6 essential elements of edge computing security

In 2017, a thermometer in a fish tank at a casino hotel lobby was hacked, enabling attackers to penetrate the casino’s network and transport its “high roller” database to the cloud.

In May, 2018, a denial of service attackknocked out a corporate website for four days. The attack was orchestrated through a network of internet of things (IoT) devices that included routers, security cameras and digital video recorders.

Both of these incidents illustrate why edge security is a growing concern for IT, which inevitably gets charged with controlling corporate security. This job gets tougher as more compute moves out to the edge in the form of IoT devices, robotics and other localized systems and networks used in remote facilities and user areas.  In this new edge computing environment, there are many IT policy and security issues that must be addressed.

Start your edge security strategy here with a look at the greatest areas of vulnerability and how corporate IT can cope with them.

1. Assets, assets everywhere

“If you’re responsible for asset management, you need to account for your IT assets across the company, whether these assets come in through IT or end user areas,” says Mike Raggo, CSO at 802Secure, which specializes in IoT security. “If you don’t do this, you’re going to have holes in your IT that hackers can penetrate.”

The risk is growing as more non-IT personnel are deploying and managing networks on the edge. This creates an “island effect,” where a central security organization like IT no longer has visibility into every device and network that is being deployed.

“In one case, an IT department for a hospitality company wasn’t even aware that the company had installed 400 new smart ovens, yet if this network of ovens were hit by a denial of service attack, how much money would you lose from the steaks you couldn’t grill or the customers you disappointed?” asks Raggo.

Scott Smith, chief revenue officer at Cloudapp, which provides secured cloud-based screen recording to devices, observed, “One reason edge computing is expanding is that there is a shift from IT to the end business when it comes to edge computing deployments. New generation employees are just looking for ways to get the job done at the edge, so they tend to disregard IT and also the need to secure the systems and IoT they deploy.”

Because of this, 90 percent of CIOs worldwide are now occasionally bypassed by business users in IT purchasing decisions and 31 percent are bypassed routinely. Consequently, knowing what tech you have “out there” becomes a real problem.

One solution is to use an asset management system to track all central and edge tech assets, but these systems frequently require manual input of the assets, and you can’t do that if you don’t know about them.

Another approach is to use a device detection software that enables you to detect any new device that has been deployed so you always keep track of your assets and can identify appropriate risk management tools and strategies.

“[Using device detection] you can also see where most of your traffic is coming from,” says Dan Olds, partner at research firm OrionX Network. “They did this at Uber and were very successful. First, IT identified the level 1 security risks, and ensured that all systems and devices were secured. Then, there was a less important security level 2 risk category that anyone could sign up for and use. Once these security levels were identified, appropriate levels of monitoring and risk management could be applied. The bottom line is, IT needs to know what’s all out there on the edge. It needs to prioritize where the serious security risks are and define tools and practices to apply to these assets. Most importantly, IT needs to work hand in hand with users as an enabler instead of as an enforcer.”

2. The people factor

A manager on a manufacturing shop floor who is pressed with a tight production schedule is going to focus on keeping production moving. He or she is not going to be thinking about how someone could break into a computer numerical control (CNC) machine. In this world, passwords will be shared, information that should be proprietary will be given out, and the physical cages that secure robotics and IoT systems that should be locked down are likely to be open.

One approach to this situation is to ensure that hardware and IoT devices are security-hardened, and that any data that they carry is encrypted.

A second approach is to use zero trust networks.

Originally dubbed “zero trust” by Forrester research in 2010, zero trust networks verify IP addresses and authenticate users from both inside and outside corporate walls. No one gains admission to the network until all security criteria have been met.

“A zero trust network detects and intercepts traffic that starts moving horizontally throughout the network in an abnormal way,” said Ben Goodman, VP of global strategy and innovation at ForgeRock, a digital identity and access management firm. “Detection is simplified because a zero trust network only admits a finite set of users. These networks are also an excellent edge technology that makes up for the fact that compute at the edges of enterprises must by necessity be remotely managed, and not by IT.”

3. Shadow IT

Shadow IT is now 30-40 percent of corporate technology spending according to Gartner research. Researchers at Everest Group found that shadow IT comprises over 50 percent of enterprise compute. Most of this technology is deployed at the edge, so when IT finds out about it, IT wants to enforce security.

“IT needs to change its mindset to deal with this,” says Olds. “Instead of looking at these situations as potential security problems, the better approach is to look at them as opportunities.”

Olds suggests that IT review and recommend security tools and services that end users can use on their own that will assist them in protecting their systems.

“Another thing that IT can do is to build in edge computing security and identity management that is part of every system’s DNA, whether it is on the edge or not,” added ForgeRock’s Goodman.

Here’s how this can be done:

AIl new technology must link into a zero trust network, where security protections already exist. Since the network is established, IT doesn’t need to confront end users and end users can self-enable their technology. IT can also issue security policies and toolkits that can self-enable end user security. For example, a tech vendor may not volunteer that devices are hardened for security at application, operating system, user and physical levels or that all data is encrypted—unless the end user knows to ask for these features during the RFP process. This is where upfront IT guidance on what to ask in an RFP helps.

4. Unpatched OSes 

“There is a risk management issue when many different types of devices and systems are being deployed by end users, and the technology comes with obscure operating systems that IT is not familiar with,” says Raggo.

He notes that hospitality companies that install smart ovens in kitchens; or healthcare facilities that install patient monitors, insulin pumps and a variety of other IoT devices, are especially vulnerable because the systems tend to be installed by end users, and they tend to run unusual operating systems.

In these cases, IT needs to 1) identify new assets through either a network that can detect these assets as they come online or preferably by working hand in hand with end users; and 2) work with vendors of these devices and systems to develop a procedure for executing regular software updates for any unusual OSs. In the majority of other cases where devices are running common operating systems, the task for IT becomes using an automatic push update for software that ensures security stays current and that software vulnerabilities and patches are administered in a timely manner.

An alternative is a pull update that gives end users the flexibility to install the new patches or OS versions when it is convenient, but this is not a recommended best practice because the pull update depends upon end users remembering to install the updates, which they may not do.

5. Risk management and DR

Corporate IT will also find that security measures must go beyond installing zero trust networks and equipping end users with security management tools and policies. What additionally will be needed is a process that incorporates edge computing into corporate risk management and disaster recovery (DR) plans.

Disaster recovery presents a particular challenge, since survey data indicates only 27 percent of companies plan for business continuity formally and consistently.

“Organizations lag when it comes to updating DR plans for edge computing,” says Olds. “Mission critical systems, networks and devices that exist at the edge should be identified and planned for in the event that they are compromised. If a breach occurs, it could have penetrated the device and been there for some time.” Additionally, says Olds, “You have to address the situation within the framework of managing your risk, and what a security breach could do to your company and your brand. Your organization could be held negligent by customers and business partners. It could lose tens of millions of dollars in company valuation. No one wants that—which is why an effective edge computing security strategy matters so much.”

6. Vetting vendors

“We manage edge device access points by maintaining a separate firewall secured network for our devices, and by providing two-way authentication and payload encryption for all transactions,” said Peter Mehring, CEO at Zest Labs, an agtech company that specializes in food post-harvest shelf life and freshness management. Mehring said that the company also looked at groups of transactions from a single sensor to determine if sensor data patterns made sense.

“This is what you want to see from your edge technology vendors,” says Olds, “And why it’s absolutely imperative to talk to your vendors about security and see what they have in their software and hardware. Then, take advantage of it. And if a vendor doesn’t have appropriate security provisions, skip the vendor.”

The last word

Users will rush to get data and services deployed, and they will overlook security. By including checkpoints like identity management, data encryption, zero trust networks, patch management, etc., as part of edge computing security protection and detection, IT increases the odds for a successful security strategy.