Edge security is not just about securing edge computing; it is also potentially a new approach to defining user and enterprise security in the cloud-connected world.
Edge computing continues to grow exponentially: the global edge-computing market is expected to grow from USD 2.8 billion in 2019 to USD 9.0 billion by 2024, at a compound annual growth rate (CAGR) of 26.5 percent during the five-year period. Securing edge computing requires a zero-trust approach. Taking the view that every person, device, workload, and network is untrusted ensures that an organization can protect its technology environment and data proactively.
Security considerations in edge computing
Distributing data across a large network, containing numerous devices and data centers operating far from companies’ main locations, can create problems with network visibility and control. Each device represents another potentially vulnerable endpoint, and the Internet of Things (IoT) is notorious for its lack of robust security. Other devices used in edge computing have similar problems: They are smaller than traditional data center or server setups, not designed with security in mind, and are not always updated as often as they should be.
Loopholes in edge security can provide hackers easy access to the core of a network. This is of particular concern if edge devices are rushed to market before thorough testing is performed or companies race to adopt the technology without a full understanding of the security risks involved. The smaller size of edge devices also makes them more vulnerable to being stolen or otherwise physically manipulated.
Any network in which edge computing is a major player must be maintained in a unified manner to ensure all devices receive regular updates and proper security protocols are followed. Encryption, patching and the use of artificial intelligence to monitor for, detect, and respond to potential threats are all essential, and the responsibility for implementing these security measures falls squarely on companies, not end-users.
Can edge computing make networks safer?
In an interesting paradox, wider device distribution may offer security benefits. Reducing the distance data has to travel for processing means there are fewer opportunities for trackers to intercept it during transmission. With more data remaining at the edges of the network, central servers are also less likely to become targets for cyberattacks.
The challenge lies in incorporating security into device design. Companies are beginning to focus on this and other measures for making data safer, including the use of encryption and creating solutions to manage, update, and secure IoT devices. If inherent security features are built into more end-user devices and edge data centers, it should be possible to create expansive networks with minimal vulnerabilities. However, the technology has not yet reached a point where security can be considered reliable enough to prevent the majority of attacks.
Understanding edge security
As edge computing is a growing area, so too is edge security. There are several aspects involved in edge security, including:
Perimeter security. Securing access to edge compute resources via encrypted tunnels, firewalls, and access control;
Application security. Beyond the network layer, edge compute devices run applications that must be secured;
Threat detection. As edge computing is by definition not centralized, it is critically important for providers to employ proactive threat-detection technologies to identify potential issues early;
Vulnerability management. There are both known and unknown vulnerabilities that need to be managed; and
Patching cycles. Automated patching to keep devices up to date is important for reducing the potential attack surface.
Secure access service edge
In 2019, a new term was coined by Gartner to define a category of hardware and services that helps enable edge security; that term is Secure Access Service Edge (SASE).
According to Gartner, SASE is an emerging offering, combining comprehensive WAN capabilities with comprehensive network security functions, such as secure web gateways (SWG), CASB, firewalls-as-a-service (FWaaS), and zero-trust network access (ZTNA) to support the dynamic secure-access needs of digital enterprises.
Even though the term SASE is new, in August 2019, Gartner forecast that by 2024, at least 40 percent of enterprises will have explicit strategies to adopt SASE, up from less than 1 percent at year-end 2018.
Top edge-security vendors
Though the term edge security is relatively new, there are multiple vendors in the space that have product offerings. The leading ones are Akamai, Cisco, Cloudflare, Fortinet, Palo Alto Networks, Cato Networks, VMware, and Zscaler. Not all the vendors fall into the SASE category, as some lack the WAN functionality and only provide a subset of edge-security needs.
Securing the edge is further complicated by the fact that edge device use cases are so diverse, and that most devices work differently. Edge devices are designed with assorted capabilities, configurations, and versions that make tracking the threat landscape a challenge for security teams. Unfortunately, many devices also suffer from well-known shortcomings.
Additionally, the small physical size of many edge devices makes them vulnerable to theft or physical attack. This is because they are often deployed in exposed locations, such as cell towers or other sites that are not actively monitored and secured the way a traditional data center is.
For an edge deployment to be secure, all data – both at rest and in motion – must be encrypted. Requiring multifactor authentication for access is highly recommended. Turn on trusted platform-computing features, where available, to provide strong encryption and authentication. All traffic will need to travel over secure, hardened VPN tunnels, as data may travel over untrusted public networks. Encryption and access controls will also help mitigate some physical risks as any stolen data will be unreadable. For those devices not capable of strong encryption, security agents should be installed nearby to provide the computing power necessary to handle cryptographic security and provide protection against malicious activities.
By definition, edge devices are connected to something else. As a result, there is no single or simple solution to securing a device because any attack can come from a multitude of sources, using a variety of attack vectors. The generally accepted best practices for security involve layers of security, as well as constant diligence in changing passwords and updating software.
Where weaknesses are known, they need to be addressed; where none are obvious, a multi-layered strategy is required. Edge devices have a wide range of sizes and compute power, and there is no one security solution that fits all. The optimal security solution will have to be tuned based on the target application chosen for that edge device, a good understanding of the threat environment, certification and regulation requirements, as well as power, performance, cost, and target. Security needs to be like a toolbox from which people draw the right scale of solution for each edge device.
Part of this needs to be addressed at the earliest phases of semiconductor and system design, and carried throughout the design cycle. A security-oriented mindset needs to be employed at every stage of design, or else problems could slip through. A verification-oriented mindset across the design flow is a must. The first thing is this chain of security, where every device and every team that contributes something to these devices needs to be thinking about security: how does my device influence the security of the overall system? IoT is a particularly difficult market in which to get security right. That means every team has to be thinking about it throughout the design flow. Security is a chain, and the weakest link is going to be the downfall of the overall IoT service. There is no partial credit for security; one has to get it right everywhere. That said, it is almost impossible to get it right everywhere, all the time.
Perhaps even more daunting, as chips are developed for markets such as automotive and industrial IoT, they need to last for a decade or more. By that time, what is considered unhackable today may be simple to crack as new techniques emerge and the processing power required to break ciphers and encrypted keys increases by orders of magnitude. The only way to address that is through field upgrades.
One needs to reduce the device attack surface by implementing security at the design phase, treating security as a primary design parameter rather than a tertiary afterthought. One also needs early detection of compromised devices. Since no system is 100 percent secure, real-time detection of a compromise in an edge device can invoke patching and recovery of the infected device and other vulnerable devices. Once a software vulnerability is discovered and identified, quick action is crucial for limiting any damage to the edge device or any other devices connected to it. Fast recoverability can be achieved using over-the-air recovery mechanisms in which security updates are pushed to the device via the internet.
But edge-computing devices can be much more difficult to secure than other devices. Edge devices typically have to perform complicated tasks that other standalone IoT devices do not. Edge computing requires more CPU, memory, and flexibility, which typically results in a larger attack surface. In many cases, edge devices also aggregate and process data from multiple devices connected to them. A compromise of an edge device can result in a compromise of the data collected from multiple devices connected to it. The combination of a larger attack surface and access to multiple other connected end-devices further raises the need to provide protection, detection, and recoverability. In addition, some edge devices might be required to handle the data of two separate users who do not trust each other. This requires the edge device to implement secure data separation to prevent one user's data from leaking to the other. The principles and security best practices of edge devices, such as routers, switches, or smartphones, are not different from the ones used in other areas, like the data center or cloud computing.
Software needs to be part of this security solution as well. Operating systems can provide a secure connection to the cloud, for example. And virtualization, which enables execution separation, can help when multiple users who do not know or trust each other utilize a shared edge device. It is important to periodically check that the code being executed has not been modified by any means. It is equally important to ensure that while the device is running, and while it is communicating with other devices or a network, it does so in a trusted manner.
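One way to implement the periodic check that executing code has not been modified, shown as an added example rather than code from the original article: file digests are compared against a reference manifest authenticated with an HMAC, so tampering with the reference itself is also caught. The key value, file names, and function names are constructed for illustration; the example assumes a real deployment would keep the key in a TPM or secure element.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def digest_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def sign_manifest(root, key):
    """Build the reference manifest at provisioning or update time."""
    body = json.dumps(digest_tree(root), sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def check_integrity(root, manifest, key):
    """Return sorted (path, finding) pairs; an empty list means unmodified."""
    want = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, manifest["tag"]):
        return [("<manifest>", "bad-tag")]  # the reference itself was altered
    expected, actual = json.loads(manifest["body"]), digest_tree(root)
    findings = []
    for path in sorted(set(expected) | set(actual)):
        if path not in actual:
            findings.append((path, "missing"))
        elif path not in expected:
            findings.append((path, "unexpected"))
        elif actual[path] != expected[path]:
            findings.append((path, "modified"))
    return findings

def demo():
    """Constructed sample: two files, then one is altered and one is added."""
    key = b"constructed-demo-key"  # assumption: held in a TPM/secure element
    with tempfile.TemporaryDirectory() as root:
        Path(root, "app.bin").write_bytes(b"v1 code")
        Path(root, "agent.cfg").write_bytes(b"mode=strict")
        manifest = sign_manifest(root, key)
        clean = check_integrity(root, manifest, key)
        Path(root, "app.bin").write_bytes(b"v1 code (altered)")
        Path(root, "extra.sh").write_bytes(b"#!/bin/sh")
        tampered = check_integrity(root, manifest, key)
        # Rewriting the digests without the key leaves a stale tag behind.
        forged = dict(manifest, body=json.dumps(digest_tree(root), sort_keys=True))
        return clean, tampered, check_integrity(root, forged, key)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A non-empty result is the detection signal that can trigger the patching and over-the-air recovery described earlier.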