Securing the Edge
There’s gold out there at the edge of the network.
From factories and power plants to smart buildings and beyond, businesses are increasingly using data from sensors, cameras, and other Internet of Things devices to drive real-time action in ways that increase efficiency and create new revenue streams.
Along the way, however, they’re adding hundreds and sometimes thousands of tempting targets to already vulnerable networks. Indeed, protecting edge computing hardware takes all the security challenges channel pros already know and compounds them with a bunch of new ones.
“They’re lower-cost devices, there’s a lot more of them, and they’re at remote locations,” says Ivan O’Connor, head of IoT at ActionPoint, a multinational software development and managed IT services provider based in Limerick, Ireland. “Those three factors alone make edge device security a tough nut to crack.”
And there’s more to edge security than just devices. The cloud solutions those devices connect to and the networks they employ to communicate with the cloud are potential attack surfaces as well. O’Connor and others with edge experience agree, however, that any IT provider familiar with the basic rules of edge security can successfully offer it.
“As long as you commit to those principles, there are very good platforms out there to do it with now,” O’Connor says. “There isn’t any rocket science involved here.”
Inventory and Assess
The volume and widely dispersed location of edge solutions aren’t the only reasons they’re difficult to protect. Security is often an afterthought among manufacturers of edge hardware, and few edge devices can accommodate endpoint security software. Managing edge devices, moreover, isn’t as easy as managing a laptop or smartphone.
“They mostly don’t have a user interface,” observes Ben Frame, vice president of product at ClearObject, an IoT solution provider based in Fishers, Ind.
To make matters worse, edge deployments in industries like manufacturing and transportation are often overseen by operational technology (OT) professionals who aren’t as well versed in security as their IT counterparts. “They may understand physical security, but cybersecurity is something that is often new to them or is not well understood,” observes Barry Dellecese, senior director at Stratus Technologies, an edge computing integrator headquartered in Maynard, Mass.
Tackling problems like those, he continues, should begin with a security audit aimed at inventorying edge assets and assessing their exposure. “You’ll look at where your threats are or where your potential vulnerabilities are, both physical and digital, and then begin thinking about what is going to be your plan to either accept those risks or put in place some remediation plans so that you can reduce the risk,” says Dellecese, adding that OT should participate in that process.
Gateways and Encryption
Those remediation plans should encompass edge devices, cloud solutions, and the networks that link them. Start with the hardware by performing basics like changing default administrator passwords set by the hardware maker. If a device has built-in security features like a secure bootloader, which verifies the authenticity of firmware before running it, make sure they’re enabled.
ActionPoint then takes an extra step. “We typically push a Windows 10 IoT gateway in there as the gatekeeper for the sensors,” O’Connor says. To make that unit as tamper-proof as possible, he continues, technicians enable its Trusted Platform Module feature, lock down any unnecessary ports, and ensure that only outbound connections to the cloud are permitted.
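One way to put the gateway hardening O’Connor describes into practice, as an added example written for this article rather than ActionPoint’s own configuration: a PowerShell script for a Windows 10 IoT gateway that checks the TPM and Secure Boot state, sets the Windows firewall to default-deny, and permits only outbound connections to the cloud plus inbound MQTT from the sensor segment. The cloud address range, sensor subnet, and port numbers are assumed placeholders, and the script must run in an elevated session.

```powershell
# Added example, not ActionPoint's configuration: hardening checks and a
# default-deny firewall posture for a Windows 10 IoT gateway.
# Assumptions (constructed placeholders, not from the article):
#   - the cloud IoT endpoint lives in 203.0.113.0/24 (TEST-NET-3)
#   - sensors sit on 192.168.10.0/24 and publish MQTT to the gateway on TCP 1883
#   - the gateway reaches the cloud over TLS on TCP 443 and 8883
$CloudRange  = '203.0.113.0/24'
$SensorRange = '192.168.10.0/24'

# 1. Confirm the hardware roots of trust the article says to enable.
#    Get-Tpm and Confirm-SecureBootUEFI ship with Windows; both need admin rights.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning 'TPM is missing or not provisioned; enable it in firmware first.'
}
if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is off; unsigned boot images and firmware will load.'
}

# 2. Default-deny in both directions on every profile, so any port not
#    explicitly opened below stays closed.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 3. List the inbound allow rules Windows enabled by default, so unneeded
#    ports can be reviewed and disabled during the audit (review, not auto-disable:
#    some core networking rules, such as DHCP, are needed for basic connectivity).
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile | Sort-Object DisplayName

# 4. Only outbound traffic to the cloud endpoints is permitted.
New-NetFirewallRule -DisplayName 'IoT-Out-Cloud-TLS' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $CloudRange -RemotePort 443,8883

# 5. DNS out so the cloud hostname resolves (drop this rule if IPs are static).
New-NetFirewallRule -DisplayName 'IoT-Out-DNS' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53

# 6. Sensors may reach the gateway's MQTT listener and nothing else.
New-NetFirewallRule -DisplayName 'IoT-In-Sensors-MQTT' -Direction Inbound -Action Allow `
    -Protocol TCP -RemoteAddress $SensorRange -LocalPort 1883

# 7. Report the ports this script opened, for the audit record.
Get-NetFirewallRule -DisplayName 'IoT-*' -Enabled True |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort, RemotePort
```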
If possible, counsels Prakash Sangam, founder and principal of IT advisory firm Tantra Analyst, employ LTE or 5G networks rather than Wi-Fi to connect edge devices to the cloud. Mobile carriers typically encrypt data and authenticate users effectively, he notes. “If you’re using Wi-Fi then there are a lot of ways it could be hacked.”
Don’t rely solely on mobile providers for encryption, though. Secure edge solutions use it all the way from the sensors to the cloud. “Encryption is a big deal,” Frame says. “We want to encrypt data in transit and we want to encrypt data at rest.”
Cloud platforms like AWS IoT Core, from Amazon Web Services, Google Cloud IoT Core, and Microsoft Azure IoT Central all offer encryption for data at rest, along with a host of other essential security features, such as over-the-air patch management for edge hardware.
“It’s not a question of if, but when those devices will need to be updated,” Frame notes. “We want to make sure that that process is robust.” All three leading IoT platforms are also relatively easy to learn, he adds, and include APIs you can use to integrate them with your other management systems.
ActionPoint, once again, goes a little further than many of its peers by segregating customer data in dedicated cloud instances. “That’s not something that every IoT solution provider does,” O’Connor says. “Some solution providers kind of provide a SaaS model where all data goes into one tenancy, and then there’s authenticated access to that data.” Storing each client’s data separately, however, provides an extra bit of safety that clients worried about cloud security find reassuring.
Training and Policies
Even the best tools can’t safeguard edge solutions alone, however. “A lot of it’s about the people and process before you get to technology,” Dellecese observes. Getting the people piece of the formula right is mostly about giving users security awareness training on a regular basis. The process part entails setting policies in areas like access management that limit permissions to people who truly need them, and carefully controlling access by outside third parties.
Those are principles familiar to most channel pros already, however, and there’s no shortage of relevant and effective edge security technologies out there. “There really is no reason for any systems integrator or solution provider to not be able to build a highly secure system,” O’Connor says.
“Yes, it may take a little bit longer time and it may cost the customer a little bit more in terms of the upfront build and the ongoing service costs, but all of those modules are there and they’re pretty accessible.”