Security Challenges at the Edge of the Network

June 23, 2020

Whether data is at rest or in transit, protecting data is essential. Many of the security challenges faced by edge computing are shared with cloud computing, but there are several edge-specific security considerations that have emerged or heightened in the new edge computing paradigm.

According to State of the Edge’s Data at the Edge report, there will be 175 zettabytes of data generated by 2025, a tenfold increase from 2016. Managing this enormous volume of data will be one of the key drivers of distributed architecture. As the scale of edge computing grows, security challenges specific to the edge need to be understood and tackled head-on.

This is important for all areas of data - whether it’s payment information collected on point-of-sale devices at the edge or cameras used in public safety projects to examine aging infrastructure, we must institute rigorous security policies.

Edge security challenges

Security challenges specific to the edge include:

An enlarged attack surface

By definition, data at the edge is highly distributed. The scale of distributed computing and storage that edge computing requires is immense. Data for one application alone can be spread across dozens or hundreds of sites or nodes. Edge security practices also need to take into account the huge diversity of edge computing nodes and devices, and a flexible approach needs to be developed that adapts as needed within manageable guidelines.

Beyond traditional information security visibility

New security challenges exist around the fact that processing and storage at the edge typically exist outside of traditional information security visibility and control. Living strategic plans need to be developed beyond traditional data center security practices to include heterogeneous mobile and Internet of Things (IoT) computing security.

A physical threat as well as a virtual one

The smaller scale and diversity of physical locations means edge computing locations are more prone to physical tampering and theft. Remote edge locations typically have no IT staff, so this must further be factored into security and management strategy. This makes multiple layers of security even more important, such as encryption and multi-factor authentication.

Limited compute capacity, depending on the edge device type

Many edge devices, in particular IoT devices, have limited compute capacity, requiring a flexible approach to security. Minimum viable protection must be enabled by default. Many IoT devices never have their factory default or static username and password combinations changed by their users. We’ve seen the damage this can cause with botnets like the Mirai in 2016. Default passwords must be changed and control maintained through a centralized management dashboard that controls how devices interact with the computing environment.

Connectivity challenges

A base of constant network connectivity can’t be assumed for edge devices. Security controls need to continue to provide protection even if the edge system is disconnected from the management console, whether intermittently or for consistent periods. Companies can also reduce risks by not allowing direct connections between edge devices and the cloud except if they are essential for performing critical functions.

Security practices and challenges differ along the edge continuum

Security practices need to be implemented differently along the edge continuum. Specific approaches can be adopted within each tier in order to factor in important differences in the compute footprint, deployment scale and connectivity reliability, along with physical and network security challenges.

The three main tiers within the edge continuum to consider as part of an edge security strategy are:

On-Prem Data Center Edge (at the upper end of the user edge tier)

This tier refers to server-class infrastructure situated within traditional, physically secure data centers. While considerably smaller, security tools in these kinds of settings are largely the same as those used in the cloud data center. However, some difference of approach is necessary due to the smaller scale and to support the coordination of Kubernetes clusters distributed across edge data center locations.

On-prem data centers are typically more secure than smart device or constrained device edges, which tend to be deployed in semi-secure to easily accessible locations in the field.

Smart Device Edge (the middle of the user edge)

This tier comprises hardware (from consumer mobile devices and laptops to servers specifically for IIoT use cases, such as factory floors) situated outside physically-secure data centers, yet still able to support virtualization and/or containerization. Smart Device Edge IoT and compute resources can usually support robust security features, such as data encryption and multi-device authentication.

Constrained Device Edge (the lowest extreme of the user edge)

This tier refers to microcontroller-based devices that are highly distributed, such as sensors or actuators that perform little or no localized compute - all the way up to more capable devices designed to address time and safety-critical applications, such as Programmable-logic Controllers (PLCs). Constrained Device Edge resources often depend on upstream more capable devices for additional security measures. Often IIoT has isolated devices in this bracket; in order to drive new outcomes, it is important to connect them to networked intelligence.

In our next post on security at the edge, we’ll look at what’s involved in edge security and approaches that can be taken to solve some of these complex challenges.