SECURITY SOLUTIONS TODAY02 Dec 2019
Don’t Let Edge Computing Security Concerns Derail Your Plans
Views: 229

The edge is a place where IT pros get nervous. Employees using mobile devices to perform work outside of the office are just the start of that anxiety. With IoT expected to change how organizations measure the efficiency of all sorts of machinery and with autonomous vehicles predicted to revolutionize driving, IT teams will certainly have their hands full keeping track of devices and sensors processing information on the edge.

While edge computing security worries shouldn't be dismissed, they also shouldn't prevent organizations from taking advantage of edge computing, according to several industry insiders. With proper deliberation, they say, the edge can be secured.

For example, when Neil MacDonald, vice president and distinguished analyst at Gartner, advises clients about edge security, he tells them, "There is risk in anything, whether it's your own data center or a public cloud, like AWS or Azure. There is always risk." Once an organization acknowledges that certainty about edge computing, it should "put out on the table what all those possible risks are and what are all of the possible mitigating controls."

It seems like simple advice, but sometimes, MacDonald said, organizations don't recognize the full value of their IT assets, including data. In turn, they don't always undertake necessary cybersecurity measures. But, if data is out on the edge -- vulnerable to attack -- organizations need to make a full assessment of its value and determine what it will take to protect it.

"What is the nature of the data being collected? What would be the business outcome if that data is stolen or tampered with? You need to focus on those bad outcomes and what the risks are," MacDonald said.

Edge computing isn't going away

Securing centralized computing seems a lot easier than securing the edge. There is familiarity and comfort in centralized computing. Users follow uniform system protocols, and it's easier for IT to monitor security, lessening the chance of data breaches and other incidents.

But, while central processing will continue to have a role in the enterprise, tantalizing business opportunities are increasingly out on the edge. The workplace efficiency of mobile devices, the possible safety gains from autonomous and computer-assisted driving, and the promise of enhanced efficiency through IoT have organizations jumping for joy as they envision all of those and even more technological possibilities.

By many indications, edge computing is poised to explode. Today, only about 20% of enterprise data is being produced and processed outside of centralized data centers, but by 2025, that is expected to increase to 75% and could reach 90%, according to Gartner.

Still, there's no escaping that edge computing is, after all, at a distance from centralized control and thus a great source of worry for the C-suite. Envision a transportation company with thousands of telemetric devices out in the field collecting troves of data on vehicle performance and driver safety. Or picture an energy company with thousands of IoT sensors on hundreds of windmills spread out on a desolate landscape. The possibility of physical and virtual tampering of such a large array of devices makes edge computing security an unshakable concern.

Alan Mindlin, technical manager for electronics manufacturing services provider Morey, advises worried organizations to first review the security strength of all edge-related devices that handle data at rest and in motion.

"There's already a fair amount of encryption in the storage of a device. So, a bad actor can't crack it open and read the memory, and there is encryption on data that is sent. Starting there helps determine your position," Mindlin said.

Essentially, follow the data trail on the edge by checking the effectiveness of data encryption on the application layer and storage layers, Gartner's MacDonald said. But that's just the beginning. Organizations also have to safeguard network connectivity, which, he said, is in many respects the same as securing a modern software-defined WAN.

"Whatever local devices there are at that location, ideally, there should be attestation … and some assurance of proof of identity" through network access control, MacDonald said.

Trust no one, not even the CSO

While most organizations would concur that identity management makes or breaks security, Brian Hopkins, VP and principal analyst at Forrester, said his firm views it as an entirely broken practice.

"The fundamental way we secure our systems is totally wrong," he said. "The way we think of it is there are a set of services we need and don't want anyone to hack into or shut down, and the way we secure it is draw a circle around it, put in layers of firewall so only the people who use it have access."

The problem is that, once cybercriminals assume an approved identity, they have the freedom to roam a system with impunity. Hopkins said that's why Forrester recommends implementing a severe-sounding but beneficial security philosophy for edge computing: zero-trust security. Trust no one, not even the CSO, unless her technology passes a daunting sniff test.

"Zero trust says that identity management is wrong because cybercriminals can bust down just about any firewall put up. Once they are verified, they're in the circle and can do harm," Hopkins said. "When you don't trust anyone, however, you look at everything, inspect every packet -- and very quickly -- and understand what is on that packet."

Zero trust calls for more precise network segmentation -- the creation of so-called microperimeters to prevent hackers from moving laterally throughout a network. Many organizations already have pieces in place to implement a zero-trust policy -- automation, encryption, identity and access management, mobile device management and multifactor authentication -- and those processes require software-defined networking, network orchestration and virtualization.

Yet, organizations have and will continue to hesitate to implement zero trust, Hopkins said, because "it's so fundamentally different and a big thing for companies to absorb."

Again, no one claims enhancing edge computing security will be a walk in the park. "The number of combinations behind network connectivity is staggering, so it's very challenging how we connect what's going on in the data center in cloud to what's going on in the physical world," Hopkins added. "It's tough to implement a zero-trust idea."

Setting a foundation for the edge

In a sign that edge computing has taken hold in mainstream business, the people behind the scenes of technology -- the developers -- see the need to form accepted industry standards for the edge. One such example is Project EVE (for Edge Virtualization Engine), a Linux Foundation umbrella organization that aims to establish open, interoperable frameworks for edge computing that are independent of hardware, silicon, cloud or OSes.

Zededa, an edge virtualization company based in California, donated the seed code to start Project EVE. Roman Shaposhnik, co-founder at Zedada, said the proper approach to edge is to treat it as something radically different from conventional computing. "No one is running just one cloud anymore," he said.

Virtualization, Shaposhnik said, gives companies full control over how they partition and secure computing resources. Project EVE, for instance, verifies updates and activity through an edge device's hardware root of trust, preventing spoofing, malware injection and other malicious actions, he said. By decoupling software from the underlying hardware through virtualization, EVE lets users make over-the-air software updates, which should prompt organizations to apply security patches quicker than they usually do.

No matter how an organization chooses to approach edge computing security, it needs to put a value on their data, Morey's Mindlin recommended. Value is usually commensurate with the money spent on and resources devoted to protecting that data.

"How much is your data worth, and how much are you willing to spend to protect it?" he said. "Sometimes, people don't understand what their data is worth, and that is a different problem."