Debunking cybersecurity misconceptions about edge computing
The newness of Edge, outside of IT circles, unfortunately, contributes to a lot of confusion on the subject and related concerns about how secure it is.
Edge computing is becoming increasingly undeniable, cementing its move from hype to necessary technology of the now. Forrester is calling 2021 the year for edge computing, predicting it will move from experimentation to mass deployment.
Compared to a centralised and highly secured data center, the idea of a decentralised network of endpoint devices placed at the edge of computing networks is leading to concerns and, more unfortunately, even misconceptions and undue worry, which could get in the way of organisational adoption.
While organisations may have run with the castle-and-moat mentality - assuming those located at the back end were harmless and could be cleared for all-access - organisations are no longer as isolated, often depending on cloud solutions or having employees access company resources externally, especially when working from home.
In today’s reality, the old proverb of “trust, but verify” is no longer safe enough. Instead, Zero Trust is the way to go, by adopting a “don’t trust anyone, until verified” mentality. While this may cost more to secure one’s operations, avoiding loss of data and customer trust due to data breaches will save an organization much more in the long run.
Cybercrime Magazine predicts cybercrime will inflict $6 trillion in damages globally in 2021, making it the third largest “economy” after the US and China. This is expected to grow 15% year-on-year, likely to reach $10.5 trillion in damages by 2025.
In view of that, adopting edge computing can also present an exciting opportunity to refresh one’s security systems. In fact, the concerns faced by the Edge have been thoroughly examined by security experts, who recommend mitigation with a holistic strategy in four parts:
- Device selection criteria
- Secure network design
- Device setup/configuration
- Operation and maintenance
Device selection criteria
A common concern with IoT devices is that they could be the weakest link that enables attackers to break into an Edge network.
Thus, it’s important to consider two standards when choosing devices. One is whether the device has a well-implemented Security Development Lifecycle (SDL), a concept introduced by Microsoft to consider security and privacy concerns throughout the entire software development process. The other is IEC 62443, an internationally accepted standard that lays down process requirements for the secure development of products used in industrial automation and control systems as well as Edge IT applications.
Secure network design
Rather than a one-size-fits-all approach, a Defense-in-Depth Network (DDN) approach can help diversify risks by creating security zones with different defensive elements in each zone. While no individual method can stop all cyber threats, together they guard against a wide variety of threats while incorporating redundancy in the event one mechanism fails.
The first layer, network segmentation, is essential as the edge perimeter expands. It works by breaking up a computer network into segments, enabling better control of data traffic and also limiting how far an attack can spread.
This can be further improved using data diodes and unidirectional gateways, which allow traffic to flow in one direction only, preventing sensitive data from being leaked should an edge device be compromised.
Next is an intrusion detection system that can identify and alert users of potentially malicious traffic that could damage, disrupt service, or impact the availability of systems running on the edge.
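As an added illustration (not part of the original article), the Python sketch below audits flow records against a segmentation policy that includes one unidirectional link, which is the kind of check an intrusion detection rule for a segmented edge network performs. The zone names, address ranges, ports and sample flows are all constructed assumptions.

```python
import ipaddress

# Assumed zone layout (constructed for this example): zone name -> address range.
ZONES = {
    "edge_devices": ipaddress.ip_network("10.10.0.0/24"),
    "collector": ipaddress.ip_network("10.20.0.0/24"),
    "enterprise": ipaddress.ip_network("10.30.0.0/16"),
}

# Assumed policy: (source zone, destination zone, destination port) that may be initiated.
ALLOWED = {
    ("edge_devices", "collector", 8883),  # telemetry pushed to the collector
    ("collector", "enterprise", 443),     # collector forwards upstream
}

# Links guarded by a data diode / unidirectional gateway: traffic goes source -> destination only.
ONE_WAY = {("edge_devices", "collector")}


def zone_of(ip):
    """Return the zone containing ip, or None if it is outside every known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def classify(src_ip, dst_ip, dst_port):
    """Classify one flow record (initiator -> responder) against the zone policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "unknown_zone"
    if src == dst:
        return "intra_zone"
    if (dst, src) in ONE_WAY:
        return "reverse_across_one_way_link"  # should be impossible if the diode works
    if (src, dst, dst_port) in ALLOWED:
        return "allowed"
    return "not_in_policy"


def audit(flows):
    """Return (flow, verdict) pairs for every flow that should raise an alert."""
    return [(f, v) for f in flows if (v := classify(*f)) not in ("allowed", "intra_zone")]


# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.9", 8883),
    ("10.20.0.9", "10.10.0.5", 22),
    ("10.10.0.5", "10.30.4.4", 445),
    ("10.20.0.9", "10.30.4.4", 443),
    ("192.0.2.7", "10.10.0.5", 23),
]
```
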
Device setup/configuration
Before plugging a new device or system into an edge application, it’s prudent to understand how it will function within your operation. Some recommended steps are performing vulnerability assessments to see the status of the device or system when delivered to the site, using the vendor’s hardening guide to set up and configure a device, disabling any unsecured or unnecessary protocols to reduce the attack surface, and applying all patches and updates before its final deployment.
Operation and maintenance
Installing a new device or system is only the start of the security journey. A popular fictional security professional once called for “constant vigilance”, and in the context of maintaining an Edge application, there are three best practices to apply: patch management, vulnerability management, and penetration testing.
There are many moving parts in an Edge application, thus before engaging in a patch deployment, it is key to coordinate with the operators, so they have a precise understanding of what is going to be patched, plus the required mitigation and timing for applying the patch.
Edge computing can introduce a level of operational complexity to vulnerability management due to the increased size of the landscape and new attack surfaces. This creates a need to identify scan coverage gaps and prioritize them, plus proper asset management to identify the assets residing on the Edge network.
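One way to find and rank scan coverage gaps is to compare the asset inventory with the scanner's records, shown here as an added Python example that is not from the original article. The asset names, criticality scores, dates and the 30-day threshold are constructed assumptions.

```python
from datetime import date

# Constructed asset inventory: asset id -> site and criticality (3 = highest, assumed scale).
INVENTORY = {
    "plc-01": {"site": "plant-a", "criticality": 3},
    "cam-07": {"site": "plant-a", "criticality": 1},
    "gw-02": {"site": "plant-b", "criticality": 3},
    "hmi-04": {"site": "plant-b", "criticality": 2},
}

# Constructed scanner export: asset id -> date of last completed vulnerability scan.
LAST_SCAN = {
    "plc-01": date(2021, 3, 1),
    "cam-07": date(2021, 1, 10),
    "hmi-04": date(2021, 2, 1),
    "rpi-99": date(2021, 3, 2),  # seen by the scanner but missing from the inventory
}


def coverage_gaps(inventory, last_scan, today, max_age_days=30):
    """Return inventoried assets with no scan or a stale scan, most urgent first."""
    gaps = []
    for asset, meta in inventory.items():
        scanned = last_scan.get(asset)
        if scanned is None:
            reason, age = "never_scanned", None
        else:
            age = (today - scanned).days
            if age <= max_age_days:
                continue  # covered recently enough
            reason = "stale_scan"
        gaps.append({"asset": asset, "site": meta["site"],
                     "criticality": meta["criticality"],
                     "reason": reason, "age_days": age})
    # Rank: higher criticality first, never-scanned before stale, then oldest scan first.
    gaps.sort(key=lambda g: (-g["criticality"],
                             g["age_days"] is not None,
                             -(g["age_days"] or 0)))
    return gaps


def unmanaged_assets(inventory, last_scan):
    """Assets the scanner found that asset management does not know about."""
    return sorted(set(last_scan) - set(inventory))


if __name__ == "__main__":
    for gap in coverage_gaps(INVENTORY, LAST_SCAN, today=date(2021, 3, 10)):
        print(gap)
    print("unmanaged:", unmanaged_assets(INVENTORY, LAST_SCAN))
```
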
Lastly, it’s better to stress test a system on your own schedule before an external threat does it for you. This can be done with penetration testing, which simulates an attack on either a device, system, or a network environment, usually by attempting to create a breach to uncover vulnerabilities.
This article has been written by Venkatraman Swaminathan, VP & Country General Manager, India & SAARC, Secure Power Division, Schneider Electric