Does the rise of edge computing mean a security nightmare?
What do we mean by edge computing? In a nutshell, with edge computing you are processing data near the edge of your network, where the data is being generated, instead of relying on the cloud – or, more specifically, a collection of data centres.
As a relatively new methodology, computing at the edge invites new security challenges as you are looking at new setups or new architecture. Some say that you have to rely on vendors to secure your environment when you start computing at the edge. Those that champion edge computing claim that computing at the edge is safer because data is not traveling over a network but others see edge computing as being less secure because, for example, IoT devices are easily hacked.
And there are many ways to think about edge computing including smartphones. After all, if you consider the security and privacy features of a smartphone where you are encrypting and storing some kind of biometric information on the phone then you effectively take away those security concerns from the cloud and place them ‘next’ to the user, on their phone.
With edge computing, you are effectively running your code on the edge. But running your code on the edge brings about specific security challenges because it’s not within your stack or within your security environment – even though it is running on the edge it may still sometimes require queries from the back end, from the application. This is the main security concern when running a serverless environment and, in general, when running code on the edge. Where IoT devices are concerned, you run some of the code on the device itself (your mobile device or your IoT device) and you need to secure this.
The massive proliferation of end user endpoint devices could turn out to be an edge computing headache for many organisations. A single user might have multiple devices connected to the network simultaneously. The same user will undoubtedly mix both personal and professional data (and applications/profiles) onto a single device. In most scenarios, endpoint security tends to be less than robust, whereby this user could (unwittingly) expose the organisation to serious risk and accompanying losses or exposure to malicious viruses. Many of these devices are not only very insecure, but they can’t even be updated or patched – a perfect target for hackers.
And 5G will certainly cement the era of edge computing. In general 5G should be a wonderful thing because it will accelerate the use and development of real time applications. But when you have more data going through a device you need more control of that data and you will need tools that allow an organisation to control that data from a security perspective.
The IoT and 5G relationship will see huge numbers of IoT devices feeding a huge amount of data to the edge. Currently however, none of the security protocols on IoT are standardised which highlights the biggest security risk of 5G. That is to say, your smart fridge in the kitchen currently has no standard for how it secures and authenticates with other smart devices. Base-level security controls are therefore required to mitigate such risks.
In the wider business world there will be a massive shift of computing function to the edge. When organisations rely less and less on data centres, (they will end up virtually ‘next’ to the workforce), then securing the endpoint edge means encrypting communications and ensuring that security devices are able to inspect that encrypted data at network speeds. Devices also need to be automatically identified at the moment of access, and appropriate policies and segmentation rules applied without human intervention. They also need to be continuously monitored, while their access policies need to be automatically distributed to security devices deployed across the extended network.
Organisations ultimately want to protect their data and they want to protect their production. When you are computing at the edge you are working with data at the edge and not in your workload. From a security point of view therefore, you need to secure the data both in transit and at rest. This security challenge is currently undertaken largely vendors and ultimately the security protocols underwritten by the big cloud providers such as AWS for example.
However, it is a mistake to believe that edge technology inherits the same security controls and processes that are found with the likes of AWS or the public cloud. Computing at the edge can cover all kinds of environments which are often remotely managed and monitored; this might not offer the same security or reliability that organisations are used to seeing with the private cloud. Ultimately it is the responsibility of the customer to properly vet potential vendors to fully understand their security architectures and practices.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.