June 8, 2021

Microsoft’s latest acquisition of Refirm Labs is an important marker for the IoT security market


Microsoft’s latest acquisition of Refirm Labs is an important marker for the IoT security market. As published in the most recent IoT competitive analysis by ABI Research report, Microsoft is a clear leader in cloud based IoT deployments with Azure services like IoT Hub, IoT Central, and IoT Edge. But despite the ever-increasing number of vendors addressing security vulnerabilities for IoT devices, from secure chipsets like Azure Sphere, to Detect and Respond technologies, there still exists many critical gaps in the majority of enterprise IoT deployments which serve to delay the progression of IoT projects post-pilot and in to production, where companies can actually recognize the business benefits.

One of the major stumbling blocks is how do companies even know which devices are putting them most at risk, and where might data encryption need to be applied to protect critical information? Refirm Labs, as a firmware analysis tool can help find vulnerabilities and expose security holes. For example, if a connection does not use proper authentication – or if data should be encrypted before being transmitted or stored. This is an important addition to Microsoft’s Azure IoT offering as it will allow their customers to plan more accurately secure deployments. Interestingly, Edge compute has become a much more mature deployment model recently, driven by market demand and requirement. Localised AI/ML and device management solutions are a mainstream requirement these days with a lot of Enterprises shifting to local / private network deployments. For rogue attackers this type of solution is attractive. Security at the Edge needs to have the highest priority, perhaps interestingly with the Refirm labs acquisition, Microsoft are also building increasing amounts of defence in depth for IoT Edge deployments to thwart the would-be attacker.

Firmware analysis is one layer of the “security onion” to which there are many layers. For instance, how do you automate security processes at scale? Once a series of IoT devices are determined as needing enhanced security, how does a customer safely authenticate, provide credentials, apply policy, encrypt the data, and rotate encryption keys as needed? There is a full lifecycle for IoT devices which must be managed over time in a zero-touch environment. Even for edge compute gateways on a private network, with no cloud connectivity, the same security operations and management are needed.

Device Authority’s KeyScaler platform accompanies the analysis provided by tools like Refirm Labs and helps manage the full security lifecycle of the devices determined to be at risk. As we like to say, “a rising tide floats all boats”, and Microsoft’s latest acquisition certainly is helping accelerate the tide of IoT deployments.

Tyler Gannon