Processing data at the network’s edge, whether it is on IoT devices, industrial equipment, or in nearby data centres, can reduce the latency of applications and enable richer, AI-powered functionality and user experiences. But edge computing introduces new security challenges which, analysts argue, require new approaches to securing devices and networks.
The centralisation of computing – in local area networks, in corporate data centres, and more recently in hyperscale clouds – has been good for security. It has allowed organisations to ‘hide’ their data behind layers of security defences, both virtual and physical.
Now, though, computing is once again being redistributed away from this secure core. One driver is the spike in remote working, which means employees are connecting to corporate networks through the internet. Another is the growing need for data processing to be located near users or devices at the edge of the network, to reduce latency and accelerate analysis. This means data is increasingly processed and stored on IoT devices, on industrial equipment in remote locations, or in local data centres close to the user.
Conventional models of IT security are not suited for this redistribution. As computing moves to the edge, these models risk exposing corporate data assets, holding back digital transformation, or both.
“Network security architectures that place the enterprise data centre at the centre of connectivity requirements are an inhibitor to the dynamic access requirements of digital business,” analyst company Gartner wrote in a report last year. “Digital business and edge computing have inverted access requirements, with more users, devices, applications, services and data located outside of an enterprise than inside.”
Organisations embarking on edge computing use cases, whether that means distributing thousands of IoT sensors in the field or beefing up the data processing power of their industrial machinery, will need to adjust their security controls and practices to fit the new paradigm.
Happily, edge adopters appear to be aware of this: a survey of more than 1,500 companies by US telecommunications giant AT&T’s cybersecurity division found that companies pursuing edge use cases typically expect to spend between 11% and 20% of their investment on security.
The security challenges of edge computing – and the controls required to address them – can be simplified into two overlapping categories: those that apply to devices, and those that concern networks.
Securing edge computing devices
One way in which edge computing increases cybersecurity risk is a simple matter of geography: more devices in more dispersed locations means a greater risk of physical interference or other damage. "Physical threats could include tampering with devices to introduce malware through physical access, or unintentional actions that damage the device and data," explained IT services provider Atos in a recent overview of edge computing.
Measures to control physical security risks to edge devices include increased security for company premises, Atos advises, and environmental monitoring to detect movement or adverse conditions.
The proliferation of edge devices capable of storing and processing data also increases virtual security risks. Remotely accessing these devices could allow hackers to steal data, sabotage operations or gain access to corporate systems. "If one device is compromised, the attacker can use it to get into the network," says Raj Sharma, founder of consultancy CyberPulse and director of Oxford University's AI for cybersecurity course.
The security challenges that arise from edge computing devices will increase as their data processing capabilities improve, adds Bola Rotibi, research director at industry analyst firm CCS Insight. "With more processing capability comes more opportunity for an actor to gain control."
Controlling these risks starts when devices are being procured. Device selection criteria should include adherence to security standards and practices, wrote Daniel Paillet, cybersecurity lead architect at Schneider Electric's energy management division, in a recent white paper on edge security. This may include Microsoft's Security Development Lifecycle, which establishes best practices for technology vendors, or IEC 62443, an international security standard for operational technology (OT).
The firmware of an edge device is critical to its security, Atos advises. Tampering with this could allow hackers to use a device to transmit "false or corrupted" data into enterprise systems. The company advises buyers to look for 'hardware-based root of trust', which prevents a device's identity from being tampered with, as well as device-level encryption.
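The root-of-trust check described above, as an added example that is not code from Atos or this article: a device-side routine that accepts a firmware update only when a manifest signed by the vendor key (assumed to be provisioned in immutable hardware storage) matches the image, and rejects tampered images, altered manifests and rollback to older versions. The manifest layout, key handling and sample image are all constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)
// Manifest is the constructed update format assumed here: version and image SHA-256, both signed.
type Manifest struct {
	Version uint32
	Digest  [32]byte
	Sig     []byte
}

var ErrBadSignature = errors.New("manifest signature invalid")
var ErrDigestMismatch = errors.New("image does not match signed digest")
var ErrRollback = errors.New("version older than installed firmware")
// signedBytes is the exact byte string the signature covers (version || digest).
func signedBytes(version uint32, digest [32]byte) []byte {
	b := make([]byte, 4+len(digest))
	binary.BigEndian.PutUint32(b, version)
	copy(b[4:], digest[:])
	return b
}
// VerifyFirmware models the boot-time check a hardware root of trust drives. rootPub
// stands for the vendor key anchored in immutable storage (assumed); signature first,
// then digest, then anti-rollback, and on any failure the device keeps its current image.
func VerifyFirmware(rootPub ed25519.PublicKey, m Manifest, image []byte, installed uint32) error {
	if !ed25519.Verify(rootPub, signedBytes(m.Version, m.Digest), m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigestMismatch
	}
	if m.Version < installed {
		return ErrRollback
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the factory-provisioned root key
	image := []byte("constructed firmware image v2")
	d := sha256.Sum256(image)
	m := Manifest{Version: 2, Digest: d, Sig: ed25519.Sign(priv, signedBytes(2, d))} // vendor-side step
	fmt.Println("genuine:", VerifyFirmware(pub, m, image, 1))
	image[0] ^= 0xff // simulate tampering with the stored image
	fmt.Println("tampered:", VerifyFirmware(pub, m, image, 1))
}
```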
Devices also need to be configured correctly, of course. This includes conducting a vulnerability assessment, disabling any non-operational functionality, and patching all systems before deployment, writes Paillet.
Once in operation, devices must be patched, tested, assessed for new vulnerabilities, and other cybersecurity best practices maintained. Endpoint or device monitoring, device authentication via certificates, and multi-factor authentication are the security measures that most respondents to AT&T's survey expect to apply to the majority of edge device categories.
When it comes to edge-connected OT, however, Paillet sounds a word of warning. "The IT paradigm prioritises confidentiality, integrity and availability," he writes. "In OT, the primary paradigm is reliability and safety."
OT engineers can therefore be wary of standard IT security practices such as regular patching, vulnerability assessment or penetration testing. "If an improperly validated patch is applied, instability could impact critical OT functions to where operators could lose connectivity to these devices, or worse, information coming into the control room may not be trustworthy," Paillet writes. Device-level security measures must therefore be carefully planned alongside OT teams.
Securing edge networks: the case for SASE
The transmission of data between edge devices and the cloud, and among each other, also poses security risks. Edge computing topologies may combine multiple networking standards, including IoT-specific network protocols such as NB-IoT and Sigfox, explains Atos, as well as more conventional technologies such as WiFi or 4G. The limited computing capacity of some edge devices adds to the challenges of securing such networks.
Writing in the context of edge-connected industrial equipment, which is likely to be located within an organisation's premises, Paillet identifies intrusion detection, network segmentation and defense-in-depth (DDN) network design – which establishes zones within a network that are handled with varying degrees of trust – as crucial measures to protect edge networks.
Intrusion detection is the security measure that respondents to AT&T's survey most commonly expect to adopt across the various edge network types. It is also viewed as the edge computing security control with the second-best cost/benefit ratio, behind firewalls at the network edge.
Thankfully, given the growing complexity of edge networks, network security is increasingly boosted by AI-powered tools such as user and entity behaviour analytics systems. "These are tools that augment or supplement what the security practitioner is doing, creating faster detection of anomalies, leaving that practitioner to focus on other, higher-level work," explains Tawnya Lancaster, security trends research lead at AT&T Cybersecurity.
However, as an organisation's data processing devices extend ever further beyond the corporate network, some argue that an altogether different approach to network security is needed.
"Classic architectures typically benefit from 'defense-in-depth' approaches, where multi-layered security controls protect the data hidden at the back-end," Atos wrote in its report last year. "Such architectures can withstand some controls being defeated or having mismatched/misconfigured systems ... because other layers provide assurance."
In edge computing, by contrast, data and processing are exposed to the outside world. This requires "more dynamic security controls that are able to adapt to heterogeneous environments without centralised monitoring and administration".
For Gartner, the solution is 'secure access service edge', or SASE. The analyst company coined the term to describe the merger of software-defined networking services delivered from the cloud, such as SD-WAN, with cloud-based network security functions, including firewall as a service and cloud secure web gateway.
This convergence, Gartner says, will help organisations secure increasingly distributed computing architectures. SASE will transform the "legacy perimeter" into "a set of cloud-based, converged capabilities created when and where an enterprise needs them".
Edge computing is one of many drivers to SASE, Gartner says. "An IoT edge computing platform is just another endpoint identity to be supported with SASE," it explains. "The key difference will be the assumption that the edge computing location will have intermittent connectivity and the risk of physical attacks on the system. Thus, the SASE architecture should support offline decision making ... with local protection of the data and secrets."
The tools that underpin SASE are still developing and their capabilities for edge computing are immature, Gartner warned last year. "Few vendors address IoT needs today, and serving edge computing and distributed composite application use cases are embryonic," it wrote. Nevertheless, it identified "extend[ing] SASE strategy to include edge-computing use cases" as a medium priority for enterprise organisations in the next 18 to 36 months.
Whatever approach they adopt, organisations must consider security from the very start of their edge computing initiatives, AT&T warned in its survey report. "Businesses innovating at the edge cannot be reactionary," it concluded. "The stakes are too high."