• United States




Defending outside the firewall

Feb 07, 20185 mins
Internet of ThingsNetwork SecuritySecurity

The risks and rewards of the intelligent edge.

network security digital internet firewall binary code
Credit: Thinkstock

The Internet of Things, though still evolving, has pushed its way into the workplace. The result? CSOs are working overtime to keep up. What’s the protocol for these connected devices, and how do they fit into the existing security infrastructure?

The intelligent edge has emerged as a promising model for handling remote and varied connections—one that’s ideal for reconciling IoT with your topology. Instead of funneling unprocessed, raw data directly back to your network, intelligent edge computing allows data gathered from peripheral devices to be processed off-network and then transmitted back to the network as a finished product. 

Instead of funneling unprocessed, raw data that hasn’t been molded or organized to match your existing infrastructure, the intelligent edge allows devices to be deployed at the network’s edge. As an operational solution, this expedites the connection process, decreases latency and increases the number of connections you can make at any one time.

The intelligent edge presents a unique opportunity to streamline the integration of remote connections. However, handling security outside the firewall also comes with its own slew of risks. Here are a few things CSOs should be aware of as they consider taking advantage of the intelligent edge.

Network outsiders

When we talk about the intelligent edge from an IT security perspective, we’re really talking about a range of use cases and initiatives in which resources are handled outside the firewall.

Since these connections are made in a demilitarized zone [(DMZ), outside of the usual, rigorous IT infrastructure], a higher degree of risk needs to be accounted for to ensure the whole system stays secure. This means keeping better watch over these devices than those assimilated to the network, and, subsequently, setting up different thresholds. It means filtering all traffic and ensuring that the data is encrypted in transit.

Devices connecting at the edge should be authenticated and vetted in multiple ways to make sure the device is compliant and without vulnerability. Once the device is secured, we can go farther by strategically limiting network access to moderate the scope of potential breaches.

Holding down the fort

The first step to creating a secure intelligent edge infrastructure is to sufficiently secure both IoT device communication and edge gateway appliances receiving that data from IoT devices.

Ensuring that both the transported data and the gateway appliances are properly secured requires positioning both in a properly secured and monitored DMZ environment. With this configuration IoT devices route through the intelligent edge’s single access point. This approach enables the collection of valuable analytics at a single point, instead of haphazardly or in a scattered collection. As a result, you can better see the bigger picture and get a more complete story about your devices, your users and behavior. 

By streamlining data collection, you also limit the number of vulnerabilities detectible to potential attackers. The best rule of thumb in IT security is always to limit the number of network entry points. It’s easier, after all, to defend one gateway instead of a hundred. The intelligent edge allows you to do just that, routing all devices through one point and thus limiting the attack surface accessible by malicious actors. Meanwhile, by processing the data gathered from those remote devices up front—before sending that data back to the edge—you ensure a quicker, smoother process that limits the likelihood of anything getting caught in transit.

But buyer beware: the security of the information gathered at the edge is only as secure as its final destination. In many instances, this means the cloud. Since cloud storage is notoriously less secure than on-site storage, precautions need to be taken. By consolidating data collection, you raise the value of the incoming packages, so the onus is on your team and your cloud service provider to guard the data accordingly.

One easy step you can take to protect data collected this way is similar to how you collected it: store it in as few disparate locations as possible. By limiting where the data lives to one or a few locations, you’re again reducing the surface area available for attack as well as leaving less room for human error. Since the intelligent edge protocol is still relatively young and untested, pay special attention to anything in its pipeline. Limiting storage to a single destination makes it much easier to monitor for anomalies and protect from threats.

The ramparts we watch

With its rapidly expanding frontier, IT needs regular booster shots to maintain sufficient security. The intelligent edge, like all new technologies, presents promising opportunities, especially when dealing with remote workloads and IoT devices. However, incorporating these new technologies into a network requires careful planning, risk identification, and properly designed security from concept to deployment and into production. Most importantly, organizations need to be thoughtful about how they assimilate it into their security infrastructure.

With new technologies constantly introduced into the marketplace, networks will increasingly grow more complex. Mitigating the associated risk ultimately means remaining vigilant while adapting to continuously emerging and evolving threats. We will certainly continue seeing the adoption of new technologies, such as the intelligent edge, in our environments. As we continue to adopt, risk will subsequently evolve, but so too will the rewards.


Pete Burke is a security and borderless networks technical consultant at Sirius Federal. He advises federal technology buyers on the solutions that best fit their needs. Pete has previously worked at Gemalto and Philips Healthcare.

Pete can be reached online via Sirius Federal's company website.

The opinions expressed in this blog are those of Pete Burke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author