Securing the edge: 5 best practices
- 17 September, 2020 15:27
For a growing number of companies, the “edge” of the enterprise network is an increasing focal point of IT investments. This is where they are aiming to bolster data storage, processing, and analytics capabilities to generate business insights from data gathered from connected devices and systems.
Optical and photonic products manufacturer Lumentum has employed an edge strategy with local compute and storage arrays to deal with the large volume of data generated during the manufacturing and testing process.
“Edge computing allows us to process and store data coming off the line in real time,” says Ralph Loura, senior vice president and CTO. “We also employ an aggregation strategy to stream that data into public cloud platforms for data aggregation, processing, long-term storage, and secure partner access.”
The primary security risk is the sensor and tester network and how data gets from those sources to the edge platform, Loura says. “Edge platforms sit in remote locations, and local teams don’t always follow global standards,” he says. “It takes discipline, and good tools, to ensure that standards are adhered to consistently.”
Understanding the risks
Edge’s promise is a performance increase for connecting many things on the outside to data center or cloud services on the inside, which creates “a big security challenge and a lucrative target for attackers,” says John Pescatore, director of emerging security trends at the SANS Institute, a provider of technology training programs.
Indeed, the edge can be difficult terrain from a data security standpoint for a variety of reasons.
“The obvious risks an organization should consider before embarking on an edge project have to do with the sheer number of devices and supporting infrastructure that populates the edge, and the massive amount of data being generated at the edge,” says Matt Kimball, senior analyst, data center, at advisory firm Moor Insights & Strategy.
“Hundreds to thousands of network-connected, data generating devices connected to infrastructure ‘in the wild’ makes the edge a rich target for bad actors,” Kimball says. “And the more important that data becomes to an organization, the more it becomes a target for hackers or groups to exploit for gain.”
The diversity of internet of things (IoT) devices and systems sitting at the edge also creates security challenges, “especially in the industrial verticals, where decades old machinery and supporting systems that comprise OT [operational technology] are being merged with IT systems,” Kimball says. “The criticality of many OT environments—power plants, water treatment, refineries—make them targets.”
Another primary concern in edge computing lies in the scale of deployment locations. “Instead of securing a majority of resources in a handful of core locations, the distributed nature of edge computing means that infrastructure, data, and applications could be spread across hundreds or thousands of locations,” says Dave McCarthy, a research director with IDC's worldwide infrastructure practice focusing on edge strategies.
“To amplify this concern, these edge locations often lack local IT staff and do not share the same physical security as their data center counterparts,” McCarthy says. “Edge locations range from remote offices to places like factories, warehouses, retail stores, and schools.”
Adding to the security challenge is the breadth and complexity of what the edge entails. Research firm IDC is tracking edge solutions in several categories: enterprise IT (such as remote office and branch office systems); industrial operational technology (such as systems used in manufacturing); cloud edge offerings (such as Snowcone from Amazon Web Services); and “IT to the carrier edge” offerings from telecommunications providers that might include 5G and multi-access edge computing (MEC).
Any of the solutions in any of those categories represents a potential entry point for an attacker, and many of the products and services for edge computing are relatively new, which means they’re somewhat untested.
“The immaturity of the technology and the wide range of vendors providing various forms of edge computing hardware [and] software services is by far the biggest issue,” Pescatore says.
“For established vendors like Cisco, Google, AWS, Dell, etc., the software is still immature, and we are seeing [a] continuing stream of critical vulnerabilities exposed even in mature products at the edge,” Pescatore says. “Then there are dozens of startup vendors in the market that have no track record in secure products at all.”
The lack of maturity with edge offerings means they are “chock full of vulnerabilities, either via built-in faults or mistakes by [systems administrators] not familiar with the new technology.”
For edge computing to be less of a risk, vendors need to demonstrate extensive security testing of the products and services, Pescatore says. Another step in the right direction: standardization of what an edge server and service really is, as well as standards for secure architectures and system configurations from third parties such as the Center for Internet Security. “None of that has happened yet.”
5 best practices for better protection
When considering a move from a traditional, single-site data center architecture to edge computing technology, “it is critical to understand that you are expanding and dispersing your company’s exposure to cyber attack,” says Steve Maki, executive vice president of IT at AEI Consultants, a property and environmental consulting firm. The following best practices will help mitigate the risks.
Integrate edge into your security strategy
Businesses should think of edge security in the same way they think of the rest of their cyber security strategy, McCarthy says. “It should not feel like a bolted-on appendage but rather an integrated part of overall security processes, procedures, and technology,” he says.
“From a security standpoint, each edge node will require the same level of security, redundancy, and service visibility that you engineered into your central data center,” Maki says. “User and device management across a geographically dispersed topology of edge nodes will also present a significant challenge if not designed and deployed correctly.”
AEI has deployed multiple layers of security to protect its edge business assets, Maki says. This includes multi-factor authentication, malware protection, endpoint protection, end-user training, and others.
Think zero trust
Edge locations naturally lend themselves to a zero-trust security model, McCarthy says. “In addition to hardening edge resources from attacks, it is important to enforce encryption of data both in transit and at rest,” he says. “Edge requires a greater emphasis in certificate-based identity management for both users and the endpoints themselves.”
Know what normal looks like
It’s possible to analyze the flow of communication to establish a baseline of “normal” and then evaluate future data flows for abnormal behavior, McCarthy says. “This is an area where machine learning and AI [artificial intelligence] techniques come together to proactively improve the overall security profile.”
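The baseline-then-compare approach described above, as an added example that is not code from the article or from any vendor it names. It substitutes simple robust statistics (median and median absolute deviation) for the machine learning McCarthy mentions; the node names, destinations, flow sizes and threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed baseline window: (edge_node, destination, bytes_sent) per flow.
BASELINE_FLOWS = [
    ("tester-01", "edge-gw.example.internal", 1000),
    ("tester-01", "edge-gw.example.internal", 1040),
    ("tester-01", "edge-gw.example.internal", 980),
    ("tester-01", "edge-gw.example.internal", 1020),
    ("tester-01", "edge-gw.example.internal", 1010),
    ("sensor-07", "edge-gw.example.internal", 200),
    ("sensor-07", "edge-gw.example.internal", 200),
    ("sensor-07", "edge-gw.example.internal", 200),
]

def build_baseline(flows):
    """Learn, per node, its usual destinations and typical flow size."""
    by_node = defaultdict(list)
    for node, dst, nbytes in flows:
        by_node[node].append((dst, nbytes))
    baseline = {}
    for node, recs in by_node.items():
        sizes = [b for _, b in recs]
        med = median(sizes)
        # Median absolute deviation: a spread measure that outliers barely move.
        mad = median(abs(b - med) for b in sizes)
        baseline[node] = {"dests": {d for d, _ in recs}, "median": med, "mad": mad}
    return baseline

def evaluate(flow, baseline, threshold=6.0):
    """Return the list of findings for one new flow (empty list = normal)."""
    node, dst, nbytes = flow
    profile = baseline.get(node)
    if profile is None:
        return ["unknown-node"]  # device never seen during the baseline window
    findings = []
    if dst not in profile["dests"]:
        findings.append("new-destination")
    # Perfectly regular traffic has MAD 0; floor it so the score stays finite.
    score = abs(nbytes - profile["median"]) / max(profile["mad"], 1.0)
    if score > threshold:
        findings.append("volume-outlier")
    return findings

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for f in [("tester-01", "edge-gw.example.internal", 1030),
              ("tester-01", "203.0.113.50", 250000),
              ("camera-99", "edge-gw.example.internal", 500)]:
        print(f, evaluate(f, base))
```

The baseline window has to be captured while the site is known to be healthy, since whatever traffic it contains is what later flows are judged against.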
Consider security in the buying process
Another good practice is to require edge product vendors to demonstrate security capabilities when responding to requests for proposals, Pescatore says.
“Microsoft didn’t pay attention to security in Windows until enterprises started telling them, ‘we are going to use Netscape and Linux because these internet worms are killing us,’” Pescatore says. “Twenty years later, Zoom’s CEO had to apologize and also say ‘security is job 1’ when all the lack of security in Zoom got exposed. Products only get more secure when the market demands it.”
Because the technology is still immature, Pescatore says, those companies that actually adopt it should develop their own secure configuration standards and prioritize monitoring and patching of the devices or services, until there are more industry standards.
For Lumentum, a key to robust security for edge environments is constant updates of security software. “We are aggressive about patch management,” Loura says. The company uses centralized configuration management and monitoring tools to ensure that systems in the field are configured and managed per the company’s central design.
The use of edge computing is likely to rise, as organizations look to exploit IoT and other edge-related opportunities. They will continue to face daunting security challenges.
“The edge is becoming more of a security risk for the simple reason that more enterprises are implementing applications at the edge,” says Bob Gill, research vice president at Gartner. “With greater numbers, the odds of a ‘failure’ of course rise.”
Another factor in the rising risk of edge computing is that applications are becoming far more ambitious and well connected to other assets in the enterprise, including back-end systems in the cloud and on-premises, Gill says. “Not only are the attack surfaces growing in size, but the blast radius in the event of a security failure is growing as well,” he says.
But experts see reasons for hope. “As the concepts surrounding edge continue to mature, technology suppliers, service providers, and enterprises have developed strategies to mitigate most common concerns,” McCarthy says.
They will need to continue those efforts if the edge is to become a more secure place to do business.