Accelerating digital transformation in manufacturing

Digital transformation in manufacturing has the potential to increase annual global economic value by $4.5 trillion according to the IDC MarketScape.i With so much upside, manufacturers are looking at how technologies like IoT, machine learning, and artificial intelligence (AI) can be used to optimize supply chains, improve factory performance, accelerate product innovation, and enhance service offerings.

Digital transformation starts by collecting data from machines on the plant floor, assets in the supply chain, or products being used by customers. This data can be combined with other business data and then modeled and analyzed to gain actionable insights.

Let’s take a look at three manufacturers—Festo, Kao, and AkzoNobel—and see how each one is using technologies like IoT, machine learning, and AI to accelerate their digital transformation.

Providing predictive maintenance as a service

Based in Germany, Festo sells electric and pneumatic drive solutions to 300,000 customers in 176 countries. The company’s goal is to increase uptime for customers by providing predictive maintenance offerings as software as a service (SaaS) offerings. Festo’s strategy is to connect machines to the cloud with Azure IoT and then enable customers to visualize data along the entire value chain.

One of the first SaaS offerings is Festo Dashboards built on Azure. Festo Dashboards provides a clear and intuitive status of equipment like sensor temperatures and valve switches. With Festo Dashboards, manufacturers can more easily monitor energy consumption, quickly diagnose faults, and optimize production availability.

Anticipating consumer trends for better manufacturing forecasting

Kao, one of Japan’s leading consumer brands, sees the consumer market evolving. Today, consumers prioritize their product experience over product quality. They also look to social media for purchasing guidance. These behaviors lead to forecasting challenges. To keep up with these changes, Kao sought to better understand individual customers and categorize trends into micro-segments. The company terms this approach “small mass marketing.” Kao designed a data analysis platform using Microsoft Azure Synapse Analytics and Microsoft Power BI to predict consumer trends for their detergent, cosmetic, and toiletry products. The Kao team combined data from real-time purchases, social media, and historical sales. Kao competes more effectively using predictive models, and chain store employees are empowered with real-time information for selling.

Reducing the development time of new paint colors

Dutch paint and coatings leader, AkzoNobel, is active in more than 100 countries. The company has honed the art of color matching for two centuries for cars, buildings, and interiors. One of the company’s businesses is developing the paint to repair cars when drivers have an accident. Manufacturers in the car and other industries constantly dream up new finishes to give their models an edge on the competition.

To keep up with rapid rate of change, AkzoNobel introduced Azure Machine Learning into its color prediction process. Previously, scientists labored painstakingly in labs to adjust, recalibrate, and tweak a color until it was just right. The company worked with its scientist and technicians to integrate machine mearning into their development process. The main impact is seen in the lab, where teams are now able to create more color recipes, more accurately, in less time. Previously, it could take up to two years to get a car color ready. Now AkzoNobel is seeing new paint colors ready in one month.

Next steps

For ideas on accelerating your digital transformation journey download, The Road to Intelligent Manufacturing: Leveraging a Platform, co-authored by Microsoft and Capgemini.

i IDC MarketScape: Worldwide Industrial IoT Platforms in Manufacturing 2019 Vendor Assessment
Quelle: Azure

Solutions and guidance to help content producers and creators work remotely

The global health pandemic has impacted every organization on the planet—no matter the size—their employees, and the customers they serve. The emphasis on social distancing and shelter in place orders have disrupted virtually every industry and form of business. The Media & Entertainment (M&E) industry is no exception. Most physical productions have been shut down for the foreseeable future. Remote access to post-production tools and content is theoretically possible, but in practice is fraught with numerous issues, given the historically evolved, fragmented nature of the available toolsets, vendor landscape, and the overall structure of the business

At the same time, more so today than ever before, people are turning to stories, content, and information to connect us with each other. If you need help or assistance with general remote work and collaboration, please visit this blog.

If you’d like to learn more about best practices and solutions for M&E workloads, such as VFX, editorial, and other post-production workflows—which are more sensitive to network latency, require specialized high-performance hardware and software in custom pipelines, and where assets are mostly stored on-premises (sometimes in air-gapped environments)—read on.

First, leveraging existing on-premises hardware can be a quick solution to get your creative teams up and running. This works when you have devices inside the perimeter firewall, tied to specific hardware and network configurations that can be hard to replicate in the cloud. It also enables cloud as a next step rather than a first step, helping you fully leverage existing assets and only pay for cloud as you need it. Solutions such as Teradici Cloud Access Software running on your artists’ machines enables full utilization of desktop computing power, while your networking teams provide a secure tunnel to that machine. No data movement is necessary, and latency impacts between storage and machine are minimized, making this a simple, fast solution to get your creatives working again. For more information, read Teradici’s Work-From-Home Rapid Response Guide and specific guidance for standalone computers with Consumer Grade NVIDIA GPUs.

Customers who need to enable remote artists with cloud workstations, while maintaining data on-premises, can also try out an experimental way to use Avere vFXT for Azure caching policies to further reduce latency. This new approach optimizes creation, deletion, and listing of files on remote NFS shares often impacted by increased latency. 

Second, several Azure partners have accelerated work already in progress to provide customers with new remote options, starting with editorial.

Avid has made their new Avid Edit on Demand solution immediately available through their Early Access Program. This is a great solution for broadcasters and studios who want to spin up editorial workgroups of up to 30 users. While the solution will work for customers anywhere in the world, it is currently deployed in US West 2, East US 2, North Europe, and Japan East so customers closest to those regions will have the best user experience. You can apply to the Early Access Program here, and applications take about two days to process. Avid is also working to create a standardized Bring Your Own License (BYOL) and Software as a Service (SaaS) that addresses enterprise post-production requirements.
Adobe customers who purchase Creative Cloud for individuals or teams can use Adobe Premiere Pro for editing in a variety of remote work scenarios. Adobe has also extended existing subscriptions for an additional two months. For qualified  Enterprise customers who would like to virtualize and deploy Creative Cloud applications in their environments, Adobe wanted us to let you know, “it is permitted as outlined in the Creative Cloud Enterprise Terms of Use.” Customers can contact their Adobe Enterprise representative for more details and guidance on best practices and eligibility.
BeBop, powered by Microsoft Azure, enables visual effects artists, editors, animators, and post-production professionals to create and collaborate from any corner of the globe, with high security, using just a modest internet connection. Customers can remotely access Adobe Creative Cloud applications, Foundry software, and Autodesk products and subscriptions including Over the Shoulder capabilities and BeBop Rocket File Transfer. You can sign up at Bebop’s website.
StratusCore provides a comprehensive platform for the remote content creation workforce including industry leading software tools through StratusCore’s marketplace; virtual workstation, render nodes and fast storage; project management, budget and analytics for a variety of scenarios. Individuals and small teams can sign up here and enterprises can email them here.

Third, while these solutions work well for small to medium projects, teams, and creative workflows, we know major studios, enterprise broadcasters, advertisers, and publishers have unique needs. If you are in this segment and need help enabling creative—or other Media and Entertainment specific workflows for remote work—please reach out to your Microsoft sales, support, or product group contacts so we can help

I know that we all want to get people in this industry back to work, while keeping everyone as healthy and safe as possible!

We’ll keep you updated as more guidance becomes available, but until then thank you for everything everyone is doing as we manage through an unprecedented time, together.
Quelle: Azure

Using Azure Monitor source map support to debug JavaScript errors

Azure Monitor’s new source map support expands a growing list of tools that empower developers to observe, diagnose, and debug their JavaScript applications.

Difficult to debug

As organizations rapidly adopt modern JavaScript frontend frameworks such as React, Angular, and Vue, they are left with an observability challenge. Developers frequently minify/uglify/bundle their JavaScript application upon deployment to make their pages more performant and lightweight which obfuscates the telemetry collected from uncaught errors and makes those errors difficult to discern.

Source maps help solve this challenge. However, it’s difficult to associate the captured stack trace with the correct source map. Add in the need to support multiple versions of a page, A/B testing, and safe-deploy flighting, and it’s nearly impossible to quickly troubleshoot and fix production errors.

Unminify with one-click

Azure Monitor’s new source map integration enables users to link an Azure Monitor Application Insights Resource to an Azure Blob Services Container and unminify their call stacks from the Azure Portal with a single click. Configure continuous integration and continuous delivery (CI/CD) pipelines to automatically upload your source maps to Blob storage for a seamless end-to-end experience.

Microsoft Cloud App Security’s story

The Microsoft Cloud App Security (MCAS) Team at Microsoft manages a highly scalable service with a React JavaScript frontend and uses Azure Monitor Application Insights for clientside observability.

Over the last five years, they’ve grown in their agility to deploying multiple versions per day. Each deployment results in hundreds of source map files, which are automatically uploaded to Azure Blob container folders according to version and type and stored for 30 days.

Daniel Goltz, Senior Software Engineering Manager, on the MCAS Team explains, “The Source Map Integration is a game-changer for our team. Before it was very hard and sometimes impossible to debug and resolve JavaScript based on the unminified stack trace of exceptions. Now with the integration enabled, we are able to track errors to the exact line that faulted and fix the bug within minutes.”

Debugging JavaScript demo

Here’s an example scenario from a demo application:

Get started

Configure source map support once, and all users of the Application Insights Resource benefit. Here are three steps to get started:

Enable web monitoring using our JavaScript SDK.
Configure a Source Map storage account.

End-to-end transaction details blade.
Properties blade.

Configure CI/CD pipeline.

Note: Add an Azure File Copy task to your Azure DevOps Build pipeline to upload source map files to Blob each time a new version of your application deploys to ensure relevant source map files are available.

 

Manually drag source map

If source map storage is not yet configured or if your source map file is missing from the configured Azure Blob storage container, it’s still possible to manually drag and drop a source map file onto the call stack in the Azure Portal.

 

Submit your feedback

Finally, this feature is only possible because our Azure Monitor community spoke out on GitHub. Please keep talking, and we’ll keep listening. Join the conversation by entering an idea on UserVoice, creating a new issue on GitHub, asking a question on StackOverflow, or posting a comment below.
Quelle: Azure

Detect large-scale cryptocurrency mining attack against Kubernetes clusters

Azure Security Center's threat protection enables you to detect and prevent threats across a wide variety of services from Infrastructure as a Service (IaaS) layer to Platform as a Service (PaaS) resources in Azure, such as IoT, App Service, and on-premises virtual machines.

At Ignite 2019 we announced new threat protection capabilities to counter sophisticated threats on cloud platforms, including preview for threat protection for Azure Kubernetes Service (AKS) Support in Security Center and preview for vulnerability assessment for Azure Container Registry (ACR) images.

Azure Security Center and Kubernetes clusters 

In this blog, we will describe a recent large-scale cryptocurrency mining attack against Kubernetes clusters that was recently discovered by Azure Security Center. This is one of the many examples Azure Security Center can help you protect your Kubernetes clusters from threats.

Crypto mining attacks in containerized environments aren’t new. In Azure Security Center, we regularly detect a wide range of mining activities that run inside containers. Usually, those activities are running inside vulnerable containers, such as web applications, with known vulnerabilities that are exploited.

Recently, Azure Security Center detected a new crypto mining campaign that targets specifically Kubernetes environments. What differs this attack from other crypto mining attacks is its scale: within only two hours a malicious container was deployed on tens of Kubernetes clusters.

The containers ran an image from a public repository: kannix/monero-miner. This image runs XMRig, a very popular open source Monero miner.

The telemetries showed that container was deployed by a Kubernetes Deployment named kube-control.

As can be shown in the Deployment configuration below, the Deployment, in this case, ensures that 10 replicas of the pod would run on each cluster:

In addition, the same actor that deployed the crypto mining containers also enumerated the cluster resources including Kubernetes secrets. This might lead to exposure of connection strings, passwords, and other secrets which might enable lateral movement.

The interesting part is that the identity in this activity is system:serviceaccount:kube-system:kubernetes-dashboard which is the dashboard’s service account.
This fact indicates that the malicious container was deployed by the Kubernetes dashboard. The resources enumeration was also initiated by the dashboard’s service account.

There are three options for how an attacker can take advantage of the Kubernetes dashboard:

Exposed dashboard: The cluster owner exposed the dashboard to the internet, and the attacker found it by scanning.
The attacker gained access to a single container in the cluster and used the internal networking of the cluster for accessing the dashboard (which is possible by the default behavior of Kubernetes).
Legitimate browsing to the dashboard using cloud or cluster credentials.

The question is which one of the three options above was involved in this attack? To answer this question, we can use a hint that Azure Security Center gives, security alerts on the exposure of the Kubernetes dashboard. Azure Security Center alerts when the Kubernetes dashboard is exposed to the Internet. The fact that this security alert was triggered on some of the attacked clusters implies that the access vector here is an exposed dashboard to the Internet.

A representation of this attack on the Kubernetes attack matrix would look like:

 

Avoiding cryptocurrency mining attacks

How could this be avoided?

Do not expose the Kubernetes dashboard to the Internet: Exposing the dashboard to the Internet means exposing a management interface.
Apply RBAC in the cluster: When RBAC is enabled, the dashboard’s service account has by default very limited permissions which won’t allow any functionality, including deploying new containers.
Grant only necessary permissions to the service accounts: If the dashboard is used, make sure to apply only necessary permissions to the dashboard’s service account. For example, if the dashboard is used for monitoring only, grant only “get” permissions to the service account.
Allow only trusted images: Enforce deployment of only trusted containers, from trusted registries.

Learn more

Kubernetes is quickly becoming the new standard for deploying and managing software in the cloud. Few people have extensive experience with Kubernetes and many only focuses on general engineering and administration and overlook the security aspect. Kubernetes environment needs to be configured carefully to be secure, making sure no container focused attack surface doors are not left open is exposed for attackers. Azure Security Center provides:

Discovery and Visibility: Continuous discovery of managed AKS instances within Security Center’s registered subscriptions.
Secure Score recommendations: Actionable items to help customers comply with security best practices in AKS as part of the customer’s Secure Score, such as "Role-Based Access Control should be used to restrict access to a Kubernetes Service Cluster."
Threat Detection: Host and cluster-based analytics, such as “A privileged container detected."

To learn more about AKS Support in Azure Security Center, please visit the documentation here.
Quelle: Azure

Introducing incremental enrichment in Azure Cognitive Search

Incremental enrichment is a new feature of Azure Cognitive Search that brings a declarative approach to indexing your data. When incremental enrichment is turned on, document enrichment is performed at the least cost, even as your skills continue to evolve. Indexers in Azure Cognitive Search add documents to your search index from a data source. Indexers track updates to the documents in your data sources and update the index with the new or updated documents from the data source.

Incremental enrichment is a new feature that extends change tracking from document changes in the data source to all aspects of the enrichment pipeline. With incremental enrichment, the indexer will drive your documents to eventual consistency with your data source, the current version of your skillset, and the indexer.

Indexers have a few key characteristics:

Data source specific.
State aware.
Can be configured to drive eventual consistency between your data source and index.

In the past, editing your skillset by adding, deleting, or updating skills left you with a sub-optimal choice. Either rerun all the skills on the entire corpus, essentially a reset on your indexer, or tolerate version drift where documents in your index are enriched with different versions of your skillset.

With the latest update to the preview release of the API, the indexer state management is being expanded from only the data source and indexer field mappings to also include the skillset, output field mappings knowledge store, and projections.

Incremental enrichment vastly improves the efficiency of your enrichment pipeline. It eliminates the choice of accepting the potentially large cost of re-enriching the entire corpus of documents when a skill is added or updated, or dealing with the version drift where documents created/updated with different versions of the skillset and are very different in shape and/or quality of enrichments.

Indexers now track and respond to changes across your enrichment pipeline by determining which skills have changed and selectively execute only the updated skills and any downstream or dependent skills when invoked. By configuring incremental enrichment, you will be able to ensure that all documents in your index are always processed with the most current version of your enrichment pipeline, all while performing the least amount of work required. Incremental enrichment also gives you the granular controls to deal with scenarios where you want full control over determining how a change is handled.

Indexer cache

Incremental indexing is made possible with the addition of an indexer cache to the enrichment pipeline. The indexer caches the results from each skill for every document. When a data source needs to be re-indexed due to a skillset update (new or updated skill), each of the previously enriched documents is read from the cache and only the affected skills, changed and downstream of the changes are re-run. The updated results are written to the cache, the document is updated in the index and optionally, the knowledge store. Physically, the cache is a storage account. All indexes within a search service may share the same storage account for the indexer cache. Each indexer is assigned a unique cache id that is immutable.

Granular controls over indexing

Incremental enrichment provides a host of granular controls from ensuring the indexer is performing the highest priority task first to overriding the change detection.

Change detection override: Incremental enrichment gives you granular control over all aspects of the enrichment pipeline. This allows you to deal with situations where a change might have unintended consequences. For example, editing a skillset and updating the URL for a custom skill will result in the indexer invalidating the cached results for that skill. If you are only moving the endpoint to a different virtual machine (VM) or redeploying your skill with a new access key, you really don’t want any existing documents reprocessed.

To ensure that that the indexer only performs enrichments you explicitly require, updates to the skillset can optionally set disableCacheReprocessingChangeDetection query string parameter to true. When set, this parameter will ensure that only updates to the skillset are committed and the change is not evaluated for effects on the existing corpus.

Cache invalidation: The converse of that scenario is one where you may deploy a new version of a custom skill, nothing within the enrichment pipeline changes, but you need a specific skill invalidated and all affected documents re-processed to reflect the benefits of an updated model. In these instances, you can call the invalidate skills operation on the skillset. The reset skills API accepts a POST request with the list of skill outputs in the cache that should be invalidated. For more information on the reset skills API, see the documentation.

Updates to existing APIs

Introducing incremental enrichment will result in an update to some existing APIs.

Indexers

Indexers will now expose a new property:

Cache

StorageAccountConnectionString: The connection string to the storage account that will be used to cache the intermediate results.
CacheId: The cacheId is the identifier of the container within the annotationCache storage account that is used as the cache for this indexer. This cache is unique to this indexer and if the indexer is deleted and recreated with the same name, the cacheid will be regenerated. The cacheId cannot be set, it is always generated by the service.
EnableReprocessing: Set to true by default, when set to false, documents will continue to be written to the cache, but no existing documents will be reprocessed based on the cache data.

Indexers will also support a new querystring parameter:

ignoreResetRequirement set to true allows the commit to go through, without triggering a reset condition.

Skillsets

Skillsets will not support any new operations, but will support new querystring parameter:

disableCacheReprocessingChangeDetection set to true when you want no updates to on existing documents based on the current action.

Datasources

Datasources will not support any new operations, but will support new querystring parameter:

ignoreResetRequirement set to true allows the commit to go through without triggering a reset condition.

Best practices

The recommended approach to using incremental enrichment is to configure the cache property on a new indexer or reset an existing indexer and set the cache property. Use the ignoreResetRequirement sparingly as it could lead to unintended inconsistency in your data that will not be detected easily.

Takeaways

Incremental enrichment is a powerful feature that allows you to declaratively ensure that your data from the datasource is always consistent with the data in your search index or knowledge store. As your skills, skillsets, or enrichments evolve the enrichment pipeline will ensure the least possible work is performed to drive your documents to eventual consistency.

Next steps

Get started with incremental enrichment by adding a cache to an existing indexer or add the cache when defining a new indexer.
Quelle: Azure

Accelerating innovation: Start with Azure Sphere to secure IoT solutions

From agriculture to healthcare, IoT unlocks opportunity across every industry, delivering profound returns, such as increased productivity and efficiency, reduced costs, and even new business models. And with a projected 41.6 billion IoT connected devices by 2025, momentum continues to build.

While IoT creates new opportunities, it also brings new cybersecurity challenges that could potentially result in stolen IP, loss of brand trust, downtime, and privacy breaches. In fact, 97 percent of enterprises rightfully call out security as a key concern when adopting IoT. But when organizations have a reliable foundation of security on which they can build from the start, they can realize durable innovation for their business versus having to figure out what IoT device security requires and how to achieve it.

Read on to learn how you can use Azure Sphere—now generally available—to create and accelerate secure IoT solutions for both new devices and existing equipment. As you look to transform your business, discover why IoT security is so important to build in from the start and see how the integration of Azure Sphere has enabled other companies to focus on innovation. For a more in-depth discussion, be sure to watch the Azure Sphere general availability webinar.

Defense in depth, silicon-to-cloud security

It’s important to understand on a high level how Azure Sphere delivers quick and cost-effective device security. Azure Sphere is designed around the seven properties of highly secure devices and builds on decades of Microsoft experience in delivering secure solutions. End-to-end security is baked into the core, spanning the hardware, operating system, and cloud, with ongoing service updates to keep everything current.

While other IoT device platforms must rely on costly manual practices to mitigate missing security properties and protect devices from evolving cybersecurity threats, Azure Sphere delivers defense-in-depth to guard against and respond to threats. Add in ongoing security and OS updates to help ensure security over time, and you have the tools you need to stay on top of the shifting digital landscape.

Propel innovation on a secure foundation

Azure Sphere removes the complexity of securing IoT devices and provides a secure foundation to build on. This means that IoT adopters spend less time and money focused on security and more time innovating solutions that solve key business problems, delivering a greater return on investment as well as faster time to market.

Connected coffee with Azure Sphere 

A great example is Starbucks, who partnered with Microsoft to connect its fleet of coffee machines using the guardian module with Azure Sphere. The guardian module helps businesses quickly securely connect existing equipment without any redesign, saving both time and money.

With IoT-enabled coffee machines, Starbucks collects more than a dozen data points such as type of beans, temperature, and water quality for every shot of espresso. They are also able to perform proactive maintenance on the machines to avoid costly breakdowns and service calls. Finally, they are using the solution to transmit new recipes directly to the machines, eliminating manual processes and reducing costs.

Azure Sphere innovation within Microsoft

Here at Microsoft, Azure Sphere is also being used by the cloud operations team in their own datacenters. With the aim of providing safe, fast and reliable cloud infrastructure to everyone, everywhere, it was an engineer’s discovery of Azure Sphere that started to make their goal of connecting the critical environment systems—the walls, the roof, the electrical system, and mechanical systems that house the datacenters—a reality.

Using the guardian module with Azure Sphere, they were able to move to a predictive maintenance model and better prevent issues from impacting servers and customers. Ultimately it is allowing them to deliver better outcomes for customers and utilize the datacenter more efficiently. And even better, Azure Sphere is giving them the freedom to innovate, create and explore—all on a secure, cost-effective platform.

Partner collaborations broaden opportunities

Throughout it all, enabling this innovation, is our global ecosystem of Microsoft partners that enable us to advance capabilities and bring Azure Sphere to a broad range of customers and applications.

Together, we can provide a more extensive range of options for businesses—from the single chip Wi-Fi solution from MediaTek that meets more traditional needs to other upcoming solutions from NXP and Qualcomm. NXP will provide an Azure Sphere certified chip that is optimized for performance power, and Qualcomm will offer the first cellular-native Azure Sphere chip.

Register today

Register for the Azure Sphere general availability webinar to explore how Azure Sphere works, how businesses are benefiting from it, and how you can use Azure Sphere to create secure, trustworthy IoT devices that enable true business transformation.
Quelle: Azure

New Azure RTOS collaborations with leaders in the semiconductor industry

IoT is reaching mainstream adoption across businesses in all market segments. Our vision is to enable Azure to be the world’s computer, giving businesses real-time visibility into every aspect of their operations, assets, and products. Businesses are harnessing signals from IoT devices of all shapes and sizes, from the very smallest microcontroller units (MCUs) to very capable microprocessor units (MPUs). This presents a great opportunity for collaboration between semiconductor manufacturers with extensive expertise in MCUs/MPUs and Azure IoT, an industry leader in IoT.

It has been nearly one year since we acquired Express Logic and their popular ThreadX RTOS, and last year we announced Azure RTOS that provides customers those capabilities with the leading real-time operating system (RTOS) in the industry.

Today, we’re announcing additional collaborations with industry leaders, which together represent the vast majority of the market for 32-bit MCUs. Their MCUs are embedded into billions of devices from sensors, streetlights, and shipping containers to smart home appliances, medical devices, and more.

STMicroelectronics, Renesas, NXP, Microchip, and Qualcomm will all offer embedded development kits featuring Azure RTOS ThreadX, one of the components of the Azure RTOS embedded application development suite. This allows embedded developers to access reliable, real-time performance for resource-constrained devices, and seamless integration with the power of Azure IoT to connect, monitor, and control a global fleet of IoT assets.

We will also be releasing the full source code for all Azure RTOS components on GitHub, allowing developers to freely explore, develop, test, and adapt Azure RTOS to suit their needs. When developers are ready to take their code into production, the production license will be included automatically if they deploy to any of the supported MCU devices from STMicroelectronics, Renesas, NXP, Microchip, or Qualcomm. If they prefer to use a different device in production, they may contact Microsoft for direct licensing details.

As we work with our semiconductor partners to implement best practices for connected devices, Azure RTOS will include easy-to-use reference projects and templates for connectivity to Azure IoT Hub, Azure IoT Central, Azure IoT Edge Gateways as well as first-class integration with Azure Security Center. Azure RTOS will soon ship with an Azure Security Center module for monitoring threats and vulnerabilities on IoT devices.

When combined with Azure Sphere, Azure RTOS enables embedded developers to quickly build real-time, highly-secured IoT devices for even the most demanding environments—robust devices that offer real-time performance and protection from evolving cybersecurity threats. For MCUs and system on chips (SoCs) that are smaller than what Azure Sphere supports, Azure RTOS and Azure IoT Hub Device Management enable secure communications for embedded developers and device operators who have the ability to implement best practices to protect devices from cybersecurity attacks.

For partners wishing to deliver reliable, real-time performance on highly-secured connected devices that stay secured against evolving cybersecurity threats over time, we recommend Azure RTOS and Azure Sphere together for the most demanding environments.

Here are more details on our collaboration with industry leaders.

STMicroelectronics (ST)

STMicroelectronics (ST) is a renowned world leader in ARM® Cortex®-M MCUs with its STM32 family, providing their OEM and mass-market customers with a wide portfolio of simple-to-use MCUs, coming with a complete development environment and best-in-class ecosystem.

“We are delighted to be collaborating with Microsoft to address even better our customers’ needs,” said Ricardo de Sa Earp, Group Vice-President, Microcontrollers Division General Manager, STMicroelectronics. “Leveraging our installed base of more than five billion STM32 MCUs shipped to date to the global embedded market, we see Azure RTOS ThreadX and middleware as a perfect match to both our mass-market and OEM IoT strategies, complementing our development environment with industry-proven, reliable, high-quality source code.” 

Renesas Electronics Corporation

Renesas Electronics Corporation is a premier supplier of advanced semiconductor solutions. Last October, we announced that Azure RTOS will be broadly available across Renesas' products, including the Synergy and RA MCU families. Renesas is also working to build Azure RTOS into their broader set of MCUs and MPUs.

“Our Synergy and RX cloud kits combined with Azure RTOS and other Azure IoT building blocks offer MCU customers a quick and secure end-to-end solution for cloud connectivity,” said Sailesh Chittipeddi, Executive Vice President, General Manager of Renesas’ IoT and Infrastructure business unit. “We are excited to expand our collaboration with Microsoft and look forward to bringing Microsoft Azure to our MCU and MPU customers, including solutions that will support Azure IoT Edge Runtime for Linux on our RZ MPUs.”

NXP Semiconductors 

NXP Semiconductors is a world leader in secure connectivity solutions for embedded applications, serving customers in the automotive, industrial and IoT, mobile, and communication infrastructure sectors. Microsoft has been collaborating with NXP to extend intelligent cloud computing to the intelligent edge, from adding voice control directly to devices to offering machine learning solutions for edge devices, to device security with Azure Sphere. They plan to integrate Azure RTOS into their evaluation kits and some of the most popular IoT processor families in the industry.

“Edge computing reduces the latency, bandwidth and privacy concerns of a cloud-only Internet of Things," said Jerome Schang, Head of Cloud Partnership programs at NXP. “Enabling Azure RTOS on NXP’s MCUs is yet another step to provide edge computing solutions that unlock the benefits of edge to Azure IoT cloud interaction.”

Microchip Technology, Inc.

Microchip Technology Inc. is a leading provider of smart, connected, and secure embedded control solutions. Their solutions serve customers across the industrial, automotive, consumer, aerospace and defense, communications, and computing markets. Microchip plans to incorporate support for Azure RTOS and Azure IoT Edge across their product families.

“Microchip is building on its already comprehensive portfolio of tools and solutions to enable quick, easy development of secure IoT applications across the full spectrum of embedded control devices and architectures,” said Greg Robinson, associate vice president of Microchip’s 8-bit microcontroller business unit. “Our partnership with Microsoft Azure extends our dedication to developing innovative solutions.”

Qualcomm Technologies, Inc.

Qualcomm is a pioneer of wireless technology and powers the cellular connection of smartphones and tablets all over the planet. Qualcomm will be offering a cellular-enabled Azure Sphere certified chip and will be bringing Azure RTOS to cellular-connected device solutions found inside asset trackers, health monitors, security systems, smart city sensors, and smart meters, as well as a range of wearables.

”Qualcomm is a leader in wireless compute and connectivity technologies – not just in mobile, but in emerging markets like the Internet of Things as well,” said Jeff Torrance, Vice President, IoT, Qualcomm. “We’re proud to continue to work closely with Microsoft on solutions like Azure RTOS and Azure Sphere to jointly advance the IoT industry around the world.”

Learn more

We continue to work diligently with industry-leaders to create a rich, robust ecosystem that serves the world’s unique and diverse needs. Our collective aim is to enable customers to easily bring their ideas to life and truly unlock the opportunities available on the intelligent edge and the intelligent cloud. Find out more about why so many IoT industry leaders are excited about the benefits that Azure RTOS brings to their device solutions.
Quelle: Azure

Announcing server-side encryption with customer-managed keys for Azure Managed Disks

Today, we're announcing the general availability for server-side encryption (SSE) with customer-managed keys (CMK) for Azure Managed Disks. Azure customers already benefit from SSE with platform-managed keys for Managed Disks enabled by default. SSE with CMK improves on platform-managed keys by giving you control of the encryption keys to meet your compliance need.

Today, customers can also use Azure Disk Encryption, which leverages the Windows BitLocker feature and the Linux dm-crypt feature to encrypt Managed Disks with CMK within the guest virtual machine (VM). SSE with CMK improves on Azure Disk encryption by enabling you to use any OS types and images, including custom images, for your VMs by encrypting data in the Azure Storage service.

SSE with CMK is integrated with Azure Key Vault, which provides highly available and scalable secure storage for your keys backed by Hardware Security Modules. You can either bring your own keys (BYOK) to your Key Vault or generate new keys in the Key Vault.

About the key management

Managed Disks are encrypted and decrypted transparently using 256-bit Advanced Encryption Standard (AES) encryption, one of the strongest block ciphers available. The Storage service handles the encryption and decryption in a fully transparent fashion using envelope encryption. It encrypts data using 256-bit AES-based data encryption keys, which are, in turn, protected using your keys stored in a Key Vault.

The Storage service generates data encryption keys and encrypts them with CMK using RSA encryption. The envelope encryption allows you to rotate (change) your keys periodically as per your compliance policies without impacting your VMs. When you rotate your keys, the Storage service re-encrypts the data encryption keys with the new CMK.

Full control of your keys

You are in full control of your keys in your Key Vault. Managed Disks uses system-assigned managed identity in your Azure Active Directory (Azure AD) for accessing keys in Key Vault. An administrator with required permissions in the Key Vault must first grant access to Managed Disks in Key Vault to use the keys for encrypting and decrypting the data encryption key. You can prevent Managed Disks from accessing your keys by either disabling your keys or by revoking access controls for your keys—doing so for disks attached to running VMs will cause the VMs to fail. Moreover, you can track the key usage through Key Vault monitoring to ensure that only Managed Disks or other trusted Azure services are accessing your keys.

Availability of SSE with CMK

SSE with CMK is available for Standard HDD, Standard SSD, and Premium SSD Managed Disks that can be attached to Azure Virtual Machines and VM scale sets. Ultra Disk Storage support will be announced separately. SSE with CMK is now enabled in all the public and Azure Government regions and will be available in the regions in Germany (Sovereign) and China in a few weeks.

You can use Azure Backup to back up your VMs using Managed Disks encrypted with SSE with CMK. Also, you can choose to encrypt the backup data in your Recovery Services vaults using your keys stored in your Key Vault instead of platform-managed keys available by default. Refer to documentation for more details on the encryption of backups using CMK.

You can use Azure Site Recovery to replicate your Azure virtual machines that have Managed Disks encrypted with SSE with CMK to other Azure regions for disaster recovery. You can also replicate your on-premises virtual machines to Managed Disks encrypted with SSE with CMK in Azure. Learn more about replicating your virtual machines using Managed Disks encrypted with SSE with CMK.

Get started

To enable the encryption with CMK for Managed Disks, you must first create an instance of a new resource type called DiskEncryptionSet and then grant the instance access to the key Vault. DiskEncryptionSet represents a key in your Key Vault and allows you to reuse the same key for encrypting many disks, snapshots, and images with the same key.

Let’s look at an example of creating an instance of DiskEncryptionSet:

1. Create an instance of DiskEncryptionSet by specifying a key in your Key Vault.

keyVaultId=$(az keyvault show –name yourKeyVaultName –query [id] -o tsv)

keyVaultKeyUrl=$(az keyvault key show –vault-name yourKeyVaultName –name yourKeyName –query [key.kid] -o tsv)

az disk-encryption-set create -n yourDiskEncryptionSetName -l WestCentralUS -g yourResourceGroupName –source-vault $keyVaultId –key-url $keyVaultKeyUrl

2. Grant the instance access to the Key Vault. When you created the instance, the system automatically created a system-assigned managed identity in your Azure AD and associated the identity with the instance. The identity must have access to the Key Vault to perform required operations such as wrapkey, unwrapkey and get.

desIdentity=$(az disk-encryption-set show -n yourDiskEncryptionSetName -g yourResourceGroupName –query [identity.principalId] -o tsv)

az keyvault set-policy -n yourKeyVaultName -g yourResourceGroupName –object-id $desIdentity –key-permissions wrapkey unwrapkey get

az role assignment create –assignee $desIdentity –role Reader –scope $keyVaultId

You are ready to enable the encryption for disks, snapshots, and images by associating them with the instance of DiskEncryptionSet. There is no restriction on the number of resources that can be associated with the same DiskEncryptionSet.

Let’s look at an example of enabling for an existing disk:

1. To enable the encryption for disks attached to a VM, you must stop(deallocate) a virtual machine.

az vm stop –resource-group MyResourceGroup –name MyVm

2. Enable the encryption for an attached disk by associating it with the instance of DiskEncryptionSet.

diskEncryptionSetId=$(az disk-encryption-set show -n yourDiskEncryptionSetName -g yourResourceGroupName –query [id] -o tsv)

az disk update -n yourDiskEncryptionSetName -g yourResourceGroupName –encryption-type EncryptionAtRestWithCustomerKey –disk-encryption-set $diskEncryptionSetId

3. Start the VM.

az vm start -g MyResourceGroup -n MyVm

Refer to the Managed Disks documentation for detailed instructions on enabling server side encryption with CMK for Managed Disks.

Send us your feedback

We look forward to hearing your feedback for SSE with CMK. Please email us here. 
Quelle: Azure

General availability of new Azure disk sizes and bursting

Today marks the general availability of new Azure disk sizes, including 4, 8, and 16 GiB on both Premium and Standard SSDs, as well as bursting support on Azure Premium SSD Disks.

To provide the best performance and cost balance for your production workloads, we are making significant improvements to our portfolio of Azure Premium SSD disks. With bursting, even the smallest Premium SSD disks (4 GiB) can now achieve up to 3,500 input/output operations per second (IOPS) and 170 MiB/second. If you have experienced jitters in disk IOs due to unpredictable load and spiky traffic patterns, migrate to Azure and improve your overall performance by taking advantage of bursting support.

We offer disk bursting on a credit-based system. You accumulate credits when traffic is below the provisioned target and you consume credit when traffic exceeds it. It can be best leveraged for OS disks to accelerate virtual machine (VM) boot or data disks to accommodate spiky traffic. For example, if you conduct a SQL checkpoint or your application issues IO flushes to persist the data, there will be a sudden increase of writes against the attached disk. Disk bursting will give you the headroom to accommodate the expected and unexpected change in load.

Disk bursting will be enabled by default for all new deployments of burst eligible disks with no user action required. For any existing Premium SSD Managed Disks (less than or equal to 512GiB/P20), whenever your disk is reattached or VM is restarted, disk bursting will start to take effect and your workloads can then experience a boost on disk performance. To read more about how disk bursting works, refer to this Premium SSD bursting article.

Further, the new disk sizes introduced on Standard SSD disk provide you the most cost-efficient SSD offering in the cloud, providing consistent disk performance at the lowest cost per GiB. We've also increased the performance target for all Standard SSD disks less than 64GiB (E6) to 500 IOPS. It is an ideal replacement of HDD based disk storage from either on-premises or cloud. It is best suited for hosting web servers, business applications that are not IO intensive but require stable and predictable performance for your business operations.

In this post, we’ll be sharing how you can start leveraging these new disk capabilities to build your most high performance, robust, and cost-efficient solution on Azure today.

Getting started

You can create new managed disks using the Azure portal, Powershell, or command-line interface (CLI) now. You can find the specifications of burst eligible and new disk sizes in the table below. Both new disk sizes and bursting support on Premium SSD Disks are available in all regions in Azure Public Cloud, with support for sovereign clouds coming soon.

Azure Premium SSD Managed Disks

Here are the burst eligible disks including the newly introduced sizes. Disk bursting doesn’t apply to disk sizes greater than 512 GiB (above P20) as the provisioned target of these sizes are sufficient for most workloads.  To learn more details on the disk sizes and performance targets, please refer to this "What disk types are available in Azure?" article.

30 mins

Burst capable disks
Disk size
Provisioned IOPS per disk
Provisioned bandwidth per disk
Max burst IOPS per disk
Max burst bandwidth per disk
Max burst duration at peak burst rate

P1—New
4 GiB
120
25 MiB/second
3,500
170 MiB/second
30 minutes

P2—New
8 GiB
120
25 MiB/second
3,500
170 MiB/second
30 minutes

P3—New
16 GiB
120
25 MiB/second
3,500
170 MiB/second

30 minutes

P4
32 GiB
120
25 MiB/second
3,500

170 MiB/second

30 minutes

P6
64 GiB
240
50 MiB/second
3,500

170 MiB/second

30 minutes

P10
128 GiB
500
100 MiB/second
3,500

170 MiB/second

30 minutes

P15
256 GiB
1,100
125 MiB/second
3,500
170/MiB/second
30 minutes

P20
512 GiB
2,300
150 MiB/second
3,500

170 MiB/second

30 minutes

Standard SSD Managed Disks

Here are the new disk sizes introduced on Standard SSD Disks. The performance targets define the max IOPS and bandwidth you can achieve on these sizes. Unlike Premium Disks, Standard SSD does not offer provisioned IOPS and bandwidth. For your performance-sensitive workloads or single instance deployment, we recommend leveraging Premium SSDs.    

 
Disk size
Max IOPS per disk
Max bandwidth per disk

E1—New
4 GiB
500
25 MiB/second

E2—New
8 GiB
500
25 MiB/second

E3—New
16 GiB
500
25 MiB/second

Visit our service website to explore the Azure Disk Storage portfolio. To learn about pricing, you can visit the Azure Managed Disks pricing page. 

Your feedback

We look forward to hearing your feedback; please reach out to us here with your comments.
Quelle: Azure

Microsoft partners with the industry to unlock new 5G scenarios with Azure Edge Zones

Cloud, edge computing, and IoT are making strides to transform whole industries and create opportunities that weren't possible just a few years ago. With the rise of 5G mobile connectivity, there are even more possibilities to deliver immersive, real-time experiences that have demanding, ultra-low latency, and connectivity requirements. 5G opens new frontiers with enhanced mobile broadband up to 10x faster, reliable low-latency communication, and very high device density up to 1 million devices per square kilometer.

Today we’re announcing transformative advances to combine the power of Azure, 5G, carriers, and technology partners around the world to enable new scenarios for developers, customers, and partners, with the preview of Azure Edge Zones.

New 5G customer scenarios with Azure Edge Zones

Azure Edge Zones and Azure Private Edge Zones deliver consistent Azure services, app platform, and management to the edge with 5G unlocking new scenarios by enabling:

Development of distributed applications across cloud, on-premises, and edge using the same Azure Portal, APIs, development, and security tools.
Local data processing for latency critical industrial IoT and media services workloads.
Acceleration of IoT, artificial intelligence (AI), and real-time analytics by optimizing, building, and innovating for robotics, automation, and mixed reality.
New frontiers for developers working with high-density graphics and real-time operations in industries such as gaming.
An evolving platform built with customers, carriers, and industry partners to allow seamless integration and operation of a wide selection of Virtual Network Functions, including 5G software and SD-WAN and firewalls from technology partners such as Affirmed, Mavenir, Nuage Networks from Nokia, Metaswitch, Palo Alto, and VeloCloud By VMware.

Building on our previous work with AT&T, we’re announcing the preview of Azure Edge Zones with carriers, connecting Azure services directly to 5G networks in the carrier’s datacenter. This will enable developers to build optimized and scalable applications using Azure and directly connected to 5G networks, taking advantage of consistent Azure APIs and tooling available in the public cloud. We were the first public cloud to announce 5G integration with AT&T in Dallas in 2019, and now we're announcing a close collaboration with AT&T on a new Edge Zone targeted to become available in Los Angeles in late spring. Customers and partners interested in Edge Zones with AT&T can register for our early adopter program.

“This is a uniquely challenging time across the globe as we rethink how to help organizations serve their customers and stakeholders,” said Anne Chow, chief executive officer, AT&T Business. “Fast and intelligent mobile networks will be increasingly central to all of our lives. Combining our network knowledge and experience with Microsoft’s cloud expertise will give businesses a critical head start.”

These new zones will boost application performance, providing an optimal user experience when running ultra-low latency, sensitive mobile applications, and SIM-enabled architectures including:

Online gaming: Every press of the button, every click is important for a gamer. Responsiveness is critical, especially in multi-player scenarios. Game developers can now develop cloud-based applications optimized for mobile, directly accessing the 5G network at different carrier sites. They can achieve millisecond latency and scale to as many users as they want.
Remote meetings and events: As the prevalence of digital-forward experiences continue to rise in response to global health challenges, we can help bring together thousands of people to enjoy a real-time shared experience. Enabling scenarios like social engagement, mobile digital experiences, live interaction, and payment and processing require ultra-low latency to provide an immersive, responsive experience.
Smart Infrastructure: With the rise of IoT, organizations are looking to create efficiency, savings, and immersive experiences across residential and commercial buildings, or even citywide. With 5G and cloud computing, organizations can reliably connect millions of endpoints, analyze data, and deliver immersive experiences.

With Azure Edge Zones we’re expanding our collaboration with several of our carrier partners to bring the Azure Edge Zones family to our mutual customers later this year.

In addition to partnering with carriers, we'll also deliver standalone Azure Edge Zones in select cities over the next 12 months, bringing Azure closer to customers and developers in highly dense areas.

Azure Private Edge Zones

We’re also announcing the preview of Azure Private Edge Zones, a private 5G/LTE network combined with Azure Stack Edge on-premises delivering an ultra-low latency, secure, and high bandwidth solution for organizations to enable scenarios, like with Attabotics, accelerating e-commerce delivery times by using 3D robotic goods-to-person storage, retrieval, and real-time order fulfillment solutions. This solution leverages Azure Edge Zones and IoT technologies such as Azure IoT Central and Azure Sphere.

 

“In collaboration with Microsoft, Rogers is delivering new and innovative solutions with our Private LTE capabilities combined with Azure Edge Zones,” said Dean Prevost, President, Rogers for Business. “Working with Attabotics, we’re enabling Canadian businesses to transform the traditional supply model with a retail e-fulfillment solution that showcases the exciting possibilities of today and opens the door to our 5G future.”

Partnering with the broad industry of carriers, systems integrators, and technology partners, we're launching a platform to support orchestration and management of customers' private cellular networks to enable scenarios such as:

Smart Factory/IoT: Off-shore operations or security isolated facilities can now take advantage of the power of edge computing. Connecting everything, from silicon to sensors, leveraging security to AI at the edge, deploying Digital Twins or using mixed reality, with a secure and private connection.
Logistics and operations: Retail customers have high expectations today in online and retail shopping, creating a need for appealing advertising before a potential customer looks away from a product on-line or in an aisle at the store. Wide selection, tailored offers, convenience, and availability are musts for success. The combination of cloud and distributed edge computing, efficiently working together is a game changer for the industry.
Medicine: From remote surgeries to complicated diagnostics that rely on cross-institutional collaboration, efficient compute and storage at the edge, with AI and minimal latency, enables these and multiple other scenarios that will save lives. Private mobile connections will work as smart grids for hospitals, patient data, and diagnostics that will never have to be exposed to the internet to take advantage of Azure technologies.

A consistent Edge Zone solution

Together, Azure, Azure Edge Zones, and Azure Private Edge Zones unlock a whole new range of distributed applications with a common and consistent architecture companies can use. For example, enterprises running a headquarters’ infrastructure on Azure, may leverage Azure Edge Zones for latency sensitive interactive customer experiences, and Azure Private Edge Zones for their remote locations. Enterprise solution providers can take advantage of the consistent developer, management, and security experience, allowing developers to continue using Github, Azure DevOps, and Kubernetes Services to create applications in Azure and simply move the application to either Azure Edge Zones or Private Edge Zones depending on the customer's requirements.

“By combining Vodafone 5G and mobile private networks with Azure Private Edge Zones, our customers will be able to run cloud applications on mobile devices with single-digit millisecond responsiveness. This is essential for autonomous vehicles and virtual reality services, for example, as these applications need to react in real-time to deliver business impact. It will allow organizations to innovate and transform their operations, such as the way their employees work with virtual reality services, high speed and precise robotics, and accurate computer vision for defect detection. Together, we expect Vodafone and Microsoft to provide our customers with the capabilities they need to create high performing, innovative and safe work environments.” – Vinod Kumar, CEO of Vodafone Business

New possibilities for the telecommunication industry with Azure

For the last few decades, carriers and operators have pioneered how we connect with each other, laying the foundation for telephony and cellular. With cloud and 5G, there are new possibilities by combining cloud services, including compute and AI, with mobile high bandwidth and ultra-low latency connections. Microsoft is partnering with carriers and operators to bring 5G to life in immersive applications built by organizations and developers.

Carriers, operators, and networking providers can build 5G-optimized services and applications for their partners and customers with Azure Edge Zones, taking advantage of Azure compute, storage, networking, and AI capabilities. For organizations that want an on-premises, private mobile solution, partners and carriers can deploy, manage, and build offers with Azure Private Edge Zones. Customers need help understanding the complexities of the cellular spectrum, access points, and overall management. Carrier partners can help such enterprises manage these scenarios including manufacturing, robotics, and retail.

In addition to new business application opportunities, we're looking to transform 5G infrastructure with cloud technology. Today, most 5G infrastructure is built on specialized hardware with high capital expenditures and little flexibility. Microsoft will be working to help operators reduce costs and build capacity for their network workloads in new and innovative ways. Last week, we announced the signing of a definitive agreement to acquire Affirmed Networks, a leader in fully virtualized cloud-native mobile network solutions. We look forward to building on their great work and technology expertise to do even more to create new opportunities for customers, technology partners, and operators in virtual mobile networks

As we continue to innovate and discover new, interesting ways to provide unique scenarios built with 5G and our Edge Zone platforms we will be sure to keep you updated. Please visit our page to learn more and keep track of the latest news here.
Quelle: Azure