Edge Computing: 4 Key Security Issues CIOs Need to Prioritize
While many enterprise edge computing strategies are still in their infancy, edge security could also emerge as a potentially risky new frontier.
The highly distributed nature of edge computing expands the threat surface and overall complexity of an organization. But the edge itself shouldn’t be considered scary or insecure – security simply needs to be properly prioritized, as it is in your cloud and on-premises environments.
“Edge computing can create more complexity, which can make it more difficult to secure the entire system,” says Jeremy Linden, senior director of product management at Asimily. “Yet there is nothing inherently less secure in edge computing.”
Big security risks at the edge should sound familiar: compromised credentials, malware and other malicious code, DDoS attacks, and more.
What’s different is that these risks now occur further and further away from your primary or central environment(s) – the traditional network perimeter of yesteryear is no longer your only concern.
“Edge computing poses unique security challenges as you move away from closed central cloud environments and everything is now accessible over the internet,” said Priya Rajagopal, director, product management, Couchbase.
The good news: Many of the same or similar tactics and tools that organizations use to secure their cloud (especially hybrid and/or multi-cloud) and on-premises environments still apply; they just need to be applied at the edge.
As you shape your overall edge computing strategy, here are four things to focus on to ensure you prioritize security and achieve your business goals.
1. Good news: edge fundamentals are also edge security fundamentals
Each of the essential components of a holistic, results-driven edge strategy – which we covered recently in this article – also helps lay the foundation for an edge security strategy.
According to Ron Howell, Chief Enterprise Network Architect, Capgemini Americas, you can sum it all up in one word: visibility.
You can’t secure what you can’t see – and you can’t fix problems if you don’t know they exist. Ignorance never brings happiness when it comes to computer security.
“With visibility comes insight to help organizations plan their cutting-edge security strategy appropriately,” Howell says.
Monitoring and observability are important, as are other fundamentals such as standardization and consistency of things like operating system configurations. Edge security becomes much more difficult when you’re dealing with a bunch of one-time or snowflake patterns in your edge applications and infrastructure.
Gordon Haff, technology evangelist at Red Hat, puts it this way: “Deploying and operating large-scale distributed infrastructure is difficult enough without introducing randomness and silos into the mix.”
By investing holistically in a solid edge strategy, you are already laying the foundation for security.
2. Edge security should be flexible/hybrid in its approach
Howell sees modern edge security as “nothing new” in terms of risks and responses to those risks – it’s just that they are happening in more places than ever.
As a result, Howell emphasizes the need for inherently flexible and hybrid security tools and practices, meaning they can work anywhere. If you are already building or operating a hybrid cloud environment, the fundamentals of flexibility, agility, and control apply here as well.
“Hybrid compute and hybrid design of security enforcement gives us a much more flexible model where security enforcement can take place at any point in the corporate network and not rely solely on the cloud,” says Howell.
Security strategy can still be cloud-centric, but implementing and expanding enterprise edge architectures will inherently require security tools and policies that move to where they are needed, not just on site or in a cloud, but potentially anywhere. In this way, edge computing could actually promote a more adaptable and secure organization in the future – not less.
“Today’s knowledgeable, forward-thinking CIOs need to avoid security lock-in and select a secure hybrid compute model that can go where their business needs security,” says Howell. Edge computing will play a key role in a flexible computing model that can be secured where needed for business benefit.
3. Cover key security technologies and practices, most of which you already know
Although edge security adds some complexity, many of the basic approaches to securing edge environments should sound familiar. “Edge computing, as well as data center infrastructure, is now secured like we secure any other enterprise resource,” says Howell.
Here are some tools and tactics that should be heavily considered in your strategy and planning:
● Know your threat model: A strong security posture in any environment depends on understanding what is at risk – and how/when/why those risks might be exposed. This is just as true at the edge.
“Understand your threat model and the negative impact different attacks could create, from exfiltrating sensitive data to disrupting business operations,” Linden says.
● Zero Trust/Access Control: Just as misconfigured accounts and/or leaked credentials have become one of the biggest attack points in cloud security, they will pose serious risks in edge environments: every endpoint and every application becomes a window or a door for an attacker to check. Access control technologies and policies (for humans and machines) will continue to be crucial, and the edge will only reinforce broader industry adoption of the Zero Trust approach.
“Using Zero Trust security design principles is quickly becoming the trust standard of choice for well-segmented, well-secured enterprise resources,” says Howell.
● Security wherever it is needed: Edge computing continues an (already ongoing) trend of the need for security far beyond the traditional enterprise perimeter or even multiple different clouds. For some organizations, this may be the newest element – and it’s the hybrid model Howell described above. Technologies such as SD-WAN or a cloud-based Secure Access Service Edge (SASE) play an important role.
“Security continues to be needed closer to where applications are running,” Howell says. “SD-WAN and SASE are secure connectivity tools and are designed to be flexible for use in a hybrid security model, where a flexible design can place network and security services where they are needed most within modern business.”
● Focus on applications and data: Again, several experts note that security fundamentals (such as Zero Trust, MFA, etc.) are just as important at the edge. Others, like device hardening, can be trickier at the edge. Therefore, security needs to be more application- and data-centric.
“As you move to the far end, you’re typically dealing with large-scale data, and a lot of these devices that generate data have limited or no security hardening – think IoT sensors,” says Couchbase’s Rajagopal. “Thus, it’s important to assume the worst and harden your application against threats such as DDoS attacks.”
Likewise, this data must be protected. “Pay close attention to understanding where data resides in the organization and ensure that data is encrypted in transit and at rest,” says Linden of Asimily.
● Isolation: From a networking and architectural perspective, edge environments are distributed with a capital “D”. An isolated incident should remain that – isolated. Segmentation is the key. There are corollaries here with container and cloud security – don’t let a relatively small breach become a headline-grabbing hack. Make sure you can freeze an attacker in place.
“Create network and access control policies that don’t allow arbitrary communication between edges or between cloud and edge, so attackers can’t easily move laterally between assets,” says Linden.
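An added example, not from the original article: a small Python audit of a flow-allow policy in the spirit of Linden's advice. It flags wildcard and direct edge-to-edge rules and computes which zones a compromised edge site could reach by chaining allowed flows. The zone names, rule format and sample policy are constructed for illustration.

```python
from collections import deque

# Constructed sample policy (hypothetical zone names and rule format).
# Each rule allows src -> dst on one port; "*" means any zone.
ZONES = {"edge-store-01", "edge-store-02", "edge-store-03", "cloud-ingest", "cloud-mgmt"}
RULES = [
    {"src": "edge-store-01", "dst": "cloud-ingest", "port": 443},
    {"src": "edge-store-02", "dst": "cloud-ingest", "port": 443},
    {"src": "cloud-mgmt", "dst": "edge-store-01", "port": 22},
    {"src": "cloud-mgmt", "dst": "edge-store-02", "port": 22},
    {"src": "edge-store-01", "dst": "edge-store-02", "port": 445},  # edge-to-edge
    {"src": "cloud-ingest", "dst": "*", "port": 8080},              # arbitrary cloud-to-edge
]

def is_edge(zone):
    return zone.startswith("edge-")

def findings(rules):
    """Return (rule index, reason) for rules that permit arbitrary communication."""
    out = []
    for i, r in enumerate(rules):
        if "*" in (r["src"], r["dst"]):
            out.append((i, "wildcard endpoint"))
        elif is_edge(r["src"]) and is_edge(r["dst"]):
            out.append((i, "edge-to-edge"))
    return out

def blast_radius(start, rules, zones):
    """Zones reachable from a compromised zone by chaining allowed flows."""
    # Simplification: every allowed flow is treated as a possible pivot.
    graph = {}
    for r in rules:
        srcs = zones if r["src"] == "*" else {r["src"]}
        dsts = zones if r["dst"] == "*" else {r["dst"]}
        for s in srcs:
            graph.setdefault(s, set()).update(dsts - {s})
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

if __name__ == "__main__":
    print(findings(RULES), sorted(blast_radius("edge-store-01", RULES, ZONES)))
```

Dropping the two flagged rules shrinks the reach of a compromised `edge-store-01` from every other zone to `cloud-ingest` alone.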
4. Be clear about who is responsible for what
Last but not least: just as technology assets are increasingly distributed, so are human teams. Be sure to factor this into your edge security policy. “I thought someone else was watching this” is the source of many incidents.
“Because edge computing assets may reside in different physical locations and may be owned by different groups, ensure that lines of liability are clear and, in the event of a breach, that there is no confusion as to which role is responsible for what,” says Linden.
While this is all ultimately the purview of a central security team, don’t let this lead to hubris or false assumptions – make sure the team is aware of the scope of the organization’s edge security strategy and its implementation.
“If a core group is responsible for security across the entire system, make sure they have the access they need to all parts of the system, from edge to cloud, so they can react quickly wherever an attack might occur,” says Linden.