All right, so I'm here today to talk to you a little bit about Azure Sphere. So my name is Carrie Payette, and I'm pleased to bring you this session on an introduction. This is going to be a light introduction to Azure IoT Sphere. So people that are potentially new to this will be able to pick it up and run with it. So what we're going to do today is talk a little bit about the architecture that is Azure Sphere, as well as how you would go about connecting an Azure Sphere device to an IoT Hub. So let's take a minute right now and talk briefly about IoT security, or in these cases, incidents with lack of security. So one of the first things that comes to mind is Wi-Fi-enabled baby monitors. So this was one of those things that was released early on in the IoT boom, as you would call it, where we started connecting anything and everything to the Internet. So many of these, especially early on, had a lot of problems. So consumers, they didn't know to change the default password on the equipment. They didn't have proper implementations. So backend traffic may not have been encrypted. Some of the backend websites weren't secured, so people could access different cameras by changing a URL on a query string. So hackers quickly took advantage of this, and they used it to creep on people, as well as holler obscenities at babies and their parents. So not a good thing. So on a much larger scale, multiple large cities in the US and abroad had implemented a connected traffic light system. This system, while the traffic lights themselves were pretty secure, what they didn't think about was the in-ground sensors that they would use. They basically had these in-ground sensors sending information up to like a data repeater with unencrypted data. So it wasn't the lights themselves, but the sensors on the ground were basically not secure. So hackers were able to pick up those messages, send a bunch of messy commands, and create traffic chaos.
So this ended up being a very expensive fix because everything was embedded in the firmware, and the devices that they had used were not over-the-air update compatible. So they ended up having to dig up roads in order to issue a more secured replacement. So now in the age of everything being connected, like we have our fitness trackers, we have our light bulbs, we have smart devices, but one of the other things that we have to think about is that we're now putting kids' toys in a connected environment. So we really, really, really need to think first about securing the systems and not thinking of using them like security as an afterthought. So development organizations don't necessarily have all the skills required to secure an IoT system. I know myself, I'm not a security expert by any means. I know enough, but I would definitely consult with other people when it comes to developing a security architecture. So because this IoT boom is relatively new, experts, even experts like security experts, are scrambling to keep up on top of new and emerging attack vectors as soon as they arise. So Azure Sphere has been developed to take much of that security pressure off the shoulders of development teams and the product manufacturers. It provides that security architecture out of the box. So what's important to note here is that Azure Sphere is more than just a simple device. It's an entire ecosystem. So Microsoft developed Azure Sphere based on decades of connected IoT hardware and software and cloud services. So what I'm trying to get at here is, in a nutshell, Azure Sphere brings us a truly secured end-to-end turnkey IoT solution. One of the fun facts I'd like to share with you is that many of the design considerations for Azure Sphere come from the Xbox line of connected devices. So I thought that was pretty cool. So there are three main components to Azure Sphere, the first being the hardware. So Microsoft will only certify MCUs that adhere to a strict security model.
So we're going to cover this in a little bit more detail in just a moment. The second aspect of Azure Sphere is the Azure Sphere OS. Now, this is a greatly, greatly pared down version of Linux. So it's been carefully produced. It's a custom kernel that's been pared down to reduce the threat surface of the device itself. So this means that yes, it is Linux-based, but you're not going to be accessing or interacting with this OS directly. Well, for one, there is no shell. The kernel itself does run in a supervisor mode and is responsible for all the onboard drivers for things like Wi-Fi, the UART, SPI, I²C, GPIO, and so forth. So the third component of Azure Sphere, come on number three, there it goes. So residing in the Cloud is the security service. So the Azure Sphere security service is responsible for all the authentication, the updates to the device, and failure reporting. One of the things that you will never, ever, ever see in an Azure Sphere space is a username and password. We all know that those are not the most secure things out of the box. So what Azure Sphere does is it uses everything via certificate-based authentication. So the security service does the remote attestation with certificates. It also validates that the devices are not being spoofed, the software is up to date, and that all updates that the Azure Sphere device itself is getting are provided by Microsoft. So failure reporting, this one is still kind of up and coming, but what it's going to do is provide a rich crash analysis to use in conjunction with your existing Azure subscriptions. So one of the reasons why updates are so critical for Azure Sphere is something that we touched on a little bit earlier, which is that we only know how to defend ourselves against attacks and threats that we know today. So how do we defend ourselves from something that's discovered tomorrow?
So by using Azure Sphere, you can remain confident that any updates are automatically pulled down to your device, and your systems will remain protected against threats today, tomorrow, or even 10 years from now, which brings me to another point, which is that licensing for the device, licensing for Azure Sphere, is provided by the purchase of the MCU directly. So you're guaranteed updates from Microsoft for 10 years. So here's the hardware architecture. So you'll notice here that yes, it's called an MCU and this is just a term for it, but it really is what we call a crossover, meaning that there's more than one MCU on a single die. So there's multiple cores on a single die, which you'll see here. So you can see that we have the ARM Cortex-A and the ARM Cortex-M, and there's other subsystems available as well. So one of the things that I want to call out here is that there's compartmentalization of each subsystem on this MCU. So this is done on purpose. So everything that you see in blue, which on the diagram calls it Microsoft IO firewalls, you don't have to think of it like an internet firewall, but what it does is it creates a boundary between each of these subsystems, and each component treats the others as if they've been compromised and are unsafe. So Microsoft Pluton is the root of trust. This is the subsystem that provides hardware-based security. So Microsoft Pluton provides like the cryptography, the secured boot, the measured boot to support remote attestation, as well as determining tampering countermeasures in case the device has been compromised. The ARM Cortex-A, which is sitting down in the lower left corner here, is responsible for actually running the operating system, as well as any high-level applications that you would develop.
So the ARM Cortex-M is responsible for real-time processing, so the real-time OS, and it can communicate back to high-level applications, but it also maps peripherals, and it does not have any access to the internet directly. So the Azure Sphere team has defined seven properties of a highly secured device. The first one is that it must have a hardware-based root of trust. So what we're talking about here is essentially the Pluton system. It is hardware-based. It's not sitting on software that can be tampered with, and it's important because it provides ways of mitigating forgery and spoofing. It also needs a small trusted base, a small trusted computing base. Again, back to Pluton. It's only Pluton and its security monitor that run in the computing base. Everything else is treated as unsafe. Defense in depth. So there's multiple layers of security, meaning that at each point and communication between subsystems, there's different mitigation points, different security measures in place, so threats can be mitigated before they propagate too much. Compartmentalization, we touched on this as well. We have the compartmentalization, even if it's a very good, happy place right now where nothing is compromised, each of those compartments, those little boxes on that previous diagram, still treats each other as if they are compromised. So what the compartmentalization does is it makes sure that if something goes wrong, it doesn't propagate through the systems. Certificate-based authentication, again, no usernames and passwords. The Pluton system validates it with an unforgeable cryptographic key, and every software element and cloud communication has to be signed back and forth with these keys in order to remain valid and not be rejected. Renewable security, we talked about the security service that would provide timely updates without intervention from a manufacturer or end users.
So what this means is, like in the case of those in-road sensors, you wouldn't have to go out and dig up each of those devices to add an update, a security update to the OS or to the actual device itself. The Azure Sphere is completely implemented with over-the-air updates, and it's done in a timely manner. So if there is a large security breach that's been discovered, Azure Sphere and Microsoft will update that and it'll automatically be downloaded by your devices, and you don't have to worry about digging up any roads, for instance. And failure reporting, the Sphere will automatically report operational data and failures, and so you can react to this and perform updates and service the device remotely. So from a high level here, you can see this is a diagram that I just pulled off of the Microsoft site, but you can see that we have these dishwashers, and these are dishwasher 100, dishwasher, you can see the little devices in the corner. But basically what happens is the Azure Sphere will do all of its authentication to the Azure Sphere security service using those certificates. And by using those certificates, we can validate that the Azure Spheres are definitely devices that are in our network, so you don't have any being introduced, and that they also possess the certificate that's required to access additional services. So you can see here the Azure Sphere security service does that attestation for you, and it also provides any of the updates to the OS and through the security services. All right, so in order to get started with the hardware, the first thing that you're going to need to do is purchase the device. I think that's a little obvious. The second thing we're going to need is to download and install the Azure Sphere SDK. The third thing that we're going to need is to connect the device to your computer, open the Azure Sphere command line tool and claim the device.
And lastly, you can use Visual, or sorry, prepare the device for debugging, which I'll show you how to do here in a moment. And we will also use Visual Studio project templates to create a C-based Azure Sphere application and deploy and debug as a normal application in Visual Studio. All right, so I guess we're all set and ready to see some devices. All right, so let me switch back to my camera here for a moment. Where is Skype? All right, I'm hoping you can see me again. So we have a couple devices that are available today. So the first one is the Seeed Studio Azure Sphere MT3620. The second one is the Avnet Azure Sphere MT3620 Starter Kit. So the Seeed Studio device here has an available Grove sensor hat. So that's what this thing right here is; this is an additional purchase. But what this allows you to do is essentially add plug-and-play sensors to it. So this is an example of one. So what it does is it's basically a standard Grove connector. It looks like a JST connector, but it really isn't. I'm having directional problems. All right, so that is that one there. So what the hats do essentially is allow you to do development without having to use a breadboard or do any soldering and all that. So there's over 280 Grove sensors available today that you can use in conjunction with this device as well as with the hat itself. All right, the second device is the Azure Sphere, the Avnet Azure Sphere Starter Kit. So this one here also has, on this side, it also has a Grove sensor connection. This is an I²C connection, and it also has two ports here. Sorry, one and two ports, I'm looking backwards, available for you to add a clickboard to. And what a clipboard, click, I keep saying clipboard, clickboard does is it allows you to work essentially like the Azure Sphere device does with the Grove sensor hat. It allows you to plug and play these expansion boards, and there's over 780 I think, sorry, 730 clickboards available today. So that is two of the devices.
One of the things that you'll notice is both of these devices are currently running the MediaTek MT3620. And this is because, as of right now, it's the only MCU available, or like the only processor available, that implements the security standard set forth by Microsoft. All right, so the next thing I'm going to show you is actually a prerecorded video that I'm going to walk you through. And the reason why it is prerecorded is because, one, we don't have time to wait for Azure resources to deploy. And two, because I do a lot from the command line, I had to blur out a lot of my secrets. So what I'm going to walk you through right now is the implementation of grabbing a device, claiming it and basically connecting it to Azure IoT Hub. So the first thing I did was I opened up the Azure Sphere developer. I guess I have to share my screen. All right, there we go. All right, so the first thing that I did here, I'll just move it back here for a second. You'll see that I'm opening the Azure Sphere developer command prompt window. And what I'm going to do now is log in to my Azure Sphere, and I'm going to log in with my Microsoft account, and this is my business account. So you either have to have a business or a school account, so a work or school account. You can see that I already have an Azure Sphere tenant. Now this tenant I had already created, and it's recommended that you only have one Azure Sphere tenant per organization. So I had been using Azure Sphere previously. So I've already created my tenant, but basically it would be Azure Sphere create tenant dash name, and you would give it the name, and it would essentially create that tenant on your Active Directory for your business. So the next thing I'm going to do, and I do have my Azure Sphere connected to my machine through a USB cable. So the Azure Sphere developer command prompt will automatically pick up that device that is connected.
So what I'm saying here is this was my brand new Avnet, so I just recently procured the Avnet device, and I'm going to go through the process here on video of how I went about claiming that device. So because I said Azure Sphere device claim, it's automatically going to pick up that device that is connected to my machine, and you'll see that it's claiming the device, and it says here that it successfully claimed it and it moved it into my Trillium Sphere AD tenant with like a GUID ID. So anytime you see these blurbs like this, it's just a long string that looks like a GUID; it's basically a series of numbers and characters, and this one right here is a GUID. Azure Sphere device Wi-Fi. So what this is going to do is I'm adding connectivity to the device itself. So I'm adding it to my Wi-Fi here to read that along, and you can see that the add network succeeded. Now the CLI tools for the Azure Sphere provide you with a bunch of commands. So usually it's Azure Sphere device, Azure Sphere tenant. So whatever you're working with, there's a bunch of different commands that you can use. You can see here that I've already added my Wi-Fi to the device itself. Now what I'm going to do is ask the device to show me what the current status of the Wi-Fi is. And we can see here that it successfully connected to my home Wi-Fi. So here we're going to go ahead and have it check what the current state of the operating system is. You can see here that it says my device is running an older version of the OS. It will automatically connect to the Wi-Fi and pull the over-the-air updates and update the device. In my case, I didn't have the patience for that. So I went ahead and I reset the device and pulled it down that way. So what Azure Sphere device recover does is, say for instance, like if you have a really old device. So if you bought your device early on in the betas for Azure Sphere, chances are that over-the-air updates are not going to be an option for you.
So what I'm doing here is showing you how you would go about grabbing that old device, and it doesn't matter if it's already been claimed, but basically connect it to your machine and perform a device recovery. So here's the Azure Sphere device recover, and this is sped through. So this is not that fast, but basically what it does is it erases the flash, pulls down a bunch of images for the OS and reboots the device. So you can see here that the device was recovered successfully. And then if I ran the OTA, like show OTA status again, it would show that I am running version 19.07 of the device. So now let's talk a little bit about adding Azure Sphere infrastructure onto Azure. So okay, the Azure Sphere device, it's fine and dandy, but we need to connect it to Azure in order to perform like analytics or provide, you know, give our data to something so we can view it. So what good is the device if you can't do anything with the data? So what I'm doing here is I've already created just a resource group called Azure Sphere orientation. And what I'm gonna do is add an IoT Hub, and I'm just gonna go through that a little quickly. So I created just a standard one because I already have a free one on my Azure subscription. So I just created a hub called Trillium Sphere Hub, and it'll go ahead and create that. And then the next thing that we need to do is create an IoT Hub device provisioning service. And basically what this does is it allows you to essentially assign enrollment groups based on a certificate that's trusted to auto-provision devices that hold that certificate. So we're gonna create Trillium Sphere provisioning service, and you can see that they're there. Then I went and clicked into my provisioned Trillium Sphere provisioning service, and I link my IoT Hub. So I'm gonna say add, and then I'm gonna select the Azure, the Trillium Sphere Hub, and select my IoT Hub owner policy.
So basically what we did here was we created the hub, we created the provisioning service and then we linked the IoT Hub that we created to our provisioning service. So the next thing that we need to do is to basically define the certificate that we're gonna be using for attestation. So we're gonna go and use our command line again and say Azure Sphere Tenant Download CA Certificate and we can output the certificate to our hard drive. Once we have that certificate, we can move ahead and add that into our provisioning service. So you'll see that we'll go down to certificates and we'll add and we can give it any name that we want and select the certificate that we just generated from the command line tool and we'll say open and save it. So now you can see that we have the Trillium Sphere certificate added but the status is unverified and what we need to do now is verify the device so we can prove that in fact we are who we say we are. And the way to do that is through generating a verification code. So you can see the verification code here. I'll click that button and then I'll copy that value into my clipboard and then ask the tenant to download the validation certificate based on that verification code. So again, we're gonna be outputting this certificate to our hard drive. Let's speed up that. So you can see we're giving it the output and then we're giving it the verification code. So what it's telling Azure that I am who I said I am is because I can generate this code in Azure and then respond to it from my local machine. So we saved the certificate and now we have to go back and actually validate it. So what I did here was I clicked on this folder icon here. So we have the validate verification file. So I selected that verification and then we'll refresh it and then it's verified. 
Now what I did was I created an enrollment group, and again, this is part of the Trillium Sphere provisioning service; it will manage enrollments in order to get devices to automatically update, automatically join the group based on that certificate. We need to have an enrollment group that uses that certificate that we just created, and then we can save that. Now, in order to run the device, we'll have to prep the debug, and there's also prep device field, but for right now, in order to do development, you need to do azsphere device prep-debug, and it'll download the application development configuration and disable over-the-air updates. And the reason for that is you don't want it to be updating software when you're developing. So you can see that the device capability has been added. So now if I come back to...

Hey, Carrie, just a heads up, we're right past time.

Okay, I'll finish up, I'll wrap up. Thank you. All right, so with, let me go ahead and, all right, so basically what I have right now is Visual Studio running Azure IoT, and it's running on my Avnet device, and you can see here that it's ready in Visual Studio. I deployed it just by hitting continue. I can set breakpoints and everything in here, so if I wanted to press a button, you can see that my breakpoints are being hit, and essentially you can treat it just as any normal application that you would deploy in Visual Studio. So I guess I'll wrap that up for now. Let me stop my screen sharing. Okay.

Can you hear us okay? We're running into Skype issues again. So everybody, thank you so much for taking it, and we'll see if Carrie comes back here in a second. Thank you for all the questions. I know she's on Twitch, so I'll have her join the chat room so she can answer those questions. What do you think of my cool HoloLens device here that I found just kind of laying around? They're all over the campus.

Well, until you start pinching in the air, I'm not gonna believe it's working.

Just do it like this, I can do that.
That's awesome. All right, yeah, I think we lost Carrie with Skype here so anyway we're gonna get Veronica up and going with ML and Chatbot so we will be doing the slide the whole thing here and we'll be right back.
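The device onboarding and DPS certificate steps that the talk walks through in the prerecorded video (log in, claim the attached device, add Wi-Fi, check OS/OTA status, export the tenant CA certificate, answer the DPS verification code, then prep the device for debugging) collected into one script. This is an added example, not part of the talk and not Microsoft's or the speaker's code. It assumes the v1 azsphere CLI syntax of the SDK era the talk shows (OS 19.07): the command and flag names (`download-CA-certificate`, `--verificationcode`, `--psk`, `show-ota-status`, `prep-debug`) are assumptions to check against your installed SDK. The Wi-Fi key is read from an environment variable rather than a command-line argument so it does not land in shell history. When `azsphere` is not on PATH, or `AZSPHERE_DRY_RUN=1`, the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: Azure Sphere onboarding + DPS certificate steps as one script.
# Assumes the v1 azsphere CLI (SDK 19.xx era); command and flag names are assumptions.
set -eu

# run: execute azsphere, or print the exact command when dry-running / CLI absent.
run() {
  if [ "${AZSPHERE_DRY_RUN:-0}" = "1" ] || ! command -v azsphere >/dev/null 2>&1; then
    printf 'azsphere %s\n' "$*"
  else
    azsphere "$@"
  fi
}

# Claim the USB-attached device into the signed-in tenant, join Wi-Fi,
# then show connectivity and OS/OTA status (the device pulls updates itself).
claim_and_connect() {
  ssid="$1"; psk="$2"
  run login
  run device claim
  run device wifi add --ssid "$ssid" --psk "$psk"
  run device wifi show-status
  run device show-ota-status
}

# Re-flash a device that is too old to receive OTA updates (erases flash,
# downloads current OS images, reboots), as the talk shows with "device recover".
recover_device() { run device recover; }

# Export the tenant CA certificate to upload to DPS, then the proof-of-possession
# certificate for the verification code DPS displays for that CA entry.
export_tenant_certs() {
  outdir="$1"; code="$2"
  run tenant download-CA-certificate --output "$outdir/CAcert.cer"
  run tenant download-validation-certificate --output "$outdir/ValidationCert.cer" --verificationcode "$code"
}

# Enable sideloading/debugging for development; this also disables OTA updates
# on the device, so keep it for dev units only.
prep_for_debug() { run device prep-debug; }

main() {
  [ "$#" -ge 3 ] || { echo "usage: $0 <ssid> <cert-outdir> <dps-verification-code>  (AZSPHERE_WIFI_PSK in env)" >&2; return 0; }
  psk="${AZSPHERE_WIFI_PSK:-}"
  [ -n "$psk" ] || { echo "AZSPHERE_WIFI_PSK is not set" >&2; return 1; }
  claim_and_connect "$1" "$psk"
  export_tenant_certs "$2" "$3"
  prep_for_debug
}

# Only run the procedure when invoked with arguments; defining the functions is harmless.
[ "$#" -eq 0 ] || main "$@"
```

Run it as `AZSPHERE_WIFI_PSK='...' ./onboard.sh MyNetwork ./certs ABC123` after creating the DPS CA entry in the portal and copying its verification code; upload `ValidationCert.cer` back to DPS to flip the entry to verified, as the talk does, and only then create the enrollment group against it.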