Businesses can find security vulnerabilities when they push their workloads to the edge. Discover the pitfalls of cloud edge security and best practices to secure edge workloads.
It can be tough to secure traditional cloud workloads. But workloads at the network edge face additional security challenges, such as a larger attack surface and elevated risk of physical security attacks.
An effective edge-to-cloud security strategy mitigates threats across a business's IT infrastructure while enabling efficiency and scalability in security operations. For businesses taking advantage of edge computing as a way to boost performance or digitize processes, implementing security at the edge is just as important as securing workloads in traditional data centers.
Learn about the basics of edge security, its challenges and best practices for securing edge workloads.
What is edge computing?
Edge computing refers to IT infrastructure that is physically closer to end users or data sources than conventional cloud data centers. Consider an IoT device that monitors conditions within a factory, or a smart device that tracks a patient's health. These are a few examples of devices that operate at the edge.
Edge workloads present a range of special security challenges that either don't exist at all in conventional data centers or are more pronounced in edge environments. These include a larger attack surface spread over several devices, limited compute power and network security risks.
In edge computing, infrastructure like these servers is pushed to the network edge closer to end users.
6 security vulnerabilities of edge workloads
Let's explore some of the vulnerabilities of edge workloads in more detail. Consider the following:
1. Attack surface
Edge networks often include multiple individual devices. A healthcare company that deploys remote sensors to monitor patient vitals can have thousands of such devices in operation. Likewise, a utility company that uses IoT devices to monitor gas pipelines at remote sites might rely on a network that includes tens of thousands of sensors.
The sheer scale of edge infrastructure can result in larger attack surfaces, as threat actors can target more devices. When devices are spread across disparate locations, it can be harder to implement central security controls, which complicates attack surface management.
2. Physical security threats
Most cloud data centers are highly resilient against physical attacks. Data centers are often built in remote areas and are spread out geographically. This redundancy can act as another layer of security. Cloud data centers can also come equipped with a variety of physical security measures to prevent and deter trespassers.
Compare these aspects to edge security. Typically, edge workloads have much less comprehensive physical security protections because they're in settings that anyone can access easily. This doesn't mean that admins cannot invest in the physical security of their assets, but they might be at a resource disadvantage compared to a data center.
3. Network security risks
Edge workloads rely on a central network to communicate with each other and with applications hosted in cloud data centers. Anyone who can access these network connections could potentially "sniff" sensitive information produced by edge devices. If the data is not encrypted, they'll be able to view it.
Attackers can target network data in a traditional data center, too. But doing so is typically harder because data center network infrastructure is protected by firewalls and not subject to the physical security risks of edge networks.
4. Limited computing power
Edge devices are often small and possess limited computing and memory resources. Remember, edge computing places infrastructure near the end user's device. Consider smart cameras or autonomous vehicles. These cannot support the resources a data center can.
As a result, these devices might be unable to run the type of security monitoring or hardening software that businesses often install on traditional endpoints.
5. Custom hardware and software
Some edge devices include bespoke hardware components. They might also use nonstandard OSes or custom software. This customization could meet specific workload requirements or compliance needs.
However, a lack of standardization can create security challenges by making it harder to monitor edge workloads adequately. Most cybersecurity monitoring and anomaly detection tools work with standard applications and OSes, not those present in edge environments.
6. Hardware supply chain attacks
There is a risk that threat actors could tamper with edge device hardware during manufacturing or shipping. Potential bad actors could, for example, install malicious firmware on it.
While these types of attacks have been rare to date, they are a real risk. This is especially true given the complexity and lack of transparency of the global hardware supply chains that produce IoT devices.
Given these vulnerabilities, it's understandable why consumers would choose a cloud data center. However, for organizations that rely on edge computing, and for use cases where it just makes more sense, we need to take a deeper look at how to secure edge computing workloads.
What is security at the edge?
Security at the edge extends to all aspects of edge security, including physical device security, edge software security, network security and the protection of sensitive data stored on edge devices.
Security at the edge is its own discipline. However, businesses that deploy edge devices alongside traditional, cloud-based workloads must integrate edge security seamlessly into their broader strategy. To do this, organizations must understand the limitations of conventional security measures when protecting edge workloads.
Organizations must understand the limitations of conventional security measures when protecting edge workloads.
Consider the shared responsibility model. In traditional public cloud environments, cloud service providers (CSPs) assume responsibility for protecting the underlying infrastructure that hosts cloud workloads. Their customers are generally responsible for securing any software they operate on top of the cloud infrastructure.
When admins add edge devices to their IT estate, they can't entrust the security of their edge infrastructure to a CSP. Since the CSP doesn't control the edge devices, admins are responsible for securing them. This is true even for cloud-based services like AWS IoT Device Management or Azure IoT Hub, which manage edge devices. While these services track edge devices and can help with tasks like monitoring and software updates, they can't address all aspects of edge security because the CSPs don't have control over the edge devices themselves.
Now that we better understand security at the edge, how can admins best secure their edge workloads?
Best practices for securing apps from edge to cloud
There is no one simple trick that can seamlessly integrate edge security into a broader security strategy. But several key practices can help businesses keep edge workloads secure, including the following:
1. End-to-end encryption
Encrypting data across all networks helps prevent eavesdroppers from exfiltrating sensitive information as it moves between edge devices and data centers. Encryption also protects more traditional types of data that exist within a cloud environment.
2. Authentication and access controls
Using cloud providers' identity and access management (IAM) frameworks, businesses can define authentication and access controls that restrict cloud-based applications, services and users from accessing sensitive information. Note that IAM policies typically won't prevent unauthorized physical access to edge devices.
3. Store sensitive data centrally
To mitigate the security risks of physical attacks against edge devices, it's best practice to move sensitive data into more secure data centers when possible. Rather than retaining data locally on edge devices, move it into the cloud. This way, if an attacker gains physical access to a device, no sensitive data is exposed.
4. Secure communications
To the extent possible, organizations should deploy network firewalls, gateways and VPNs to help mitigate network-based attacks. If edge devices don't need to communicate using the public internet (and most don't), allowing them to connect only to secure, private networks can help mitigate security risks.
5. Continuous monitoring
Continuously monitoring all components of the IT estate for signs of unusual activity can clue organizations into malicious behavior in real time. Even in cases where security tools can't run directly on edge devices due to resource limitations or nonstandard hardware and software, it's possible to monitor data, such as network traffic, as a means of detecting anomalous activity.
6. Supply chain security
Businesses that operate both cloud and edge environments should secure all aspects of their supply chains. These include not just software supply chains, but also the hardware supply chains they rely on to manufacture edge hardware. Organizations should know which vendors source the various hardware components in their devices and be sure they trust them.
7. Attack surface minimization
Edge environments have a broad attack surface, almost by definition. But that doesn't mean businesses can't take steps to reduce the attack surface area. Practices such as turning off edge devices that aren't in use and avoiding unnecessary hardware and software components on edge devices help keep attack surfaces lean.
8. Cloud network hardening
While it's typically not possible to deploy network security protections on edge devices, admins can harden cloud networks with tools such as firewalls, ingress controllers and cloud access security broker software. These can help detect and block malicious traffic originating from edge devices, which in turn can help stop the spread of a security breach that starts at the edge.
Chris Tozzi is a freelance writer, research adviser, and professor of IT and society. He has previously worked as a journalist and Linux systems administrator.
