4 ways edge computing changes your threat model

Edge computing provides more opportunities for attackers to access devices--and your network--remotely and physically. These are the risks you need to consider.


Many organizations have begun moving processing capabilities to edge locations or closer to where data is generated. This trend could open them up to new cyber risks that their threat models will need to take into account.

The biggest concerns include an expanded attack surface and greater exposure to threats like distributed denial of service (DDoS) campaigns, data theft and leaks, third-party vulnerabilities, and intrusions into the enterprise network.

Multiple factors drive the edge-computing phenomenon. The biggest, according to analysts, are network latency, bandwidth costs and performance. The increasing number of devices that organizations connect to the internet is driving the need for near-instantaneous data transfers to and from those devices. Modern applications and services, in everything from autonomous vehicles and healthcare devices to operational technology (OT) environments, cannot afford the latencies involved in sending and receiving data between end devices and a data center somewhere in the cloud.

"If you had a 1,000 drones reporting back to you at the same time, how do you deal with that from a performance point of view?" says John Pescatore, director of emerging security trends at the SANS Institute. Edge computing is an approach that allows organizations to process, analyze, filter and store data close to the source so they can act upon the data faster, he says.

Edge systems serve as an intermediary between end devices and back-end systems and reduce the need for organizations to send all the data they capture at the network periphery back to a central system. Analyst firm Gartner has predicted that by the end of 2023 more than half of all large enterprises will be using edge computing for six or more use cases.

Emerging 5G-network technology and a new generation of relatively inexpensive server hardware are enabling the trend. "Edge computing will drive 5G adoption, and 5G availability will drive edge computing," predicts Jeff Pollard, an analyst with Forrester Research. "Distributed and scaled computing with distributed fast connectivity with low latency is incredibly compelling," he says.

Edge computing gives attackers more targets

As with many technology shifts, this comes with some risks. With more devices performing compute actions and more devices connected to the internet, attackers have many more targets to go after, potentially holding more sensitive data and access to other systems. Issues like physical access and product security assume greater significance as well. "The main difference between edge security and non-edge security is around scale and distribution," says Arpit Joshipura, general manager of networking, IoT and Edge for The Linux Foundation. "The number of applications, devices and connections that edge compute will drive require a scale that is 10 to 100 times today’s deployments," he says.

The risks vary significantly by individual use case and by industry vertical. An organization in the manufacturing sector will likely have to deal with a different set of issues than an entity in the healthcare or construction sectors. So a one-size-fits-all security approach will not work, Pollard cautions. Here, at a high level, are some of the main security challenges that edge computing will impose on threat modeling, according to security experts.

1. Attacks on poorly secured edge devices

Poorly configured and poorly secured edge computing devices give attackers more opportunities to disrupt operations or to gain access to the broader enterprise network. "One worry is attackers can use edge servers to break into the main network and grab credit card information," says Pescatore. "The other worry is an attacker could cause your drones to fly into buildings instead of getting them to drop off packages." The fact that many of the communication protocols and standards around edge computing are still maturing adds to the problem, especially for organizations in critical industries.

The compute and storage capabilities in edge servers also make the devices attractive targets in themselves, says Scott Crawford, an analyst with 451 Research. "These devices are more capable; they have network connectivity full time and handle data that is sensitive for any number of reasons." Adversaries can target these systems in DDoS attacks, to steal data or as launch pads for attacks on others. With edge computing, basic security mistakes like deploying systems with default passwords, or without multi-factor authentication, can have big consequences.

In edge computing environments, zero-trust and anomaly detection capabilities become especially important, Crawford says. Organizations need to have the visibility to ensure that "only the devices, users and functionality they expect to see, is what is actually out there," he says. In a sense, detecting anomalies in an edge environment is slightly easier than on a normal network because edge systems are supposed to function in only a predictable and fairly limited set of ways. "But you need to make sure you can handle any anomalies you find in the sheer number of things that you deploy at the edge," he says.
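As an added illustration (not from the article or from any vendor's product), the sketch below checks edge telemetry against an inventory of expected devices, users and functions, then groups the deviations by type so a large fleet stays manageable. The device names, accounts, actions and log format are constructed assumptions.

```python
from collections import Counter

# Constructed inventory: the only users and actions each enrolled node should show.
EXPECTED = {
    "edge-gw-01": {"users": {"svc-telemetry"},
                   "actions": {"mqtt_publish", "fw_check"}},
    "edge-gw-02": {"users": {"svc-telemetry", "svc-video"},
                   "actions": {"mqtt_publish", "rtsp_stream"}},
    "edge-gw-03": {"users": {"svc-telemetry"}, "actions": {"mqtt_publish"}},
}

# Constructed sample events, one per line: "<device> <user> <action>".
SAMPLE_EVENTS = """\
edge-gw-01 svc-telemetry mqtt_publish
edge-gw-01 admin ssh_login
edge-gw-02 svc-video rtsp_stream
edge-gw-02 svc-video outbound_smb
edge-gw-99 svc-telemetry mqtt_publish
edge-gw-01 svc-telemetry fw_check
malformed-line
"""

def classify(line, expected=EXPECTED):
    """Return None for expected behaviour, otherwise the reason it deviates."""
    parts = line.split()
    if len(parts) != 3:
        return "unparseable"          # never silently drop what cannot be read
    device, user, action = parts
    profile = expected.get(device)
    if profile is None:
        return "unknown_device"       # not in inventory: rogue or swapped unit
    if user not in profile["users"]:
        return "unexpected_user"
    if action not in profile["actions"]:
        return "unexpected_action"
    return None

def triage(log_text, expected=EXPECTED):
    """Return (findings, counts per reason, enrolled devices that stayed silent)."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        seen.add(line.split()[0])
        reason = classify(line, expected)
        if reason:
            findings.append((reason, line))
    silent = set(expected) - seen     # enrolled but never reported in
    return findings, Counter(r for r, _ in findings), silent
```

The per-reason counts give a fleet-level view first; the silent set catches an enrolled node that has stopped reporting, which matters for devices outside a secured facility.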

2. Misalignment across device edge and service provider edge

If cloud computing was about centralizing data and applications in big cloud data centers, edge computing is about distributing processing to the network periphery. Existing cloud providers will deliver many edge services either on their own, or in collaboration with internet service providers, carriers and others. Verizon, for instance, has tied up with AWS to offer a multi-access edge compute (MEC) platform for enterprises that want to take advantage of the edge computing approach. In other instances, organizations will need to work with ISPs, device manufacturers, integrators and others on their edge computing implementation.

Concepts like third-party vetting and shared responsibility become much more important, Pollard says. Organizations will need to have a lock on third-party risk management processes, because the vendors they use will likely combine connectivity and edge computing to offer value-added services, he says. "That means more third parties and more connections, so you need to be as mature as possible when it comes to enabling access while also limiting the potential damage if that access is subverted by an attack."

Organizations will need to pay more attention to security processes, service level agreements (SLAs) and architecture alignment across the device edge and service provider edge, says Joshipura. Enabled by 5G, telecommunication service providers are providing services for edge computing through software at the base station or edge locations that can deliver less than 20-millisecond latencies, he says. Enterprises will need to work closely with both telecom and cloud service providers to secure service and software. "Security needs to be architected from an end-to-end perspective with clear handoffs," he says.

3. Physical security around connected devices

Physical security will become more important. Many edge deployments will reside outside of secure data centers and therefore will not always have the same level of physical security as mainframes and servers in a data center. Issues like people physically tampering with devices, adding malicious devices, swapping devices, privilege escalation, and rogue data centers become significant. Organizations will need to implement controls to mitigate risks associated with these threats.

"The old rule in security was if they had physical access then you had no security," Pollard says. Edge computing is one area where this is especially true. When deploying hardware and edge devices, organizations need to pay attention to the availability of tamper-proof and tamper-evident features and other capabilities like hardware root of trust, crypto-based ID, measured boot, encryption and automated patching.

Because edge computing will further dilute the notion of a physical or network perimeter, approaches such as zero-trust security will become critical. All devices on the network will need to be treated as untrusted until authenticated and verified as being trusted with each access request. "With regards to physical security concerns, elements such as distributed and peer-to-peer systems, wireless networks and multi-tenant virtualization infrastructure all require hardening," says Kevin Curran, IEEE senior member and professor of security at Ulster University.

4. Open-source software security

Many of the technologies being deployed at the edge are based on open-source software. This is especially true in areas such as life cycle management and application programming interfaces (APIs), says Joshipura. "Open-source technologies are becoming a de facto mechanism by which the ecosystem is building edge solutions," he says. Organizations need to pay close attention to the security of the open-source code they are using. Focus on end-to-end processes such as code scanning, vulnerability hunting, and auto patching, where possible, he says. "Ensure critical vulnerabilities are resolved as code is deployed," Joshipura says. It's also a good idea to do predictive maintenance and anomaly detection in open source using AI tools where available.

Copyright © 2020 IDG Communications, Inc.
