When an autonomous car has to decide to swerve left or right to avoid hitting a pedestrian, milliseconds separate life and death.
When data captured in remote locations—an oil rig, an outback mining operation, a satellite—needs to be processed, bandwidth matters.
System architects have several deployment options for placing computing workloads and addressing storage needs, and the dominant theme of the past decade has been the migration away from on-premises data centers to hyperscale cloud platforms. For cases like the two above, however, a newer approach is edge computing, which physically locates computing workloads at or near the point where data is captured and where decisions must be made once that data has been processed.
The Benefits of Edge Computing
Edge computing removes the latency and bandwidth cost of shipping all data back to a centralized location for processing and storage, whether that location is an on-premises data center or a cloud service.
When a car is travelling at 60 miles an hour, every millisecond of delay spent routing data to a cloud service for analysis and interpretation can mean the difference between life and death, whether for the driver, a bystander, or another road user who has the right of way.
Imagery and other sensor data captured in remote locations would often saturate the available network links, so the data can be processed locally, with only consolidated results transferred for centralized storage.
The Cybersecurity Threats Resulting from the Edge Computing Model
Devices used for edge computing can be compromised through cyberattack—both the device itself and the data processed or stored on the device. These cybersecurity threats include:
- Theft of a computing device. Edge computing often features a large number of deployed devices, increasing the physical attack surface significantly. If physical protections over the device are minimal, it is possible for the entire device to be stolen.
- One-time theft of the data on a device, for example by removing a disk or copying data from the device to a thumb drive. As above, if physical precautions are lacking, gaining physical access is orders of magnitude easier than it is for devices in a data center.
- Ongoing exfiltration of the data on a device, for example by inserting a sniffer or network tap between the device and its network connection. Data still reaches its intended destination, but a copy is also shipped to an unauthorized one.
- Rendering edge computing devices unusable, for example through a distributed ransomware attack.
- Gaining unauthorized access to centralized computing resources, for example by compromising the credentials stored on edge devices for communicating with centralized applications in a data center or cloud service.
Addressing Edge Computing Vulnerabilities
Devices used to carry edge computing workloads must be protected against cybersecurity threats. Two key principles for mitigating cybersecurity threats are:
- Anywhere data lives should be protected – both from physical compromise and data compromise. This applies just as much to edge computing as to endpoints, on-premises servers and data centers, and cloud services.
- Anywhere data is processed should be protected – against unauthorized access and manipulation. As above, this applies just as much in edge computing architectures.
Based on these principles, here are recommended countermeasures:
- Keep edge computing devices up to date with patching, ensure protections against unauthorized physical access and tampering are put in place, and incorporate edge devices in normal security monitoring and alerting processes.
- Use tools that automate the scanning for configuration weaknesses and drift in edge devices and workloads.
- Embrace a unified approach to encrypting data wherever it is located and processed, through approaches like centralized key management. Unified key management that works alongside provider-specific encryption regimes lets an organization keep central control of its encryption keys, so that in the case of a data breach anywhere, including a stolen edge device, the keys for the affected data can be revoked and the data rendered inaccessible. Encryption at rest only delivers this if the key that unlocks the data is not itself sitting unprotected on the same device; the device should hold at most a wrapped data key, with the key that wraps it staying under central control.
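The following is an added example, not code from the original article, showing the envelope-encryption pattern the countermeasures above describe: each record at the edge is encrypted under a fresh data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that never leaves a central key service, and only the ciphertext plus the wrapped DEK are stored on the device. The `KMS` type is a hypothetical in-process stand-in for a real key service (not any vendor's API), the device and key identifiers are made up, and the payload is a constructed placeholder for sensor data. Revoking the KEK centrally makes every record wrapped under it unreadable, which is what lets a stolen disk or a copied thumb drive be written off rather than treated as a plaintext loss.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS is a hypothetical stand-in for a central key service (not a vendor API); KEKs never leave it.
type KMS struct {
	keks    map[string][]byte
	revoked map[string]bool
}

func NewKMS() *KMS                 { return &KMS{keks: map[string][]byte{}, revoked: map[string]bool{}} }
func (k *KMS) CreateKEK(id string) { k.keks[id] = randBytes(32) }
func (k *KMS) Revoke(id string)    { k.revoked[id] = true } // kill switch for every record under this KEK

// WrapDEK encrypts a device's DEK under a KEK, binding the device ID as AAD so a wrapped DEK cannot be replayed by another device.
func (k *KMS) WrapDEK(kekID, deviceID string, dek []byte) ([]byte, error) {
	if k.keks[kekID] == nil || k.revoked[kekID] {
		return nil, fmt.Errorf("kek %q unavailable", kekID)
	}
	return sealGCM(k.keks[kekID], dek, []byte(deviceID)), nil
}

func (k *KMS) UnwrapDEK(kekID, deviceID string, wrapped []byte) ([]byte, error) {
	if k.keks[kekID] == nil || k.revoked[kekID] {
		return nil, fmt.Errorf("kek %q unavailable", kekID)
	}
	return openGCM(k.keks[kekID], wrapped, []byte(deviceID))
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing OS CSPRNG is unrecoverable; Go itself treats it that way
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length; every key here is 32 bytes
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

func sealGCM(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad) // AES-256-GCM; the nonce is prepended to the output
}

func openGCM(key, sealed, aad []byte) ([]byte, error) {
	aead := gcm(key)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad) // tag check (covering the AAD) happens before any plaintext is returned
}

// EdgeRecord is all that sits on the edge device's disk; a stolen disk or thumb-drive copy yields neither plaintext nor a usable key.
type EdgeRecord struct {
	KEKID, DeviceID        string
	WrappedDEK, Ciphertext []byte
}

// EncryptAtEdge: fresh DEK per record, encrypt locally, wrap the DEK centrally, persist only the wrapped form.
func EncryptAtEdge(kms *KMS, kekID, deviceID string, plaintext []byte) (*EdgeRecord, error) {
	dek := randBytes(32)
	wrapped, err := kms.WrapDEK(kekID, deviceID, dek)
	if err != nil {
		return nil, err
	}
	ct := sealGCM(dek, plaintext, []byte(deviceID))
	return &EdgeRecord{KEKID: kekID, DeviceID: deviceID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptAtEdge must go back to the KMS for the DEK; that round trip is where central control (and revocation) takes effect.
func DecryptAtEdge(kms *KMS, rec *EdgeRecord) ([]byte, error) {
	dek, err := kms.UnwrapDEK(rec.KEKID, rec.DeviceID, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, rec.Ciphertext, []byte(rec.DeviceID))
}

func main() {
	kms := NewKMS()
	kms.CreateKEK("rig-07-kek")
	rec, _ := EncryptAtEdge(kms, "rig-07-kek", "rig-07-cam-3", []byte("constructed sensor frame"))
	kms.Revoke("rig-07-kek") // e.g. once rig-07-cam-3 is reported stolen
	fmt.Println(DecryptAtEdge(kms, rec))
}
```

Two design points matter in practice. The device ID is bound into the wrap as associated data, so a wrapped DEK lifted from one device cannot be presented by another; and the plaintext DEK exists only in memory during the encrypt and decrypt calls, never on disk. In a real deployment the device's call to the key service would itself be authenticated with a per-device identity (ideally hardware-backed), since a long-lived shared credential on the device would recreate the credential-theft problem described under threats above.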
Addressing security for edge computing ultimately remains the responsibility of the organization, even in a shared responsibility model. For example, the articles of the European General Data Protection Regulation (GDPR) dealing with third-party “processors” of an organization’s data place primary responsibility on the organization itself as the data controller; processing may be delegated readily, but accountability is not. A data breach perpetrated through poor security in an edge computing deployment damages the organization more than any subcontracted provider or data processor, especially when the fault is traced to a configuration weakness, an encryption failure, or an oversight the organization itself should have addressed.