Over the years, Edge Computing has continuously gained trust from the IT community, as well as recognition from those outside the IT circles. Now, the focus is put on cementing its place as a vital technological innovation. In fact, Forrester is calling 2021 the year for Edge Computing, predicting it will move from experimentation to mass deployment.
The novelty of Edge, outside of IT circles, unfortunately contributes to a lot of confusion on the subject and related concerns about how secure it is. Compared to a centralized and highly secured data center, the idea of a decentralized network of endpoint devices placed at the edge of computing networks is leading to concerns and more unfortunately even misconceptions and undue worry, which could get in the way of organizational adoption.
“In today’s reality, the old proverb of ‘trust, but verify’ is no longer safe enough. Instead, Zero Trust is the way to go, by adopting a ‘don’t trust anyone, until verified’ mentality. While this may cost more to secure one’s operations, avoiding loss of data and customer trust due to data breaches will save an organization much more in the long run,” explains Tony Kang, Business VP, Secure Power Division, Schneider Electric Philippines.
Cybercrime Magazine predicts cybercrime will inflict $6 trillion in damages globally in 2021, making it the third-largest “economy” after the United States and China. This is expected to grow 15% year-on-year, likely to reach $10.5 trillion in damages by 2025.
Cybersecurity continues to be a growing concern worldwide, and Asia-Pacific is not spared from cyberattacks. According to a study by Sophos, more organizations across six Asia-Pacific markets, including the Philippines, have been breached in the past year. In the Philippines alone, approximately 55% of the respondents stated that it took them more than a week to remediate cyberattacks.
Respondents in the same study also cited poorly designed or vulnerable supplier systems as a top risk expected in 2023. This is fueled in part by concerns that they might be targeted through third-party vulnerabilities and security, as well as other technology vendors being breached. Because of this, there is a need to create more awareness around strategies in securing platforms and networks.
“Taking this into consideration, adopting Edge Computing can also present an exciting opportunity to refresh one’s security systems. In fact, concerns faced by the Edge have been thoroughly ventilated by security experts, who recommend mitigation with a holistic strategy in four parts: device selection criteria, secure network design, device setup/configuration, and operation and maintenance,” Kang said.
Device selection criteria
A common concern with IoT devices is that they could be the weakest link that enables attackers to break into an Edge network.
Thus, it’s important to consider two standards when choosing devices. One is that it has a well-implemented Security Development Lifecycle (SDL), a concept introduced by Microsoft to consider security and privacy concerns throughout the entire software development process. Next is IEC 62443, an internationally accepted standard that lays down process requirements for the secure development of products used in industrial automation and control systems as well as Edge IT applications.
Secure network design
Rather than a one-size-fits-all approach, a Defense-in-Depth Network (DDN) approach can help diversify risks by creating security zones with different defensive elements in each zone. While no individual method can stop all cyber threats, together they guard against a wide variety of threats while incorporating redundancy in the event one mechanism fails.
The first layer, Network segmentation is essential as the edge perimeter expands. It works by breaking up a computer network into segments, enabling better control of data traffic and also limiting how far an attack can spread.
This can be further improved using data diodes and unidirectional gateways, which allow traffic to flow in one direction only, preventing sensitive data to be leaked should an edge device be compromised.
Next is an intrusion detection system that can identify and alert users of potentially malicious traffic that could damage, disrupt service, or impact the availability of systems running on the edge.
Before plugging in a new device or system into an edge application, it’s prudent to understand how it will function within your operation.
Some steps recommended are performing vulnerability assessments to see the status of the device or system when delivered to the site, using the vendor’s hardening guide to set up and configure a device, disabling any unsecured or unnecessary protocols to reduce the attack surfaces, and updating all patches and updates before its final deployment.
Operation and maintenance
Installing a new device or system is only the start of the security journey. A popular fictional security professional once called for “constant vigilance,” and in the context of maintaining an Edge application, there are three best practices to apply: patch management, vulnerability management, and penetration testing.
There are many moving parts in an Edge application, thus before engaging in a patch deployment, it is key to coordinate with the operators, so they have a precise understanding of what is going to be patched, plus the required mitigation and timing for applying the patch.
Edge computing can introduce a level of operational complexity to vulnerability management due to the increased size of the landscape and new attack surfaces, thus a need to identify scan coverage gaps and prioritize them, plus proper asset management to identify the assets residing on the Edge network.
Lastly, it’s better to stress test a system on your own schedule before an external threat does it for you. This can be done with penetration testing, which simulates an attack on either a device, system, or network environment, usually by attempting to create a breach to uncover vulnerabilities.
“While Edge Computing may still be seen as relatively fresh to the market, its potential and growing reputation, coupled with the dire need for better cybersecurity systems in the Philippines, makes it a most promising viable option,” Kang said.