With many enterprise edge computing strategies still in their early days, edge security could likewise appear as a new – and potentially risky – frontier.
The highly distributed nature of edge computing does expand an organization’s threat surface and overall complexity. But edge itself shouldn’t be viewed as scary or insecure – security just needs to be properly prioritized, much like your cloud and on-premises environments.
“Edge computing can create more complexity, and this can make securing the entire system more difficult,” says Jeremy Linden, the senior director of product management at Asimily. “Still, there is nothing inherently less secure about edge computing.”
The big edge security risks should sound familiar – compromised credentials, malware and other malicious code, DDoS attacks, and so forth.
What’s different is that these risks are now occurring farther and farther away from your primary or central environment(s) – the traditional network perimeter of yore is no longer your only concern.
“Edge computing poses unique security challenges since you’re moving away from walled garden central cloud environments and everything is now accessible over the Internet,” says Priya Rajagopal, director, product management, Couchbase.
The good news: Many of the same or similar tactics and tools organizations use to secure their cloud (especially hybrid cloud and/or multi-cloud) and on-premises environments still apply – they just need to be applied out at the edge.
As you shape your overall edge computing strategy, here are four issues to focus on to ensure you’re prioritizing security and achieving your business goals.
1. Good news: edge fundamentals are also edge security fundamentals
Each of the core components of a holistic, results-oriented edge strategy – which we covered in a recent article – also helps lay the foundation for an edge security strategy.
According to Ron Howell, managing enterprise network architect, Capgemini Americas, you can sum everything up in a word: visibility.
You can’t secure what you can’t see – and you can’t address problems if you don’t know they exist. Ignorance never sparks bliss in IT security.
“With visibility comes insight to help companies plan their edge security strategy appropriately,” Howell says.
Monitoring and observability are important, as are other fundamentals like standardization and consistency of things like OS configurations. Edge security becomes much harder when you’re dealing with a bunch of one-offs or snowflake patterns in your edge applications and infrastructure.
Gordon Haff, technology evangelist, Red Hat, puts it this way: “Deploying and operating large-scale distributed infrastructures is challenging enough without throwing randomness and silos into the mix.”
By investing in a sound edge strategy overall, you’re already laying the foundation for security.
2. Edge security needs to be flexible/hybrid in its approach
Howell sees modern edge security as “nothing new” in terms of the risks and responses to those risks – it’s just that they’re occurring in more places than ever.
As a result, Howell stresses the need for security tools and practices that are inherently flexible and hybrid in their nature – meaning they can run anywhere. If you’re already building or operating a hybrid cloud environment, the core principles of flexibility, agility, and control apply here as well.
“Hybrid compute and hybrid security enforcement design brings us a much more flexible model where security enforcement can take place at any point inside the enterprise network and not rely on cloud only,” Howell says.
Security strategy can still certainly be cloud-first – but the implementation and expansion of enterprise edge architectures will inherently require security tools and policies that move where they’re needed – not just on-premises or in a cloud but potentially anywhere. In this manner, edge computing could actually promote a more adaptable and secure organization in the future – not less so.
“Today’s well-informed and forward-thinking CIO should avoid security lock-in and select a hybrid secure compute model that can go where their company needs security to go,” says Howell. Edge computing will play a key role in a flexible IT model that can be secured where needed to benefit the enterprise.
3. Cover key security technologies and practices – many of which you already know
While edge security does add some complexity, many of the core approaches to securing edge environments should ring familiar. “Edge computing, as well as data center infrastructure, is now secured much like we secure any other corporate resource,” Howell says.
These are some tools and tactics that should get ample consideration in your strategy and planning:
● Know your threat model: A strong security posture in any environment depends on understanding what’s at risk – and how/when/why those risks could be exposed. This is still true at the edge.
“Understand your threat model and the negative impact different attacks could create, from exfiltration of sensitive data to disruption of business operations,” Linden says.
● Zero Trust/Access Control: Much like account misconfigurations and/or leaky credentials became one of the major attack points in cloud security, they’ll be serious risks in edge environments – every endpoint and application becomes a window or door for an attacker to check. Access control technologies and policies (for both humans and machines) will continue to be crucial, and edge will only bolster the broader industry embrace of the Zero Trust approach.
“The use of Zero Trust security design principles is fast becoming the trusted standard of choice for well-segmented and well-secured company resources,” Howell says.
● Security wherever it’s needed: Edge computing continues a trend (already underway) of the need for security well beyond the traditional corporate perimeter or even multiple different clouds. For some organizations, this may be the newer element – and it’s the hybrid model Howell described above. Technologies like SD-WAN or a cloud-based Secure Access Service Edge (SASE) play a big role.
“Security continues to be needed closer to where the applications are running,” Howell says. “SD-WAN and SASE are secure connectivity tools and are designed to be flexible and to be utilized in a Hybrid security model, where flexible design can place network and security services where they are needed most within the modern enterprise.”
● Application and data focus: Again, multiple experts note that security fundamentals (such as Zero Trust, MFA, and so forth) are just as important at the edge. Others – like device hardening – can be trickier at the edge. As a result, security needs to be extra-focused on applications and data.
“As you move toward the far edge, you are typically dealing with data at massive scale and a lot of these devices that are generating data have limited to no security hardening – think IoT sensors,” says Rajagopal from Couchbase. “Thus, it’s important to assume the worst and to harden your application against threats such as DDoS attacks.”
Similarly, that data needs to be protected. “Pay special attention to understand where data lives across the organization and ensure that data is encrypted in transit and at rest,” says Linden from Asimily.
● Isolation: From a networking and architecture standpoint, edge environments are distributed with a capital “D.” An isolated incident should remain just that – isolated. Segmentation is key. There are corollaries here with container and cloud security – don’t let a relatively small breach become a headline-generating hack. Make sure you can freeze an attacker in place.
“Create network and access control policies that do not allow arbitrary communication between edges or between cloud and edge, so that attackers cannot easily move laterally between assets,” Linden says.
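The segmentation policy Linden describes can be checked mechanically. The following is an added example, not part of the original article: it audits an allow-list of network flows for edge-to-edge and unapproved cloud/edge rules, and computes how far an attacker on one compromised edge node could move. The asset names, zones, and rule sets are constructed for illustration.

```python
from collections import deque

# Constructed inventory (hypothetical names): asset -> zone.
ASSETS = {
    "edge-store-01": "edge", "edge-store-02": "edge", "edge-store-03": "edge",
    "cloud-ingest": "cloud", "cloud-db": "cloud",
}

# Cross-zone flows the organization has explicitly approved (constructed).
APPROVED = {(e, "cloud-ingest") for e, z in ASSETS.items() if z == "edge"}

# Two constructed rule sets of allowed (source, destination) flows.
# Anything not listed is denied.
FLAT = {(a, b) for a in ASSETS for b in ASSETS if a != b}  # any-to-any
SEGMENTED = APPROVED | {("cloud-ingest", "cloud-db")}


def violations(rules, assets, approved):
    """Flag rules that allow edge-to-edge traffic or unapproved cloud/edge traffic."""
    bad = []
    for src, dst in sorted(rules):
        zs, zd = assets[src], assets[dst]
        if zs == "edge" and zd == "edge":
            bad.append((src, dst, "edge-to-edge"))
        elif zs != zd and (src, dst) not in approved:
            bad.append((src, dst, "unapproved cloud/edge flow"))
    return bad


def blast_radius(rules, start):
    """Assets reachable from a compromised node by chaining allowed flows (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in rules:
            if src == node and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        reach = sorted(blast_radius(rules, "edge-store-01"))
        print(f"{name}: {len(violations(rules, ASSETS, APPROVED))} violations, "
              f"reachable from edge-store-01: {reach}")
```

Even the segmented rule set leaves a path from the edge node through `cloud-ingest` to `cloud-db`, which is why the reachability check matters alongside the per-rule audit.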
4. Be clear about who is responsible for what
Last but not least: Just as technology assets become more distributed, so do human teams. Make sure you’re accounting for that in your edge security strategy. “I thought someone else was watching that” is the root of plenty of incidents.
“Since edge computing assets can live in different physical locations and can be owned by different groups, ensure that the lines of responsibility are clear and, if a breach occurs, that there is no confusion about whose role is responsible for what,” Linden says.
If that will all ultimately fall under the purview of a central security team, don’t let that lead to hubris or false assumptions – make sure that the team is aware of the scope of the organization’s edge strategy and implementation.
“If a central group is responsible for security across the system, ensure they have the access they need to all parts of the system, from edge to cloud, so they can respond quickly wherever an attack might occur,” Linden says.