That certainly doesn’t mean you can’t build out an edge architecture more securely. It’s just a (big, in all likelihood) change to your threat model since by definition you’re moving infrastructure, applications, and data well beyond your central or primary environments.
“Edge computing brings fantastic benefits to the user experience but comes at the cost of introducing fundamental security concerns,” Christopher Sestito, CEO of HiddenLayer, told us recently.
Many of those concerns – access control and management, data in transit, loads of new internet-connected devices – should sound familiar. They’re not insurmountable in the least bit, even in highly distributed, diverse edge environments.
[ Related read: 6 edge computing trends to watch in 2022. ]
Properly planned and prioritized, more secure edge environments could even bolster your existing posture. Edge computing and hybrid cloud have a complementary relationship, and that should extend to security. As Ron Howell, managing enterprise network architect at Capgemini Americas, told us recently, edge adoption can help drive not only a more flexible compute model but also a more flexible hybrid security model.
“Today’s well-informed and forward-thinking CIO should avoid security lock-in and select a hybrid secure compute model that can go where their company needs security to go,” Howell says.
7 edge security facts
With that top of mind, consider these seven facts about edge security. Use it as an initial checklist of overlapping fundamentals to consider as you plan and prioritize security in your edge environments.
Fact #1: Visibility is a prerequisite to security
It’s a basic truth in security: You cannot mitigate a risk if you don’t even know it exists. In the context of edge infrastructure, this might be best stated as: You can’t protect it if you can’t see it.
Visibility – used here to roll up monitoring and observability capabilities – is a must-have for edge security.
“With visibility comes insight to help companies plan their edge security strategy appropriately,” Howell says.
Fact #2: So is automation
Automation is a pillar of edge computing for sustainable operations and management. It’s also the second prerequisite for edge security.
For one, edge very much fits the general promise of security automation: The risks that organizations of all kinds face are too numerous and complex for human intelligence and effort alone to manage. Put another way: People need help from machines to maximize their security defenses.
It’s also important because of all of the new potential points of vulnerability and malicious behavior.
Sestito notes that automated detection response technologies (like EDR and/or XDR tools) may be good fits here. Tools that can automatically detect anomalous behavior or other activity and then also initiate initial response steps – or escalate appropriately for human intervention – are worth considering.
Fact #3: Supply chain security matters even more now
As Red Hat technology evangelist Gordon Haff noted at the outset of 2022, software supply chain security is one of the hot-button issues in enterprise IT this year.
That’s because, as we wrote previously: Just like in other supply chains, most software depends on other software to get built, packaged, and deployed. Even organizations with massive development teams use code that they didn’t write from scratch – often lots of it.
That same principle is very much in play in edge computing – not just with software but in various hardware and other infrastructure, some of which isn’t hardened by default.
Organizations that already take a holistic view of their IT supply chain into account will be well-positioned here; those that aren’t would be well-advised to use their edge use cases as reasons to start.
Fact #4: You need to be stingy with access/permissions
Sestito and other security pros say that a more granular approach to user permissions (including non-human users) and behavior is absolutely needed for edge security.
If you’re not already using and enforcing MFA/2FA, it’s time to start. And multiple experts we’ve spoken with on the topic say the Zero Trust model is the way to go in edge environments. If a person or system doesn’t actually need access, don’t grant it.
Fact #5: Like with other distributed patterns, a layered approach to security is best
There is no blanket security solution that will mitigate every risk – that’s true at the edge, in the cloud, and in your datacenter or corporate offices. Your IT stack has multiple layers; even a single application has multiple layers. Your security posture should, too. Edge computing boosts the case for a multi-layered approach to security.
This whitepaper describes a layered approach to container and Kubernetes security. While the details may differ in an edge environment, the core concept here remains relevant: A well-planned mix (or layers) of processes, policies, and tools – that lean heavily on automation wherever possible – is vital to securing inherently distributed systems. (And in reality, edge architectures are increasingly likely to overlap with containerization and orchestration anyway.)
Fact #6: Segmentation/isolation limits incident impact
The concept of granularity also applies at an infrastructure and network level. The more endpoints or nodes in an edge architecture, the more potential points of breach.
“You have to ensure that you enforce security controls at the granularity of the edge location, and that any edge location that is breached can be isolated away without impacting all the other edge locations,” says Priya Rajagopal, director of product management at Couchbase.
This is similar in concept to limiting “east-west” traffic and other forms of isolation and segmentation in container and Kubernetes security. There’s no such thing as zero risk – things happen. Don’t let a single vulnerable container image – or edge node – become a wide-open door to your application or network.
Fact #7: Device security is tough – so double down on applications/data
The practical reality of many edge environments is that securing devices and other hardware may pose a particular challenge – perhaps especially in IoT use cases.
“As you move toward the far edge, you are typically dealing with data at massive scale and a lot of these devices that are generating data have limited to no security hardening – think IoT sensors,” Rajagopal says.
Sensors and devices will in many settings have some inherent risks or flaws from a security standpoint – so focus on the applications and data.
“Thus, it’s important to assume the worst and to harden your application against threats such as Distributed-Denial-of-Service (DDoS) attacks,” Rajagopal says.
Howell from Capgemini suggests considering technologies like SD-WAN or a cloud-based Secure Access Service Edge (SASE) as a means for applying security closer to where applications are actually running: “SD-WAN and SASE are more secure connectivity tools and are designed to be flexible and to be utilized in a Hybrid security model, where flexible design can place network and security services where they are needed most.”
Encryption is a must, especially as data travels from edge locations to the cloud (or on-premises datacenter) and back.
“Every bit of data that is read/written needs to be authenticated and authorized, and all traffic needs to be encrypted end to end,” Rajagopal says.
[ Discover how priorities are changing. Get the Harvard Business Review Analytic Services report: Maintaining momentum on digital transformation. ]