Microsoft once wrote in a knowledgebase article that if you don’t have physical control over your servers, you don’t own them. Although the comment was made years ago, it rings ironical in the context of edge computing.
As edge computing rises through industries, data security and data privacy maybe problematic for some organizations. Experts have cautioned companies with presence at the edge about the potential risks of putting IT assets that hold customer-sensitive information in unsafe locations. Without guards to watch over, they can be easily manipulated or stolen.
At the recent Edge Field Day event in California, the panel sat down to debate the implications and potentials, and posit their views on how to abate the risks.
“One of the biggest challenges to security when it comes to the edge is typically when you’re accounting for security in a datacenter, you can somewhat safely assume that the attacker doesn’t have direct physical access to the device. They can’t just walk up to a rack of servers and plug the console cable in. If they can, the old maximum is – if they have physical access, it’s game over,” said Ned Bellavance, IT veteran and tech content creator.
The paradox is that the reason companies might want to use edge computing is also the reason they might not – that data is processed and stored locally on devices. A lot of the anxiety about data security stems from the fact that edge computing is untested and unproven, but there are strong indicators that security might be a steady concern that may not be dispelled just yet.
The edge is not inside the safe space of a datacenter building. It is where the users are, and where they are not. Inherently, there’s much better security and governance controls when everything’s in one spot, ie., inside the datacenter. It is infinitely easier to protect something when you can put it inside the closed walls of a highly secure building.
But edge computing is not the only technology to have gaping security holes, argues Gina Rosenthal, Field Day delegate and tech coach. “Cloud too had huge security and privacy holes before everybody pointed it out, and people made lots of money filling those holes in,” she says.
A huge stumbling block is that organizations struggle to define the problem. The risks at the edge are more than just physical. The scale of edge itself poses a problem for software updates and maintenance that are equally pertinent to security. But, let’s for a moment, put a pin on that, and focus on physical security, which is the biggest problem as of today.
Vendors have a few tricks up their sleeve to get around physical insecurity. Manufacturers are operating off the assumption that all edge devices, by default, will either be tampered with by low-trust workers, or just be snatched up by fickle bypassers. Whether physical abuse may or may not happen is uncertain, but it’s safe to assume that it is likely.
To make the losses sting less, devices are priced at a reasonable low making them easily replaceable.
Some vendors are revisiting the designs, eliminating hard switches and buttons on devices to make them physically tamper-proof. They can at best be plugged off or physically damaged.
A lot of the times, bad actors are seen restoring to trading off internal components of devices in open market for money when they can’t get past the initial biometric sign-ins and authentications. With this in mind, Apple serialized most of the individual parts in its devices that prevents ripping and reselling. If a device is lifted, Apple advises the owner to registered it as stolen. Internally, Apple blacklists all paired components locking them from being reused.
Some Past Instances to Learn from
Part of the skepticism around edge computing comes from past instances of data breach. Countless digital privacy catastrophes have been orchestrated through hacking and breaching of personal devices. Devices, otherwise thought to be perfectly secure, like the iPhone, are being abused to perform long-distance stalking.
The Pegasus is another example. It is a spyware designed to covertly snoop remote user devices. Multiple times, it has been deployed on the mobile phones of targets which have served as back doors for discreetly collecting information.
Knowing that edge computing, at its cradle, has been used to diminish public privacy, is it safe to opt for it for business purposes where more than just one person’s private data is at risk?
If this concept of getting application running closer to where it needs to run to be performant has to take off, part of the deployment has to be about how and what data is available, and how is it secured,” opines Rosenthal.
Some vendors are taking a reverse approach. Instead of treating IoT and OT devices as unreliable, high-risk gadgets, they are using them to implement zero-trust at the root. Using passkeys is one of the ways companies are tackling the risks. These came as a replacement for passwords which are much easier to crack. The device generates the passkey, and it remains unknown to all entities, including the vendor. Passkeys are now the default log-in option for signing into websites and applications.
Big vendors like Apple, Amazon and Google have already introduced them into their stacks. “It’s creating more of a zero-trust boundary because now users effectively have immediate two-factor authentication,” commented Tom Hollingsworth, host and former network engineer.
Edge computing, like any breakthrough technology, creates the impetus to implement. Regulatory bodies around the world are already leveraging edge technologies for law enforcement. Some examples are scanning registration numbers on the license plates of moving vehicles, collecting live feed from dashboard cameras, monitoring an asset through indoor surveillance systems, and so on.
The information pulled from these devices are correlated and tallied with data from a series of other databases to create a case. Sometimes, doing this can encroach a person’s privacy and can reach a point where the public unwittingly becomes party to malpractice or data protection violation.
Bart Heungens, independent IT consultant, highlights, that General Data Protection Regulation, GDPR in short, has laid down strict clauses and levy harsh fines to crack down on any illegal or borderline illegal data practices.
The Spread of Edge
The other half of the problem is scale. As noted, there are not one or two, but a prolific number of devices at the edge. The spread makes simple things like pushing an upgrade or deploying a patch problematic. So is figuring out what application can expose users to risks.
Companies are keeping up by designing new patches and fixes and pushing them downstream as new data reaches them, but at this stage, it is not preemptive, which means that the impacts are felt at the bottom level before a remedy is available.
When the devices are so many in number, centralized orchestration and management is critical for effective maintenance, reminds Ben Young, head of cloud products, vBridge.
To ensure better maintenance and monitoring, companies are resorting to edge-as-a-service solutions. Opting for these outsources the tasks to an external vendor that deploys and manage the entire fleet at scale.
Edge computing is a trailblazer technology that will play an outsize role in boosting the Internet economy, and democratizing technology. But in the past, we have all seen good techs gone bad, and ways criminals can abuse a perfectly good solution. The edge maybe smart, and an empowering tool, but it still lacks social guardrails and security safeguards. It is on the vendors to recognize the best practices and applications so that users can harness this technology comfortably, without compromising on data security.
For more on this, be sure to watch the entire discussion – “Don’t Get Cut by Edge Security!”. And for more interesting conversations on edge computing, check out the technical presentations from the recent Edge Field Day event.