- **Enable secure updates**: Use services like [Device Update for IoT Hub](../iot-hub-device-update/understand-device-update.md) for over-the-air updates for your IoT devices. Build devices with secure paths for updates and cryptographic assurance of firmware versions to secure your devices during and after updates.
5858

5959
- **Follow a secure software development methodology**: The development of secure software requires you to consider security from the inception of the project all the way through implementation, testing, and deployment. The [Microsoft Security Development Lifecycle](https://www.microsoft.com/securityengineering/sdl/) provides a step-by-step approach to building secure software.
6060

6161
- **Use device SDKs whenever possible**: Device SDKs implement various security features such as encryption and authentication that help you develop robust and secure device applications. To learn more, see [Azure IoT SDKs](iot-sdks.md).
6262

6363
- **Choose open-source software with care**: Open-source software provides an opportunity to quickly develop solutions. When you're choosing open-source software, consider the activity level of the community for each open-source component. An active community ensures that software is supported and that issues are discovered and addressed. An obscure and inactive open-source software project might not be supported and issues aren't likely be discovered.
6464

65-
- **Deploy hardware securely**: IoT deployments might require you to deploy hardware in unsecure locations, such as in public spaces or unsupervised locales. In such situations, ensure that hardware deployment is as tamper-proof as possible. For example, if the hardware has USB ports ensure that they're covered securely.
65+
- **Deploy hardware securely**: IoT deployments might require you to deploy hardware in unsecure locations, such as in public spaces or unsupervised locales. In such situations, ensure that hardware deployment is as tamper-proof as possible, and only the necessary features are enabled to minimize physical attack footprint. For example, if the hardware has USB ports ensure that they're covered securely.
6666

67-
- **Keep authentication keys safe**: During deployment, each device requires device IDs and associated authentication keys generated by the cloud service. Keep these keys physically safe even after the deployment. A malicious device can use any compromised key to masquerade as an existing device.
67+
- **Keep authentication keys safe**: During deployment, each device requires device IDs and associated authentication keys generated by the cloud service. Keep these keys physically safe and use [renewable credentials](../iot-dps/how-to-roll-certificates.md). A malicious device can use any compromised key to masquerade as an existing device.
6868

6969
- **Keep the system up-to-date**: Ensure that device operating systems and all device drivers are upgraded to the latest versions. Keeping operating systems up-to-date helps ensure that they're protected against malicious attacks.
7070
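Review bot: The rewrite of the **Keep authentication keys safe** bullet (`67+`) drops "even after the deployment", so the text no longer says that keys need protecting for the whole device lifetime, and the new "renewable credentials" link points to the X.509 certificate-rolling how-to while the bullet itself talks about "authentication keys generated by the cloud service"; suggest keeping the original clause and either rewording the bullet to cover certificates or linking to guidance on rolling symmetric keys, e.g. "Keep these keys physically safe even after deployment, and prefer renewable credentials such as X.509 certificates that you can roll." Three smaller points in the same hunk: in the **Select secure hardware** bullet (`55+`) a TPM measures and attests the boot chain rather than providing secure boot by itself, so "measured boot and attestation based on a Trusted Platform Module" would match the linked page better; in the **Deploy hardware securely** bullet (`65+`) "minimize physical attack footprint" needs an article ("minimize the physical attack footprint"); and since **Enable secure upgrades** was renamed to **Enable secure updates**, the unchanged **Keep the system up-to-date** bullet still says "upgraded to the latest versions", which now reads inconsistently.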

@@ -74,15 +74,15 @@ Microsoft Defender for IoT can automatically monitor some of the recommendations
7474

7575
- **Follow device manufacturer security and deployment best practices**: If the device manufacturer provides security and deployment guidance, follow that guidance in addition to the generic guidance listed in this article.
7676

77-
- **Use a field gateway to provide security services for legacy or constrained devices**: Legacy and constrained devices might lack the capability to encrypt data, connect with the Internet, or provide advanced auditing. In these cases, a modern and secure field gateway can aggregate data from legacy devices and provide the security required for connecting these devices over the Internet. Field gateways can provide secure authentication, negotiation of encrypted sessions, receipt of commands from the cloud, and many other security features.
77+
- **Use a field gateway to provide security services for legacy or constrained devices**: Legacy and constrained devices might lack the capability to encrypt data, connect with the Internet, or provide advanced auditing. In these cases, a modern and secure field gateway can aggregate data from legacy devices and provide the security required for connecting these devices over the Internet. An [IoT Edge device can be used as a gateway](../iot-edge/iot-edge-as-gateway.md) and provide secure authentication, negotiation of encrypted sessions, receipt of commands from the cloud, and many other security features. [Azure Sphere](/azure-sphere/product-overview/what-is-azure-sphere?view=azure-sphere-integrated) can be used as a guardian module to secure other devices, including existing legacy systems not designed for trusted connectivity.
7878

7979
## Connection security
8080

8181
- **Use X.509 certificates to authenticate your devices to IoT Hub or IoT Central**: IoT Hub and IoT Central support both X509 certificate-based authentication and security tokens as methods for a device to authenticate. If possible, use X509-based authentication in production environments as it provides greater security. To learn more, see [Authenticating a device to IoT Hub](../iot-hub/authenticate-authorize-x509.md) and [Device authentication concepts in IoT Central](../iot-central/core/concepts-device-authentication.md).
8282

83-
- **Use Transport Layer Security (TLS) 1.2 to secure connections from devices**: IoT Hub and IoT Central use TLS to secure connections from IoT devices and services. Three versions of the TLS protocol are currently supported: 1.0, 1.1, and 1.2. TLS 1.0 and 1.1 are considered legacy. To learn more, see [Authentication and authorization](iot-overview-device-connectivity.md#authentication).
83+
- **Use Transport Layer Security (TLS) 1.2 to secure connections from devices**: IoT Hub and IoT Central use TLS to secure connections from IoT devices and services. Three versions of the TLS protocol are currently supported: 1.0, 1.1, and 1.2. TLS 1.0 and 1.1 are considered legacy. To learn more, see [Transport Layer Security (TLS) support in IoT Hub](../iot-hub/iot-hub-tls-support.md) and [TLS support in Azure IoT Hub Device Provisioning Service (DPS)](../iot-dps/tls-support.md).
8484

85-
- **Ensure you have a way to update the TLS root certificate on your devices**: TLS root certificates are long-lived, but they still might expire or be revoked. If there's no way of updating the certificate on the device, the device might not be able to connect to IoT Hub, IoT Central, or any other cloud service at a later date.
85+
- **Ensure you have a way to update the TLS root certificate on your devices**: TLS root certificates are long-lived, but they still might expire or be revoked. If there's no way of updating the certificate on the device, the device might not be able to connect to IoT Hub, IoT Central, or any other cloud service at a later date. To learn more, see [How to roll X.509 device certificates](../iot-dps/how-to-roll-certificates.md).
8686

8787
- **Consider using Azure Private Link**: Azure Private Link lets you connect your devices to a private endpoint on your virtual network, enabling you to block access to your IoT hub's public device-facing endpoints. To learn more, see [Ingress connectivity to IoT Hub using Azure Private Link](../iot-hub/virtual-network-support.md#ingress-connectivity-to-iot-hub-using-azure-private-link) and [Network security for IoT Central using private endpoints](../iot-central/core/concepts-private-endpoints.md).
8888
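Review bot: The link added to the **Ensure you have a way to update the TLS root certificate** bullet (`85+`) points to how-to-roll-certificates.md, which covers rolling the devices' own X.509 identity certificates, whereas the bullet is about replacing the trusted root CA certificate a device uses to verify the IoT Hub server; a reader following the link will not find root-store update guidance, so either link to a page about updating the device's root CA or drop the added sentence. Related: the **Use TLS 1.2** bullet (`83+`) still only lists which versions the service accepts and never states the action its title promises; suggest adding a sentence such as "Configure devices to negotiate TLS 1.2 and disable TLS 1.0 and 1.1 where the device stack allows it." Minor style: the new Azure Sphere link in `77+` carries a `?view=azure-sphere-integrated` query string while every other link in the file is a plain relative path; confirm that is intentional.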

@@ -125,4 +125,4 @@ To learn more about IoT security, see:
125125
- [Azure security baseline for Azure IoT Hub](/security/benchmark/azure/baselines/iot-hub-security-baseline?toc=/azure/iot-hub/TOC.json)
126126
- [IoT Central security guide](../iot-central/core/overview-iot-central-security.md)
127127
- [Security architecture for IoT solutions](iot-security-architecture.md)
128-
- [Security in your IoT workload (Azure Well-Architected Framework)](/azure/well-architected/iot/iot-security)
128+
- [Well-Architected Framework perspective on Azure IoT Hub](/azure/well-architected/service-guides/iot-hub)
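Review bot: Swapping the Well-Architected Framework link (`128-`/`128+`) from the IoT-workload security page to the IoT Hub service guide narrows the reference to a single service, while this article's **Connection security** section gives guidance for both IoT Hub and IoT Central (the X.509 and Private Link bullets link to both); consider keeping a workload-level or IoT Central reference alongside it, or labelling the new entry as IoT Hub specific, so readers of the IoT Central guidance are not left without a corresponding pointer.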
