Securing a Distributed Edge Network

July 1, 2020

Security for edge computing is a large and complicated topic in its own right. In our previous post, we looked at challenges specific to security at the edge. In this one, we'll take a look at some of the ways in which the edge can be secured.

A Kollective Distributed Devices report highlighted in TechRepublic recently showed that two-thirds of IT teams see edge computing as a threat to their organizations. Just over half of respondents said they expect to encounter challenges in ensuring complete security across all edge devices.

What’s involved in edge security?

There are multiple components involved in edge security at all levels of the edge continuum, including those listed below.

Perimeter risk management

As application architectures are becoming more distributed, the attack surface is growing. Millions of devices with a wide range of operating systems and update schedules are being brought into the enterprise, and workplace IT organizations need robust perimeter risk management strategies to secure them. These include:

Web Application Firewalls (WAFs)
A WAF sits in front of your applications and services, inspects inbound requests, blocks those that match attack patterns and lets legitimate traffic through. A malicious request never reaches the application, which stops many classes of exploit before the application's own code has to handle them.

There are two broad ways to sort traffic into legitimate and unsafe. A layer 3/4 firewall, also known as a network firewall, filters on the TCP/IP headers alone: source and destination addresses, ports and protocol. A layer 7 firewall works at the application layer: it can see which application or API a request is aimed at and inspect the request itself (method, path, headers and body). This is what a WAF does. A network firewall cannot distinguish a legitimate request from an injection attempt arriving on the same port from a permitted address; only layer 7 inspection can.

Intelligent WAFs go further and tune their rules to your application's own traffic and threat profile rather than applying a generic signature set.
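The difference between the two layers is easiest to see on a single request. The following is an added example, not code from the original post or from any WAF product: a network-layer check that sees only address and port, beside an application-layer check that knows the routes and inspects the request body. The address range, routes, signature patterns and sample requests are all constructed for illustration.

```python
"""Layer 3/4 vs layer 7 filtering of the same HTTP request.

Added example; not from the original post or any WAF product. The address
range, routing policy, patterns and requests below are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# --- Layer 3/4: decisions from addresses and ports only -------------------
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed edge-site range
ALLOWED_PORTS = {443}


def l3_filter(src_ip: str, dst_port: int) -> bool:
    """Network firewall: allow only trusted source ranges on permitted ports."""
    ip = ipaddress.ip_address(src_ip)
    return dst_port in ALLOWED_PORTS and any(ip in net for net in ALLOWED_NETS)


# --- Layer 7: decisions from the HTTP request itself ---------------------
@dataclass
class Request:
    src_ip: str
    dst_port: int
    method: str
    path: str
    body: str = ""


# Assumed routing policy: which methods each service prefix accepts.
ROUTES = {"/api/telemetry": {"POST"}, "/api/devices": {"GET"}}

# Tiny signature set for illustration (a real WAF ships thousands of rules).
INJECTION_PATTERNS = [
    re.compile(r"('|%27)\s*(or|and)\s+\S+\s*=\s*\S+", re.I),  # ' OR '1'='1
    re.compile(r"(--|;|/\*)"),                                 # SQL comment/terminator
    re.compile(r"<\s*script\b", re.I),                         # reflected XSS
    re.compile(r"\.\./"),                                      # path traversal
]


def l7_filter(req: Request) -> tuple[bool, str]:
    """WAF: route-aware and content-aware. Returns (allowed, reason)."""
    service = next((p for p in ROUTES if req.path.startswith(p)), None)
    if service is None:
        return False, "unknown route"
    if req.method not in ROUTES[service]:
        return False, f"method {req.method} not allowed on {service}"
    for field in (req.path, req.body):
        for pat in INJECTION_PATTERNS:
            if pat.search(field):
                return False, f"matched {pat.pattern!r}"
    return True, "ok"


def inspect(req: Request) -> dict:
    """Run both layers so the gap between them is visible side by side."""
    l3 = l3_filter(req.src_ip, req.dst_port)
    l7, reason = l7_filter(req)
    return {"l3_allowed": l3, "l7_allowed": l7, "l7_reason": reason}


if __name__ == "__main__":
    # Constructed requests: one benign, one injection from a trusted address.
    print(inspect(Request("10.20.4.7", 443, "POST", "/api/telemetry", '{"temp": 21.5}')))
    print(inspect(Request("10.20.4.7", 443, "GET", "/api/devices?id=1' OR '1'='1")))
```

The second request passes the network firewall because it comes from a permitted address on the permitted port; only the layer 7 check sees the injected `OR '1'='1` in the query string. Pattern matching of this kind is a first line of defence, not a substitute for fixing the application: signatures can be evaded by encoding, and the hardened query shown under Application security below closes the hole regardless of what the WAF lets through.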

Encrypted tunnels
Virtual Private Networks (VPNs) have become highly popular for bypassing geo-blocking on websites and services and for getting around government censorship without revealing who is doing the bypassing. A VPN does this by creating an encrypted tunnel between the end user's device and a VPN endpoint, so that the traffic inside it is hidden from the network it crosses. The same tunnelling protects traffic between edge sites and the core, where the links are rarely under your control.

Stunnel is a widely used tool for wrapping arbitrary TCP connections in an encrypted tunnel. It uses OpenSSL to terminate TLS (formerly SSL, Secure Sockets Layer), the same protocol that protects HTTPS web pages, so a service that only speaks plaintext can be exposed over an encrypted channel without changing the service itself. The tunnel is only as strong as its certificate checks: a client that does not verify the server's certificate is protected against passive eavesdropping but not against an attacker who sits in the path and presents their own certificate.

Access control (virtual and physical)
It’s essential to use access control to:

  • Authenticate individuals to ensure they are who they say they are.
  • Authorize individuals to access only the information they need to view and use within a company.

At a high level, access control involves restricting access to data through authentication and authorization. This applies to devices as much as to people: every device that joins or leaves the network must be subject to the same checks before it is trusted.

Threat detection

It's important to use proactive threat detection technologies to detect threats early and thereby limit the damage. Continuously monitoring networks and endpoints, rather than waiting for an incident report, means threats can be identified before they become full attacks or data breaches.

Cybersecurity monitoring can detect a wider range of threats, improve visibility into risk, surface suspicious activity while it is still low-level and significantly bring down incident response time. Proactive security measures can help prevent attacks or reduce the damage when one does occur. Detection needs to cover both known threats, which signatures can catch, and unknown ones, which only stand out as deviations from normal behaviour.

Application security

Applications running at the edge need to be secured beyond the network layer against threats such as account takeover, the OWASP injection classes, API and feature abuse, bad bots, and so on. This requires layer 7 protection.

Since HTTP became the universal application protocol, attackers have become more likely to scan for and exploit weaknesses within the application layer. The application layer is the closest layer to the end user and the user edge, meaning it presents attackers with the largest attack surface.
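Injection is the canonical layer 7 weakness, and the fix lives in the application, not in the network. The following is an added example, not code from the original post: a device-lookup query built by string concatenation next to the parameterized version, run against a constructed in-memory SQLite registry. The schema, rows and payloads are constructed for illustration.

```python
"""SQL injection at the application layer: vulnerable query beside the fix.

Added example, not code from the original post. The schema, rows and the
lookup API below are constructed for illustration.
"""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory device registry populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (device_id TEXT PRIMARY KEY, site TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [
            ("cam-001", "siteA", "key-aaa"),
            ("cam-002", "siteA", "key-bbb"),
            ("gw-100", "siteB", "key-ccc"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, device_id: str) -> list[str]:
    """Builds SQL by concatenation: attacker-controlled input becomes code."""
    sql = "SELECT device_id FROM devices WHERE device_id = '" + device_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, device_id: str) -> list[str]:
    """Parameterized query: the driver passes input as data, never as SQL."""
    sql = "SELECT device_id FROM devices WHERE device_id = ?"
    return [row[0] for row in conn.execute(sql, (device_id,))]


# Constructed payloads: the first bypasses the filter, the second pulls
# every API key out of the table through the single returned column.
BYPASS_PAYLOAD = "x' OR '1'='1"
EXFIL_PAYLOAD = "x' UNION SELECT api_key FROM devices --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass :", lookup_vulnerable(conn, BYPASS_PAYLOAD))
    print("vulnerable, exfil  :", lookup_vulnerable(conn, EXFIL_PAYLOAD))
    print("hardened,  bypass  :", lookup_hardened(conn, BYPASS_PAYLOAD))
    print("hardened,  normal  :", lookup_hardened(conn, "cam-001"))
```

With the concatenated query the bypass payload returns every device and the UNION payload returns every device's API key, which is exactly the account-takeover path the paragraph warns about. The parameterized query returns nothing for either payload because the quote characters never reach the SQL parser as syntax.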

Automating Updates and Patches

Keeping devices up to date through automated patching is crucial for reducing the potential attack surface. You can often avoid data breaches by ensuring that patching of security holes is performed automatically.

Many of the most harmful malware attacks leverage software vulnerabilities in common applications, such as browsers and operating systems. These kinds of programs require regular updates to keep them safe and stable.

Summary: 5 Edge Security Solutions

Adopt a Zero Trust Security Posture

A high-trust security posture was the norm in traditional on-premises data centers, whereas computing at the edge requires a low- to zero-trust posture, similar to the cloud. Security capabilities need to be extended to all edge devices. According to Gartner, "enterprises need to develop defense in depth and manage edge computing stacks that must be assumed to be compromised - software and data."

An edge security strategy must also protect all network communications to and from the edge and ensure a secure software update schedule. Another aspect of adopting a zero trust posture is to centralize your secrets in a managed secrets store, such as a key/value secrets engine, rather than leaving long-lived credentials on individual devices.

Access Control

Establish access control for edge device authentication and trust assurance in order to protect the data analyzed and stored at the edge, including for privacy and compliance. Each edge device must have a linked identity that is provisioned, can be clearly managed and secured, and can be revoked when the device is lost or retired. By establishing a trusted network of devices and data at the edge, the security of data can be more easily handled.
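The two halves of access control described in this section and under Perimeter risk management above, authenticating a device and then authorizing only the actions its role needs, look like this in code. This is an added example, not code from the original post or from any product: a constructed device registry in which each device has its own provisioned secret and a least-privilege policy, a signed request format, a freshness window to reject replayed captures, and a revocation flag. All names, secrets and policies are assumptions for illustration.

```python
"""Per-device identity: authenticate the request, then authorize the action.

Added example, not code from the original post or any product. The device
registry, request format, policy and secrets below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import time

# Constructed registry: a provisioned secret per device, a revocation flag,
# and a least-privilege policy of resource prefixes and permitted actions.
DEVICES = {
    "cam-001": {"secret": b"s3cret-cam-001", "revoked": False,
                "policy": {"telemetry/siteA/": {"publish"}}},
    "gw-100":  {"secret": b"s3cret-gw-100", "revoked": False,
                "policy": {"telemetry/siteA/": {"publish", "read"},
                           "config/siteA/": {"read"}}},
    "cam-002": {"secret": b"s3cret-cam-002", "revoked": True, "policy": {}},
}
MAX_SKEW = 300  # seconds; a captured request cannot be replayed after this


def sign(device_id: str, secret: bytes, action: str, resource: str, ts: int) -> str:
    """Device side: HMAC over every field the server will check."""
    msg = f"{device_id}|{action}|{resource}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authenticate(device_id: str, action: str, resource: str, ts: int,
                 sig: str, now: int | None = None) -> tuple[bool, str]:
    """Is this really the provisioned device, and is the request fresh?"""
    dev = DEVICES.get(device_id)
    if dev is None or dev["revoked"]:
        return False, "unknown or revoked device"
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside window"
    expected = sign(device_id, dev["secret"], action, resource, ts)
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False, "bad signature"
    return True, "authenticated"


def authorize(device_id: str, action: str, resource: str) -> bool:
    """Identity is proven; now confirm the action is within the device's policy."""
    policy = DEVICES[device_id]["policy"]
    return any(resource.startswith(prefix) and action in actions
               for prefix, actions in policy.items())


def handle(device_id: str, action: str, resource: str, ts: int,
           sig: str, now: int | None = None) -> str:
    ok, why = authenticate(device_id, action, resource, ts, sig, now)
    if not ok:
        return f"deny (authn): {why}"
    if not authorize(device_id, action, resource):
        return "deny (authz): outside device policy"
    return "allow"


if __name__ == "__main__":
    now = int(time.time())
    sig = sign("cam-001", DEVICES["cam-001"]["secret"], "publish",
               "telemetry/siteA/cam-001", now)
    print(handle("cam-001", "publish", "telemetry/siteA/cam-001", now, sig))
    # Same valid signature, but the camera tries to read a config it was
    # never granted: authenticated, then refused by policy.
    sig = sign("cam-001", DEVICES["cam-001"]["secret"], "read",
               "config/siteA/main", now)
    print(handle("cam-001", "read", "config/siteA/main", now, sig))
```

A per-device shared secret is the minimum that makes revocation and least privilege possible; in production the same structure is normally backed by a per-device certificate or a key held in a hardware element so the secret cannot be copied off a stolen unit. The timestamp window limits replay but does not eliminate it; adding a server-tracked nonce closes that gap.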

Utilize AI Solutions

AI is another way that the edge and its data can be secured. AI systems can be trained on trusted historical data and then continuously compare new telemetry against that baseline to find anomalies that may signal an intrusion. AI is able to analyze the massive quantities of data generated at the edge, helping speed up response times and support security operations. The baseline has to be trustworthy: if an attacker was already active while the historical data was collected, their activity becomes part of "normal" and will not be flagged.
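The baseline-and-deviation idea behind this paragraph and the earlier Threat detection section does not need a model to be understood. The following is an added example, not code from the original post or any product: a robust per-device baseline (median and median absolute deviation, which a handful of bad samples in the history cannot drag around the way mean and standard deviation can) applied to constructed outbound-traffic counts, plus a check for destinations a device has never talked to. The devices, history, window and threshold are all constructed for illustration.

```python
"""Baseline-and-deviation detection over per-device edge telemetry.

Added example, not from the original post or any product. The devices,
historical counts, current window and threshold below are constructed.
"""
from __future__ import annotations

import statistics


def baseline(history: list[int]) -> tuple[float, float]:
    """Median and median absolute deviation (MAD) of the training window.

    Robust statistics: a few outliers in the history barely move them, so a
    short burst of attacker activity during baselining does not become
    'normal'. A baseline that is compromised throughout is still a problem.
    """
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    return med, mad


def deviation_score(value: float, med: float, mad: float) -> float:
    """Modified z-score; 0.6745 scales MAD to a standard deviation."""
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def detect(history_by_device: dict, window_by_device: dict,
           known_dst: dict, threshold: float = 3.5) -> list[str]:
    """Compare one observation window against each device's baseline."""
    alerts = []
    for dev, obs in window_by_device.items():
        hist = history_by_device.get(dev)
        if hist is None:
            alerts.append(f"{dev}: no baseline (new device)")
            continue
        med, mad = baseline(hist["outbound_kb"])
        score = deviation_score(obs["outbound_kb"], med, mad)
        if score > threshold:
            alerts.append(f"{dev}: outbound {obs['outbound_kb']} KB vs median "
                          f"{med:g} KB (score {score:.1f})")
        new_dst = set(obs["dst"]) - known_dst.get(dev, set())
        if new_dst:
            alerts.append(f"{dev}: new destinations {sorted(new_dst)}")
    return alerts


# Constructed history: twelve prior windows of outbound KB per device.
HISTORY = {
    "cam-001": {"outbound_kb": [40, 42, 39, 45, 41, 38, 44, 43, 40, 42, 41, 39]},
    "gw-100": {"outbound_kb": [500, 520, 480, 510, 495, 505, 515, 490, 500, 510, 498, 503]},
}
# Constructed set of destinations each device has historically contacted.
KNOWN_DST = {"cam-001": {"10.20.1.5"}, "gw-100": {"10.20.1.5", "203.0.113.10"}}
# Constructed current window: the camera is suddenly pushing 20x its usual
# volume to an address it has never used, while the gateway is normal.
WINDOW = {
    "cam-001": {"outbound_kb": 910, "dst": ["10.20.1.5", "198.51.100.77"]},
    "gw-100": {"outbound_kb": 507, "dst": ["10.20.1.5"]},
    "sensor-7": {"outbound_kb": 3, "dst": ["10.20.1.5"]},
}

if __name__ == "__main__":
    for line in detect(HISTORY, WINDOW, KNOWN_DST):
        print(line)
```

Run against the constructed window this flags the camera twice (volume and a new destination, the combination that typically means exfiltration or a device conscripted into a botnet), stays quiet on the gateway, and reports the unregistered sensor as having no baseline at all, which is itself worth a look at the edge where devices should only appear through provisioning.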

Minimize the Attack Surface

It is necessary to take steps to minimize the attack surface as much as possible by ensuring that edge computing, hardware, software, applications, data and networking have security and self-protection built-in as part of the design process. This is true for the prevention of both virtual attacks and physical tampering and theft.

Encryption

According to Dave McJannet, CEO of HashiCorp, "If you can centralize secrets and credential management and you can encrypt all data at rest and in flight in this cloud world, you've gone 99% of the way to addressing the security challenge."

For edge computing sites where the physical perimeter cannot be guaranteed, encrypting all data, whether in transit or at rest, keeps it safe even if the network is intercepted or a device is carried off, provided the keys are not stored alongside the data they protect.