For a growing number of companies, the 'edge' of the enterprise network is an increasing focal point of IT investments. This is where they are aiming to bolster data storage, processing, and analytics capabilities to generate business insights from data gathered from connected devices and systems.
Optical and photonic products manufacturer Lumentum has employed an edge strategy with local compute and storage arrays to deal with the large volume of data generated during the manufacturing and testing process.
“Edge computing allows us to process and store data coming off the line in real time,” says Ralph Loura, senior vice president and CTO of Lumentum. “We also employ an aggregation strategy to stream that data into public cloud platforms for data aggregation, processing, long-term storage, and secure partner access.”
The primary security risk is the sensor and tester network and how data gets from those sources to the edge platform, Loura says. “Edge platforms sit in remote locations, and local teams don’t always follow global standards,” he says. “It takes discipline, and good tools, to ensure that standards are adhered to consistently."
Understanding the risks
Edge’s promise is a performance increase for connecting many things on the outside to data centre or cloud services that are on the inside, creating "a big security challenge and a lucrative target for attackers,” says John Pescatore, director of emerging security trends at the SANS Institute, a provider of technology training programs.
Indeed, the edge can be difficult terrain from a data security standpoint for a variety of reasons.
“The obvious risks an organisation should consider before embarking on an edge project have to do with the sheer number of devices and supporting infrastructure that populates the edge, and the massive amount of data being generated at the edge,” says Matt Kimball, senior analyst, data centre, at advisory firm Moor Insights & Strategy.
“Hundreds to thousands of network-connected, data generating devices connected to infrastructure ‘in the wild’ makes the edge a rich target for bad actors,” Kimball says. “And the more important that data becomes to an organisation, the more it becomes a target for hackers or groups to exploit for gain.”
The diversity of internet of things (IoT) devices and systems sitting at the edge also creates security challenges, “especially in the industrial verticals, where decades old machinery and supporting systems that comprise OT [operational technology] are being merged with IT systems,” Kimball says. “The criticality of many OT environments—power plants, water treatment, refineries—make them targets.”
Another primary concern in edge computing lies in the scale of deployment locations.
“Instead of securing a majority of resources in a handful of core locations, the distributed nature of edge computing means that infrastructure, data, and applications could be spread across hundreds or thousands of locations,” says Dave McCarthy, a research director with IDC's worldwide infrastructure practice focusing on edge strategies.
“To amplify this concern, these edge locations often lack local IT staff and do not share the same physical security as their data centre counterparts,” McCarthy says. “Edge locations range from remote offices to places like factories, warehouses, retail stores, and schools.”
Adding to the security challenge is the breadth and complexity of what the edge entails.
Research firm IDC is tracking edge solutions in several categories: enterprise IT (such as remote office and branch office systems); industrial operational technology (such as systems used in manufacturing); cloud edge offerings (such as Snowcone from Amazon Web Services); and “IT to the carrier edge” offerings from telecommunications providers that might include 5G and multi-access edge computing (MEC).
Any of the solutions in any of those categories represents a potential entry point for an attacker, and many of the products and services for edge computing are relatively new, which means they’re somewhat untested.
“The immaturity of the technology and the wide range of vendors providing various forms of edge computing hardware [and] software services is by far the biggest issue,” says John Pescatore, director of emerging security trends at the SANS Institute, a provider of technology training programs.
“For established vendors like Cisco, Google, AWS, Dell, etc., the software is still immature, and we are seeing [a] continuing stream of critical vulnerabilities exposed even in mature products at the edge,” Pescatore says. “Then there are dozens of startup vendors in the market that have no track record in secure products at all.”
The lack of maturity with edge offerings means they are “chock full of vulnerabilities, either via built-in faults or mistakes by [systems administrators] not familiar with the new technology.”
For edge computing to be less of a risk, vendors need to demonstrate extensive security testing of the products and services, Pescatores says. Another step in the right direction: standardisation of what an edge server and service really is as well as standards for secure architectures and system configurations from third parties such as the Centre for Internet Security. “None of that has happened yet.”
5 best practices for better protection
When considering a move from a traditional, single-site data centre architecture to edge computing technology, “it is critical to understand that you are expanding and dispersing your company’s exposure to cyber attack,” says Steve Maki, executive vice president of IT at AEI Consultants, a property and environmental consulting firm. The following best practices will help mitigate the risks.
1 - Integrate edge into your security strategy
Businesses should think of edge security in the same way they think of the rest of their cyber security strategy, McCarthy says. “It should not feel like a bolted-on appendage but rather an integrated part of overall security processes, procedures, and technology,” he says.
“From a security standpoint, each edge node will require the same level of security, redundancy, and service visibility that you engineered into your central data centre,” Maki says. “User and device management across a geographically disperse topology of edge nodes will also present a significant challenge if not designed and deployed correctly.”
AEI has deployed multiple layers of security to protect its edge business assets, Maki says. This includes multi-factor authentication, malware protection, endpoint protection, end-user training, and others.
2 - Think zero trust
Edge locations naturally lend themselves to a zero trust security model, McCarthy says. “In addition to hardening edge resources from attacks, it is important to enforce encryption of data both in transit and at rest,” he says. “Edge requires a greater emphasis in certificate-based identity management for both users and the endpoints themselves.”
3 - Know what normal looks like
It’s possible to analyse the flow of communication to establish a baseline of “normal” and then evaluate future data flows for abnormal behaviour, McCarthy says. “This is an area where machine learning and AI [artificial intelligence] techniques come together to proactively improve the overall security profile.”
4 - Consider security in the buying process
Another good practice is to require edge product vendors to demonstrate security capabilities when responding to requests for proposals, Pescatore says.
“Microsoft didn’t pay attention to security in Windows until enterprises started telling them, ‘we are going to use Netscape and Linux because these internet worms are killing us,’” Pescatore says. “Twenty years later, Zoom’s CEO had to apologise and also say ‘security is job 1’ when all the lack of security in Zoom got exposed. Products only get more secure when the market demands it.”
5 - Prioritise patching
Because the technology is still immature, Pescatore says, those companies that actually adopt it should develop their own secure configuration standards and prioritise monitoring and patching of the devices or services, until there are more industry standards.
For Lumentum, a key to robust security for edge environments is constant updates of security software. “We are aggressive about patch management,” Loura says. The company uses centralised configuration management and monitoring tools to ensure that systems in the field are configured and managed per the company’s central design.
Essential elements of an edge security strategy
An edge security strategy should include what Matt Kimball, senior analyst, data centre, at advisory firm Moor Insights & Strategy, calls the “five Ps”: people, policy/procedures, process, product (technology), and proof.
From a people perspective there’s a need for individual training and re-enforcement of training, as well as a cultural mindset. “I believe organisations become too reliant on technology to mitigate cyber security risks, forgetting people are the most susceptible assets,” Kimball says.
Policies and procedures are the governance that enables and reminds people to maintain vigilance.
Process includes the things people must do to fully mitigate risks.
Products might be the most challenging of the five Ps. “It’s hard for IT organisations to make sense of what an end-to-end cyber security solution looks like,” Kimball says. “From hardware to software, from device to server, from network access to infrastructure protection, and from OT to IT, there are literally thousands of [offerings] to choose from.”
Proof involves the regular testing of products, processes, policies and procedures, and people to ensure cyber risk is truly mitigated, or to find vulnerabilities and shore up those weaknesses. “Without this regular cadence of testing and remediation, cyber security strategies can and will quickly become outdated and ineffective,” Kimball says.
The use of edge computing is likely to rise, as organisations look to exploit IoT and other edge-related opportunities. They will continue to face daunting security challenges.
“The edge is becoming more of a security risk for the simple reason that more enterprises are implementing applications at the edge,” says Bob Gill, research vice president at Gartner. “With greater numbers, the odds of a ‘failure’ of course rise.”
Another factor in the rising risk of edge computing is that applications are becoming far more ambitious and well connected to other assets in the enterprise, including back-end systems in the cloud and on-premises, Gill says. “Not only are the attack surfaces growing in size, but the blast radius in the event of a security failure is growing as well,” he says.
But experts see reasons for hope. “As the concepts surrounding edge continue to mature, technology suppliers, service providers, and enterprises have developed strategies to mitigate most common concerns,” McCarthy says.
They will need to continue those efforts if the edge is to become a more secure place to do business.