Secure by Default with Microsoft: “Without IoT security people will be reluctant to innovate.”

In our second #beyondthenow podcast episode with Microsoft, we take a deep dive into IoT security with Eustace Asanghanwa (Principal Program Manager for Security, Azure IoT, Microsoft). Eustace and David explore IoT security challenges, what we mean by a secure by default approach, and the benefits of protection profiles. They also discuss Microsoft Azure's PSA Certified Level 1 certification, how it is helping to facilitate better collaboration with the ecosystem, and why we need to see more cohesion between different security certification schemes.

• Introductions to Eustace and Microsoft. [01:24]
• The Azure RTOS is PSA Certified Level 1 and how this addresses the ‘trilemma’ of IoT security. [03:56]
• PSA Certified is also helping to facilitate collaboration between the AzureRTOS and the ecosystem. [06:56]
• People value IoT security but they don’t always know what it means. [09:41]
• Securing the IoT will encourage new innovations [10:44]
• The autonomy of IoT devices is removing the ‘human companion’ and the IoT security protection that provides. [12:01]
• What is a ‘secure by default’ approach to security? [16:11]
• A Secure by default approach enables a threat modeling mindset. [17:08]
• When you design-in security you need to consider the product’s entire lifecycle. [18:52]
• People are willing to invest in IoT security because they understand the value of the IoT and digital transformation. [22:10]
• Securely deploying the IoT requires an ecosystem approach. [23:00]
• It's unrealistic to expect system integrators to become experts in all areas of IoT development and deployment. [24:53]
• As an ecosystem, we need to work together on the solutions to reduce the burden on system integrators. [26:29]
• Microsoft Azure’s Blueprint approach to IoT security. [27:39]
• Confidential Compute and the edge. [31:47]
• Protection profiles help us to answer the question ‘Is this device secured?’ [33:21]
• Protection profiles create a baseline of requirements for specific devices to be secured. [36:20]
• Multiple certifications help us target security at different levels of granularity. [39:36]
• We expect to see a more cohesive composition between IoT security certification schemes that target different functionalities and markets. [41:27]
• Eustace’s predictions for the IoT in 5 years’ time. [46:02]
• Blockchains might lower the cost of security infrastructure. [49:01]
• Eustace’s top piece of IoT security advice. [50:26]