What is IoT Edge?
Azure IoT Edge is an Internet of Things (IoT) service that builds on top of IoT Hub and enables users to carry out edge computing. Edge computing is when data is analysed on devices, that is, at the edge of the network, rather than in the cloud itself. With edge computing, you can avoid transferring raw data by carrying out data cleaning, aggregation and analysis on the device itself, and then send the insights gained to the cloud. This will result in reduced bandwidth costs, quicker response times and reduced traffic.
Artificial Intelligence on the Edge
Azure also offers services such as Azure Functions, Azure Stream Analytics and Azure Machine Learning which can all be run via Azure IoT Edge. This means that you can deploy AI, including image recognition, machine learning and complex event processing without having to write the code in-house.
Azure IoT Edge's Components
Azure IoT Edge has three components: IoT Edge modules, the IoT Edge runtime and a cloud-based interface.
IoT Edge Modules
These are containers that run Azure services, 3rd party services, or your own code. IoT Edge modules are deployed and execute locally on IoT Edge devices. Multiple modules can be configured to communicate with each other. You can also package Azure services into modules or develop custom modules. If you want to deploy your own code to your devices, Azure IoT Edge supports both Linux and Windows and Java, .NET Core 2.0, Node.js, C, and Python.
The IoT Edge Runtime
This runs on each IoT Edge device and manages the modules deployed there. It performs a number of functions including monitoring and managing the device and facilitating communications between the modules, the device, other devices and the cloud. Runtime supports both Linux and Windows operating systems.
This interface allows you to remotely monitor and manage IoT Edge devices. Cloud services allow users to create and configure a workload to be run on a specific type of device, send a workload to a set of devices and to monitor workloads running on devices in the field.
Using an IoT Edge Device as a Gateway
There are three patterns for using an IoT Edge device as a gateway:
- Protocol translation
- Identity translation
Devices are connected to a gateway device instead of IoT Hub. The gateway passes communications between the devices and IoT Hub. Both the devices themselves and a user interacting with the devices do not know that they are communicating with the cloud via a gateway.
If a device doesn't support MQTT, AMQP, or HTTP, then it uses a gateway device to send data to IoT Hub. All the information will look like it's coming from one device, the gateway device. If cloud applications want to analyse the data on a per device basis, then additional identifying information must be embedded in their messages.
If a device cannot connect to IoT Hub, then it connects to a gateway device instead. The gateway is able to understand the protocols used by downstream devices and provide them identity.
All three gateway patterns provide the following benefits:
- Edge analytics – the data coming from downstream devices is processed locally using AI services and only a subset of data is sent to IoT Hub.
- Downstream device isolation – With this gateway device, all downstream devices are protected from exposure to the internet. Also, it can be placed between an IT network which provides access to the internet and an OT network which is not connected to the internet.
- Traffic smoothing – In the case of IoT Hub throttling, the IoT Edge device will automatically implement exponential backoff. As a result, you’ll be able to cope better with spikes in traffic.
- Limited offline support – If messages can’t be delivered to IoT Hub, then the gateway device will store the message locally.
Devices on the edge produce data;, however, some of these devices may not have been designed with cloud connectivity in mind, but opaque gateways make it possible for the data which they generate to be accessed and used. A gateway which does identity translation also allows downstream devices to bully managed from the cloud. However, regardless of the protocol used, all your devices show up in IoT Hub.
Azure IoT Edge runs on most operating systems that can run containers; however, not all operating systems are equally supported. Operating systems are grouped into tiers depending on the level of support available.
For Tier 1 systems, Microsoft:
- has these operating system in automated tests
- provides installation packages for them
Tier 2 are generally compatible with Azure IoT Edge and can be used relatively easily.
Edge computing means that data and thus value are concentrated in the edge, and not just in the cloud. A device in the edge can also be physically accessed and is thus vulnerable to many types of threats. Therefore, devices in the edge need to be kept as secure as the cloud itself.
Azure IoT edge used certificate-based authentication. This mechanism is based on the standards governing Public Key Infrastructure (PKiX) by the Internet Engineering Task Force (IETF).
The Azure IoT Edge security framework requires unique certificate identities for all devices, modules and actors which interact, either physically or through network connection, with the Azure IoT Edge device.
Controlling access to resources and data is a fundamental part of security. Devices, modules and actors are only allowed to access resources and data within their permission scope, and only if this architecturally allowable. Other authorization schemes include certificate signing rights, and role-based access control (RBAC). Other authorization schemes can also be used, depending on your needs.
The integrity of software bits is ensured using attestation and in Azure IoT edge it is divided into three main categories.
- Static attestation
- Runtime attestation
- Software attestation
Static attestation is also referred to as secure boot. It involves the verification of the integrity of all the software, operating systems, runtimes and configuration information when the device is powered up. Azure IoT Edge’s security framework includes hardware engrained capabilities to ensure static attestation.
This is when a system detects malware or unauthorized configuration changes that occur after the boot process, and takes counter measures against them. Some of these attacks are warded off by the device’s hardware; however, extensions are also needed to combat runtime threats.
All systems need patches and upgrades. However, update processes require security as otherwise, they may be a vector which allows malware into a system. Azure IoT Edge updates are done through measured and signed packages in order to check the integrity of the patches and upgrades and to authenticate their source, thus preventing them from becoming threat vectors.
Hardware Root of Trust
Intelligent edge devices are often deployed in places where malicious actors may have access to them. Therefore, security offered by the device hardware is important. Azure IoT Edge works together with silicon hardware vendors to develop tamper resistant hardware for a variety of deployment scenarios.
Azure IoT Edge security allows extensibility into different areas including:
- First party security services like the Device Provisioning Service for Azure IoT Hub
- Third-party services such as managed security services
- Legacy systems which need to be retrofitted with alternative security arrangements
- Secure hardware
In the end, the highest success in securing the intelligent edge results from collaborative contributions from an open community driven by the common interest in securing IoT. These contributions might be in the form of secure technologies or services. The Azure IoT Edge security framework offers a solid foundation for security that is extensible for the maximum coverage to offer the same level of trust and integrity in the intelligent edge as with Azure cloud.