Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure IoT Hub provides a central message hub for bi-directional communication between IoT applications and the devices they manage. When deploying this service, it's important to follow security best practices to protect data, configurations, and infrastructure.
This article provides guidance on how to best secure your Azure IoT Hub deployment.
Network security
Securing network access to your IoT Hub is crucial to prevent unauthorized access and protect the data flowing between your devices and the cloud.
Enable private endpoints: Eliminate public internet exposure by routing traffic through your virtual network with Azure Private Link, allowing devices to connect to your IoT hub without exposure to the public internet. See IoT Hub support for virtual networks with Azure Private Link.
Disable public network access: Prevent direct access from the public internet by disabling public endpoints when you can use private endpoints instead. See Managing public network access for your IoT hub.
Configure IP filtering: Restrict connections to your IoT Hub by allowing only specific IP addresses or ranges, limiting exposure to potential attacks. See IoT Hub IP filtering.
Enforce TLS 1.2 and strong cipher suites: Strengthen connection security by enforcing the use of TLS 1.2 and recommended cipher suites for all device and service connections. See Transport Layer Security (TLS) support in IoT Hub.
Identity and access management
Proper identity and access management is essential for controlling who can administer your IoT Hub and how devices authenticate to it.
Use Microsoft Entra ID authentication: Implement Microsoft Entra ID (formerly Azure AD) for authenticating and authorizing service API requests, enabling more granular access control than shared access policies. See Control access to IoT Hub by using Azure Active Directory.
Implement Azure RBAC for granular permissions: Assign least-privilege role-based access control to users and applications accessing IoT Hub management APIs, reducing the risk of unauthorized operations. See Manage access to IoT Hub by using Azure RBAC role assignment.
Use X.509 certificates for device authentication: Implement X.509 certificate-based authentication instead of SAS tokens for production environments to increase security and enable better credential management. See Authenticate identities with X.509 certificates.
Avoid shared symmetric keys across devices: Assign unique credentials to each device to prevent widespread compromise if a single key is leaked, limiting the impact of potential credential exposure.
Disable shared access policies when not needed: Reduce the attack surface by disabling shared access policies and tokens when using Microsoft Entra ID for authentication. See Enforce Microsoft Entra authentication.
Data protection
Protecting data both in transit and at rest is vital for maintaining the confidentiality and integrity of your IoT solution.
Implement device-level data encryption: Encrypt sensitive data on devices before transmission to IoT Hub to add an additional layer of protection beyond TLS, particularly for highly sensitive information. See Data protection at rest via standard encryption algorithms.
Use the latest SDK versions: Ensure you're using the most recent IoT Hub device SDKs which implement various security features including encryption and authentication.
Keep root CA certificates updated: Regularly update the trusted root certificates on your devices to maintain secure TLS connections, avoiding connection failures due to expired or revoked certificates. See IoT Hub TLS support.
Logging and monitoring
Comprehensive logging and monitoring is essential for detecting and responding to potential security issues in your IoT solution.
Enable resource logs for connections and device telemetry: Configure diagnostic settings to send IoT Hub resource logs to Azure Monitor Logs to track connection attempts, errors, and operations for security investigation. See Monitor and diagnose problems in your IoT hub.
Set up alerts for connectivity issues: Create alerts based on metrics and logs to detect unusual patterns like repeated authentication failures or unexpected disconnections that might indicate security problems. See Monitor, diagnose, and troubleshoot Azure IoT Hub device connectivity.
Monitor device SDK versions: Track the SDK versions used by connecting devices to ensure they're using secure and up-to-date versions that include the latest security patches. See Monitoring Azure IoT Hub.
Compliance and governance
Establishing proper governance and ensuring compliance with security standards are key aspects of maintaining a secure IoT solution.
Apply Azure Policy for IoT Hub: Implement Azure Policy to enforce and audit security configurations across your IoT hubs, ensuring consistent security standards are maintained. See Azure Policy built-in definitions for Azure IoT Hub.
Regularly audit access permissions: Review and validate the access permissions granted to users, applications, and devices regularly to ensure they adhere to the principle of least privilege.
Enable diagnostic settings for auditing: Configure diagnostic settings to capture and archive audit logs for your IoT Hub to support security investigations and compliance requirements. See Resource logs in IoT Hub should be enabled.
Implement network micro-segmentation: Logically separate IoT devices from other organizational resources by implementing network micro-segmentation, limiting the potential blast radius of a security incident.
Device security
Securing the devices that connect to your IoT Hub is critical for the overall security of your IoT solution.
Use renewable device credentials: Implement a process for regularly updating device credentials, such as rolling X.509 certificates, to limit the impact of compromised authentication.
Deploy update agents on devices: Ensure devices have update agents for receiving and applying security updates, keeping firmware and software secure throughout the device lifecycle.
Implement secure device provisioning: Use Azure IoT Hub Device Provisioning Service (DPS) for secure, zero-touch provisioning of devices at scale with appropriate authentication mechanisms.
Use Trusted Platform Modules: Deploy devices with hardware-based security features like Trusted Platform Modules (TPMs) to provide secure storage for cryptographic keys and protect against physical tampering.
Revoke access for compromised devices: Implement procedures to quickly revoke access for devices that show signs of compromise, preventing them from connecting to your IoT Hub and potentially impacting other devices.