
Deploying Edge Cloud Solutions without Sacrificing Security

Key Takeaways

  • Edge cloud systems face security issues when it comes to fragmenting data, locking down physical access, and the tendency of edge cloud systems to grow beyond the boundaries they were originally designed to operate within.
  • Most security teams are stuck with edge cloud systems, and need to work out how to harden them against attack rather than abandon them.
  • Overcoming the security challenges of edge cloud systems will come down to decentralization, encryption, and full spectrum security measures.
  • A big determining factor for the security of edge cloud systems will be the speed at which businesses deploy them.

In this series of InfoQ articles, we take a look at multiple dimensions of the edge story. We review considerations for virtual and physical security. Another piece explores the data streaming aspects of edge that are more about “how” and not “where.” We also explore the dynamics of constantly-changing edge systems, and how cloud-based edge services are lowering the barrier for experimentation.

This InfoQ article is part of the series "Edge Cloud". You can subscribe to receive notifications via RSS.


Edge cloud was a major topic of debate at RSA this year. Multiple panels were devoted to the subject, and even in those that weren’t the utility of edge solutions was often raised. At the same time, however, a tension was apparent: operations and dev staff were quick to stress the performance gains of edge cloud infrastructures, and cybersecurity pros raised concerns about the security implications of these same architectures.

This tension has been apparent for a while. In their 2020 Outlook report, Carbon Black pointed to a bit of a rift between IT and security teams regarding resource allocation in cloud edge structures. 

Edge, Cloud, and Edge Cloud

In order to see the challenges involved in deploying edge cloud solutions whilst retaining strong security, it’s worth reminding yourself why edge cloud solutions such as Software-as-a-Service (SaaS) were initially developed. Such solutions are becoming virtually commonplace, to the point that SaaS in particular is projected to account for almost all of the software needs for 86% of companies within the next two years (it already is being used to a lesser extent by 90% of companies right now).

Some security firms will tell you that their edge cloud SaaS solutions were designed purely to ensure security, but that's not quite true. In reality, edge cloud systems were developed with one simple factor in mind: bandwidth. That's why, for instance, the Open Glossary of Edge Computing, an open source effort led by the Linux Foundation's LF Edge group, defines edge cloud systems primarily in terms of performance: "by shortening the distance between devices and the cloud resources that serve them," the glossary explains, "and also reducing network hops, edge computing mitigates the latency and bandwidth constraints of today's Internet, ushering in new classes of applications."

In other words, as the number of IoT devices connected to networks began to increase exponentially around five or so years ago, many systems engineers found that their cloud providers were not keeping up with the increased computing load. The solution was to insert another level of processing between devices and cloud storage providers, and thereby reduce the data loads that cloud services had to process. Only later, in fact, were edge cloud systems thought about as a tool to secure the devices they interact with. And that's primarily why cybersecurity pros don't trust them.

These concerns are well illustrated by the ongoing worry that the most high-profile example of edge cloud systems – automated vehicles – can be easily hacked. The ease with which data used by autonomous vehicles can be accessed and manipulated has been a concern for years, and as a result many of the security protocols used in edge cloud systems have been designed, primarily, to protect autonomous vehicles.

The Challenges

There are a few problems with edge cloud solutions from a security perspective. Some are technical, and some relate to the way in which these services are used within a typical organization.

Architecture

First, let's think about the structure of edge cloud systems. In most implementations, edges sit within an organization's computing boundary, and so they will be protected by a wide variety of tools that focus on perimeter scanning and intrusion detection. However, that's not quite the whole story: in most systems, there will also be a tunnel running straight from the edge to cloud storage.

Sending data from the edge to the cloud in a secure way is fairly straightforward, because organizations control the infrastructure that is used to encrypt and verify it. The problem arises when the cloud needs to send data back to the edge for processing. The challenge here is to ensure that this data is authenticated and verified, and is therefore safe to enter an organization's internal systems.
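The cloud-to-edge direction described above is where an edge gateway has to decide, on its own, whether a message really came from the cloud and is safe to admit. The following is an added example, not code from the article or from any product it mentions: a minimal admission check that verifies an HMAC tag, enforces freshness, rejects replayed nonces, and only admits messages addressed to devices this edge site actually owns. The shared key, device list, and message format are all constructed assumptions.

```python
import hmac
import hashlib
import json
import time

# Constructed values for the example (assumption: the per-site key is provisioned
# out-of-band when the edge node is commissioned; never embed a real key like this).
EDGE_SITE_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300                      # accept messages at most 5 minutes old
DEVICES_AT_THIS_EDGE = {"sensor-17", "actuator-03"}


def canonical_bytes(body: dict) -> bytes:
    """Serialise the body deterministically so both sides tag identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_cloud_message(key: bytes, body: dict) -> dict:
    """Cloud side: attach an HMAC-SHA256 tag over the canonical body."""
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class EdgeGateway:
    """Edge side: admit a cloud-originated message only after every check passes."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now                     # injectable clock, so tests are deterministic
        self.seen_nonces = {}              # nonce -> message timestamp, pruned by age

    def _prune(self) -> None:
        cutoff = self.now() - MAX_AGE_SECONDS
        self.seen_nonces = {n: ts for n, ts in self.seen_nonces.items() if ts >= cutoff}

    def admit(self, msg: dict):
        """Return (accepted, reason). Integrity is checked before anything else."""
        body = msg.get("body")
        if not isinstance(body, dict):
            return False, "malformed"
        expected = hmac.new(self.key, canonical_bytes(body), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking tag bytes through timing.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad signature"
        ts = body.get("ts")
        if not isinstance(ts, (int, float)) or abs(self.now() - ts) > MAX_AGE_SECONDS:
            return False, "stale"
        self._prune()
        nonce = body.get("nonce")
        if not isinstance(nonce, str) or nonce in self.seen_nonces:
            return False, "replay"
        # A valid, fresh message for a device this site does not own is still rejected:
        # the cloud should not be able to steer traffic into the wrong internal network.
        if body.get("device") not in DEVICES_AT_THIS_EDGE:
            return False, "unknown device"
        self.seen_nonces[nonce] = ts
        return True, "ok"
```

The replay cache is bounded by the same freshness window as the timestamp check, so a message old enough to have been pruned is already rejected as stale.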

Fragmentation

Second, and most obviously, edge cloud systems fragment data. Having each device connected directly to cloud services might incur a performance loss, but at least this data is centralized, and can be covered by a single cloud security policy. Because edge cloud servers – almost by definition – need to be connected to many different devices, they represent a nightmare when it comes to securing these same connections.

Fragmentation is not only a problem when it comes to protecting data, though. With a growing number of IoT devices running via edge processing, each needs to be authenticated and follow a privacy policy that allows network admins to keep control of their data. The edge cloud model makes it inherently difficult to apply global privacy policies to each device, since each is communicating independently.

Physical Security

A third issue with edge cloud systems is that locking down physical access to these devices can be a challenge. The devices typically used in edge cloud infrastructures are designed, after all, to be portable, and as such are more susceptible to physical tampering than standard data devices.

An example of this is the "micro data centers" that many telecommunications providers are now making use of. These centers sometimes sit at the base of cell towers, and pre-process data before feeding either back to consumer devices or into corporate data systems. Micro data centers like this can dramatically improve the performance of cell networks, but they are also vulnerable to physical tampering.

Sprawl

All of these issues are compounded by the tendency of edge cloud systems to grow beyond the boundaries they were originally designed to operate within. In large organizations, building edge cloud functionality can be an invitation for other engineers, from other parts of your organization, to shift their computing demands to your edge cloud system. 

Overcoming this challenge requires a dual approach. On the one hand, management needs to be made aware of the limitations of edge cloud systems, both in terms of computing power and security, in order to prevent large numbers of new devices being connected to them. On the other hand, engineers should design edge cloud systems with a view to the future, and make sure that the security built into these systems is easily understandable for other employees working with them.

User Error

The problem of "sprawl" is related to another: that many IT professionals simply don't take IoT device security seriously. Despite the well-documented security issues that these devices present, many people simply don't realize the level of connectivity – and the level of cybersecurity risk – that they provide. 

In this context, it is all too common for IoT devices to be connected to networks (and connected together) in poorly secured horizontal structures. Not only does this make them more susceptible to attack, but it also allows intruders a huge degree of lateral movement once they are inside IoT networks. 

So Why Use Edge Cloud?

Given all these security risks, and given that a recent study by Tech Republic found that two-thirds of IT teams considered edge computing as more of a threat than an opportunity, it's worth wondering why we need edge cloud solutions at all. This is, in fact, a very pertinent question, because some analysts have argued that the advent of 5G networks, coupled with the increased computing power of contemporary IoT devices, means that most of the processing currently done by edge cloud systems can now be done by devices themselves.

That doesn't seem to be born out by the facts, though. In its recent report “5G, IoT and Edge Compute Trends,” Futuriom writes that 5G will actually be a catalyst for edge-compute technology. “Applications using 5G technology will change traffic demand patterns, providing the biggest driver for edge computing in mobile cellular networks,” the report states. 

In other words: whilst connection and cloud technologies are developing rapidly, demand for them is increasing even faster. This is a particular problem when it comes to managing online backup services, because without proper oversight a cloud edge system can end up undermining the integrity of backup policies implemented by individual teams.

Put simply, companies can’t afford to give up their cloud-based systems or devices. Cloud connected VoIP systems can save businesses 70% of their total phone bills on average, and companies that turn to cloud computing to fulfill their software needs have seen major increases in productivity to help drive business growth. At the same time, the bandwidth available to these same companies lags far behind the amount of data they need to process on the cloud. Edge cloud computing, in this context, seems like an obvious choice.

Ensuring Security

This means that, for now, security teams are stuck with edge cloud solutions, and will have to work out how to harden them further against cyberattack. Crucial to this attempt will be the deployment of perimeter scanning systems that are able to analyse not just standard network data, but a huge variety of other forms of data such as that produced by embedded IoT devices. Overcoming the security challenges posed by edge cloud systems can be broken into a number of interconnected processes.

Decentralization and Resilience

First, it's worth pointing out that one of the features that makes edge cloud infrastructures so hard to secure – the fragmentation of data – can also make them more resilient. This is because, as Proteus Duxbury, a transformation expert at PA Consulting, said recently, "instead of one or two or even three data centers, where if they're close enough together that, say, a big storm could impact them all, you have distributed data and compute on the edge, which makes it much more resilient to malicious and nonmalicious events." 

In some ways, then, pushing data to the edge can mean that attacks on organizations are less effective, because they are not able to compromise a centralized data storage system which holds every piece of sensitive data. On the other hand, and as seen above, this fragmentation can make the application of global security measures more difficult.

The IoT and Encryption

Another issue raised by the widespread adoption of edge cloud systems is the security of the IoT itself. Concerns about the security of IoT devices are not new, of course: it has long been noted that the design of these devices prioritizes connectivity over security. However, in traditional cloud systems, the processing required to run these devices can be managed centrally. As IoT devices begin to rely on edge cloud solutions, they are exposed to increased threats.

The most commonly suggested solution to this problem is to increase the security of IoT devices themselves. However, at the moment many embedded devices lack the computing power to encrypt data before sending it to either cloud or edge cloud systems. As a result, network engineers have been forced to rely on other forms of security. 

Full Spectrum Security

Securing edge cloud systems is ultimately a problem of scale rather than of essence. Security professionals already have access to many of the tools that are required to protect these systems, but will need to hugely extend their reach in order to protect data on the edge. 

In fact, in many ways securing edge cloud systems requires network engineers to return to the basic principles of network security, but then to apply them outside the systems that they directly manage. These elements include:

  • Perimeter scanning techniques that use encrypted tunnels, firewalls, and access control policies to protect data held in edge cloud systems.
  • Securing applications running on the edge in the same ways that applications running within your organization are already secured.
  • Upgrading threat detection capabilities so that intrusion can be detected not just in relation to cloud or in-house systems, but also for the edge.
  • Automated patching that allows network managers to trust that both software and firmware automatically receives security updates.

Secure Access Service Edge (SASE)

All of these approaches and tools have been combined by Gartner into a new category of hardware and services that are specifically designed to improve edge cloud security. In 2019, the firm coined a new term – Secure Access Service Edge (SASE) – to define these systems.

Gartner has defined SASE as a combination of multiple existing technologies. The new paradigm, they say, "combines network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (i.e., SDWAN) to support the dynamic secure access needs of organizations. These capabilities are delivered primarily aaS and based upon the identity of the entity, real time context and security/compliance policies." At a basic level, SASE combines SD-WAN, SWG, CASB, ZTNA and FWaaS as core abilities, with the ability to identify sensitive data or malware and the ability to decrypt content at line speed, with continuous monitoring of sessions for risk and trust levels. 

Though SASE is still a new approach, Gartner has high hopes for the new technology. They predict that, by 2024, at least 40% of enterprises will have in place strategies to adopt this approach.

The End Of Zero Trust?

Securing edge cloud systems also involves overturning some basic misconceptions about threat hunting. Namely, it might be that the increased popularity of edge cloud solutions overturns another piece of received wisdom, the superiority of the zero trust model. Many of these new systems, or at least the devices that they interface with, will be extremely difficult to bring into single sign-on and user access control processes. 

Instead, ensuring security in edge cloud solutions might require a more pragmatic approach, in which individual networks are segmented and protected individually. This, in turn, requires that networks be configured to automatically perform authentication and verification steps on every connected device, at a frequency that ensures that the data being handled stays secure whilst not affecting global network performance. 

Pushing The Edge

Whilst cloud edge computing offers many opportunities, it also comes with challenges. To make matters worse, these challenges come at a time when security teams are struggling to keep up with other developments – the necessity to go multi-cloud whilst still using cloud-native tools, and becoming involved in DevSecOps migrations.

For that reason, a major determining factor in the security of edge cloud systems will be the speed at which they are deployed by businesses. Though edge cloud can offer significant gains in terms of performance, it will not replace traditional cloud models where these are currently working well. 

In some ways, this removes some of the pressure on security teams, who can afford to design each edge cloud system with security in mind at the earliest possible stage. On the other hand, as edge cloud systems grow in importance, security professionals will be in the unenviable position of having to secure cloud, edge cloud, and in-house systems simultaneously.

As with any piece of new technology, the level of security of cloud edge solutions is unlikely to become apparent anytime soon. But that doesn’t mean that we shouldn’t put in place tools and processes to protect these systems as far as is practical. 

Four Point Summary:

  • Edge cloud systems face security issues when it comes to fragmenting data, locking down physical access, and the tendency of edge cloud systems to grow beyond the boundaries they were originally designed to operate within.
  • Most security teams are stuck with edge cloud systems, and need to work out how to harden them against attack rather than abandon them.
  • Overcoming the security challenges of edge cloud systems will come down to decentralization, encryption, and full spectrum security measures.
  • A big determining factor for the security of edge cloud systems will be the speed at which businesses deploy them.

About the Author

Sam Bocetta is a former security analyst, having spent the bulk of his career as a network engineer for the Navy. He is now semi-retired, and educates the public about security and privacy technology. Much of Sam’s work involved penetration testing ballistic systems. He analyzed the Navy's networks looking for entry points, then created security-vulnerability assessments based on his findings. Further, he helped plan, manage, and execute sophisticated "ethical" hacking exercises to identify vulnerabilities and reduce the risk posture of enterprise systems used by the Navy (both on land and at sea). The bulk of his work focused on identifying and preventing application and network threats, lowering attack vector areas, removing vulnerabilities and general reporting. He was able to identify weak points and create new strategies which bolstered those networks against a range of cyber threats. Sam worked in close partnership with architects and developers to identify mitigating controls for vulnerabilities identified across applications and performed security assessments to emulate the tactics, techniques, and procedures of a variety of threats.
