Waterstream 1.6.0: Enterprise Security and Native Azure Support

We are pleased to announce the release of Waterstream 1.6.0, focused on three strategic areas: native integration with the Microsoft Azure identity ecosystem, hardening of the SSL security posture, and a more versatile and verifiable container infrastructure. Here is what changes in detail.

Zero-Trust Authentication with Azure Event Hubs

A major change in the new version concerns the authentication plane. Waterstream 1.6.0 introduces native support for the OAUTHBEARER mechanism, enabling authentication to Azure Event Hubs via Azure Active Directory (Entra ID). No static passwords, no connection strings to rotate manually: Entra ID OAuth2 tokens are time-limited and tied to the service identity.

For companies operating on Azure, this translates into a tangible reduction in operational risk: eliminating static credentials means eliminating one of the main causes of data breaches in enterprise IoT systems.

The Waterstream broker running on VMs or Azure Kubernetes can authenticate to Event Hubs using Managed Identity, with no credentials configured at the application level. In practice, the entire chain — MQTT device → broker → Event Hubs — operates with Azure AD tokens, eliminating the attack surface associated with static credentials.

The flow is as follows: the IoT device connects to Waterstream via MQTT, the broker obtains an OAuth2 token from Entra ID via Managed Identity, and uses it to authenticate to Event Hubs before forwarding each message. Every connection is validated through Entra ID, ensuring a comprehensive audit trail integrated with Azure AD conditional access policies.
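The broker-side half of that flow (obtain a token for the host's managed identity, keep it fresh, present it to Event Hubs as SASL OAUTHBEARER), as an added illustration that is not Waterstream's own code. It relies on the Azure Instance Metadata Service token endpoint and the Event Hubs token audience; the TokenSource helper, the 5-minute refresh margin and the constructed unsigned token used for offline runs are assumptions made here, not something the release describes.

```python
import base64
import json
import time
import urllib.request

# Azure Instance Metadata Service (IMDS); reachable only from inside an Azure VM or AKS node.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
EVENT_HUBS_RESOURCE = "https://eventhubs.azure.net"  # token audience for Event Hubs


def fetch_managed_identity_token(resource=EVENT_HUBS_RESOURCE):
    """Obtain an access token for the host's managed identity. Nothing secret is stored on disk."""
    url = f"{IMDS_TOKEN_URL}?api-version=2018-02-01&resource={resource}"
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_expiry(token):
    """Read the JWT 'exp' claim (Unix seconds). The sender does not verify the signature;
    Event Hubs does that. The broker only needs 'exp' to schedule a refresh."""
    return int(json.loads(_b64url_decode(token.split(".")[1]))["exp"])


class TokenSource:
    """Caches a token and replaces it before it expires (assumed margin: 5 minutes)."""

    def __init__(self, fetch, margin_s=300):
        self._fetch, self._margin, self._token = fetch, margin_s, None

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or token_expiry(self._token) - now <= self._margin:
            self._token = self._fetch()
        return self._token


def oauthbearer_client_first(token):
    """SASL OAUTHBEARER initial client response (RFC 7628): GS2 header, then the
    \\x01-delimited 'auth' field. This is the payload of the SaslAuthenticate request."""
    return b"n,,\x01auth=Bearer " + token.encode() + b"\x01\x01"


def make_fake_jwt(exp, aud=EVENT_HUBS_RESOURCE):
    """Constructed, unsigned token for offline demonstration only (IMDS is unreachable elsewhere)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud, 'exp': exp})}.sig"
```

Inside Azure, `TokenSource(fetch_managed_identity_token).get()` yields a live token; the broker wraps it with `oauthbearer_client_first` on every new Event Hubs connection.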

It is worth noting that OAUTHBEARER support for MQTT clients themselves, meaning the ability for a device to connect directly to Waterstream by presenting an Entra ID token, is currently in development and will arrive with version 1.7.0, along with MFA integration and enterprise compliance.

Docker Multi-Arch and Supply Chain Security

Waterstream 1.6.0 publishes a unified Docker manifest-list that includes both x86_64 and ARM64 architectures.

For teams deploying on AWS Graviton, Raspberry Pi, or heterogeneous edge devices, this means a single docker pull instruction, without having to specify separate tags or registries per architecture. The runtime automatically selects the correct image.

On the supply chain security front, images are now signed by digest: before any production deployment, it is possible to cryptographically verify that the image has not been altered compared to the published one. This meets SLSA requirements and enterprise container security policies, an increasingly common requirement in regulated environments.

The release also includes critical security patches for networking and cryptography libraries, keeping the entire container surface aligned with the latest hardening standards.

Multi-arch support reduces operational complexity and lowers the management cost of the image lifecycle. Furthermore, signed images are now an explicit requirement in many enterprise vendor assessment processes and security audits.

Upgrading from previous versions does not require any changes: the manifest-list is transparent upon pull for existing users, with zero downtime.

SSL Hardening and Security Updates

Waterstream 1.6.0 adds a new configuration option for hostname verification in client SSL connections. In deployments with custom or self-signed certificates, this feature prevents man-in-the-middle attacks that could go unnoticed without explicit hostname validation.

In addition, the internal code has undergone a cleanup cycle, removing dead code and replacing deprecated APIs, thereby improving long-term stability and maintainability.

In regulated environments, the ability to demonstrate that every broker component is up to date is an integral part of compliance requirements. Waterstream 1.6.0 addresses this point systematically, reducing verification effort during audit phases.

Security, Versatility, and New Opportunities

The direction is clear: Waterstream 1.6.0 lays the foundation for an even deeper integration with the Azure ecosystem.

The next release will complete OAUTHBEARER support on the MQTT client side, allowing any compatible device to connect directly to the broker by presenting an Entra ID token, without intermediate proxies and adapters.

Native integration with conditional access policies, MFA, and Azure AD audit logs will also be added, opening doors to regulated environments in the finance and healthcare sectors.

Explore all features in the official documentation and contact us for a more detailed evaluation of your specific use case.
