Microsoft is making privacy and security of the Internet of Things (IoT) a priority.
In a blog post on Data Privacy Day, Clemens Vasters, principal architect of Microsoft Azure IoT, spelled out some of Microsoft’s views on IoT security and privacy to help consumers and enterprises manage some of the risks involved with emerging technologies.
“Any serious discussion about IoT these days must include the overall security of connected ‘things’ and systems, in addition to data privacy,” Vasters said.
Vasters noted that since the release of Windows XP SP2 and the introduction of the Security Development Lifecycle, Microsoft has rallied around security with continued investment in security practices that are now key components of the company’s engineering practices.
“The Internet of Things takes IT to the heart of companies’ core businesses, into our homes, and—in the health industry—quite literally to our hearts,” he said. “We cannot make compromises in security here, as a company, as a partner ecosystem, as industry organizations or as a world community.”
Microsoft provides strong assurances for customer data stored in its Azure cloud data centers, and the company encourages its customers to respect the choices of their own customers as they build products and services that use the Microsoft platform as their foundation.
“The Internet of Things brings about the convergence of IT and the Internet on one hand, and commercial operational technology and consumer products on the other,” Vasters said. “Today’s Internet is an increasingly hostile environment, and the effort to create effective defenses in common hardware and software, as well as in server and cloud infrastructure, is enormous.
“There is reason to be concerned that effective security sometimes falls victim to cost considerations, and that established best practices and procedures for IoT products and services are sometimes left behind in the search for a ‘cheap’ path to security—a path that does not exist,” he said. “Even worse, we are seeing cases in which security is a purely secondary concern, and we hear, ‘Why would anyone ever want to hack this?’ Well, because they can.”
Microsoft participates in the development of many IoT projects and products, as the company’s technologies are leveraged and its advice sought by developers and implementers.
“Security, of course, is an essential component of strong data safeguards in all online computing environments,” Microsoft said in a white paper on Protecting Data and Privacy in the Cloud. “But security alone is not sufficient. Consumers’ and businesses’ willingness to use a particular cloud computing product also depends on their ability to trust that the privacy of their information will be protected, and that their data will only be used in a manner consistent with customer expectations.”
Microsoft’s approach to privacy and data protection in its cloud services is built on a commitment to empower organizations to control the collection, use and distribution of their information.
Indeed, when Microsoft envisions a new product or service, privacy and data protection are considered at each phase of development. This is part of the company’s approach to Privacy by Design, which describes not only how Microsoft builds products, but also how it operates its services and structures its internal governance practices. This comprehensive approach includes all of the people, processes and technologies that help to maintain and enhance privacy protections for Microsoft’s customers.
Microsoft Puts Focus on IoT Privacy and Security
Privacy considerations are embedded in the Microsoft Secure Development Lifecycle (SDL). The SDL is a software development process that helps developers build more secure software and address security and privacy compliance requirements while reducing development costs. All of Microsoft’s cloud services use the SDL to help ensure that the services and their features are secure and address data protections and privacy requirements.
The SDL is made up of seven phases, including training for developers and program managers in the foundational concepts, building secure software that protects privacy, and responding to security and privacy incidents when they occur. Those seven phases are: Response, Release, Verification, Implementation, Design, Requirements and Training.
One of the tools used to drive consistent privacy practices during development is the Microsoft Privacy Standards (MPS), which define standard privacy features and practices. Because security is critical to privacy, this alignment of complementary privacy and security processes helps minimize vulnerabilities in software code, guard against data breaches, and ensure that developers factor privacy considerations into Microsoft products and services from the outset, Microsoft said.
As part of the development process, privacy reviews are performed to verify that privacy requirements are adequately addressed. Additionally, as part of its Trustworthy Computing initiative, Microsoft employs more than 40 people full-time whose sole focus is protecting privacy. There are also more than 100 other employees whose job responsibilities include maintaining data privacy. Some of these employees reside in the cloud service product groups to help ensure each service meets corporate privacy requirements. These employees work in tandem with the Trustworthy Computing privacy group, which provides guidance, education and governance enforcement on privacy issues to employees throughout the company.
Microsoft has a longstanding commitment to help organizations build on their existing technology assets, devices and data to derive value from IoT in today’s mobile-first, cloud-first world. The company offers developers a range of technologies, from Windows and Azure to Visual Studio and even open-source technologies, for building IoT scenarios. These offerings address the needs of a full spectrum of developers, from hobbyists and makers to enterprises, and reflect the diversity of their needs, interests and opportunities.
For devices, Microsoft leveraged its long history in the marketplace with Windows Embedded to introduce a number of developer offerings for IoT. These include the Windows Developer Program for IoT, which targets makers and was announced last July. Also, Microsoft Azure enables developers to build rich IoT experiences across any device (Android, iOS and Windows) without sacrificing development productivity, while adapting to a developer’s unique needs, existing systems, skills and code.