Brian Jackson - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Challenges vs. benefits of edge computing security

Organizations moving more compute to the edges of their networks must adjust how they protect and govern their data and devices. But what should you expect along the way?

As ABB -- a multinational corporation headquartered in Zurich, Switzerland, that's focused on robotics, power, heavy electrical equipment and automation technology areas -- implements edge computing in its factories, CSO Satish Gannu is tasked with securing the emerging collection of equipment and the data that resides in it.

According to Gannu, he must ensure the integrity, security and privacy of the data on the devices, as well as safeguard against any malware moving from the cloud through the network to the end devices themselves.

"In our factory, if we're trying to take actions in milliseconds, we need to do it on the edge. But once you start collecting data, [edge computing] security is paramount from day one," he said.

"The edge is within the IT boundary, so there is [a] huge amount of security in front of it. But, at the same time, we are building a tunnel from the edge into the cloud. So, now, you're giving a connection outside your boundaries -- the cloud -- and that [will] allow things to get through the tunnel. That's why it's important that the traffic can leave [the edge], but what comes back into the tunnel needs to be authenticated," he continued. "It's all about control where the data is. Whether the data is on the edge or in the cloud, you have to figure out who has access to it and who is monitoring it."

Gannu said he has a layered approach to securing his company's edge computing initiative and the data that resides in it, using a host of protocols and technologies -- from firewalls to secure storage to a secure registration process to authenticated traffic.

As edge computing gains steam, security executives like Gannu are facing a similar jump in edge security challenges, as they seek to set and enforce security, privacy and compliance standards around a growing number of devices on the edge, an expanding network of connections and the various new software deployments enabling the actual compute power along the fringes of the network.

"There are new risks involved in edge computing, but you can't say it's less [secure]; it's just a different set of security issues you have to consider," said Kevin Curran, a senior member of the Institute of Electrical and Electronics Engineers and a professor of cybersecurity at Ulster University.

New edge computing security risks

According to experts, edge computing introduces several new security risks.

One of the most prominent concerns is the physical security of the devices, which are more vulnerable to malicious attacks and mishaps of all kinds than typical office equipment and technology safely held within corporate walls, said Proteus Duxbury, a transformation expert at PA Consulting, based in London.

"In a highly distributed model, there's a physical security and integrity threat, because there's no guarantee [someone] might not monkey with your device. So, the physical security of handsets, edge devices and micro data centers needs to be examined," Duxbury said.

He noted that micro data centers, such as those being deployed by telecommunication companies -- in some cases, at the base of cell towers -- introduce a level of physical vulnerability that didn't exist with corporate data centers and large cloud providers.

Meanwhile, many organizations will be challenged to understand, track and monitor what data they have and where, what protections are required at the various points based on the data and vulnerabilities specific to each endpoint and how to govern what could soon be a sprawling infrastructure at many companies.

"You're introducing more vulnerability into the system when you're keeping data on the edge. But it's not because it's a new threat, but more the volume of what we're now doing on the edge," Duxbury explained.

Edge computing security offers benefits

Although edge computing comes with new challenges, experts said it also offers some security-related benefits.

Despite the newness of edge computing, experts advise IT leaders to develop security, privacy and compliance plans for their edge computing capabilities as they would for their conventional technology infrastructure and data holdings.

"In some ways, it's more resilient, because instead of one or two or even three data centers, where if they're close enough together that, say, a big storm could impact them all, you have distributed data and compute on the edge, which makes it much more resilient to malicious and nonmalicious events. This allows us to be resilient with data and processing," Duxbury said. "And there's less data going out to a centralized location and through communication lines, whether it's fiber-optic or telephone cables. So, there's probably less risk, because the data isn't leaving the edge and going across the internet," he continued.

Similarly, edge computing may offer some protection against a catastrophic attack where a single incident can compromise large amounts of a company's data, said Jamie Bourassa, vice president of edge computing for Schneider Electric.

"In some ways, there's more security with edge, because now your data is spread out [and] you're not concentrating and centralizing your data. So, the impact of a breach can be highly contained," he said.

Meanwhile, IoT device vendors have been adding more edge computing security elements to their products after being criticized in recent years for not doing enough on that front. California's 2018 IoT security law, which, starting in 2020, requires manufacturers of connected devices to include security features designed to prevent unauthorized access, modification and information disclosure, has helped push the issue further to the forefront.

Fundamentals still apply

Curran said organizations and IT leaders need to cultivate new skills within their security teams to cope with the new types of security and compliance challenges that edge computing brings, noting that security workers will have to develop more knowledge in security virtualized network infrastructure, rules-based access control policies and multi-tenant virtualized server infrastructure.

He added that they must also retain all the conventional security and compliance acumen they've needed thus far, as the security, compliance and privacy risks, as well as the governance needs that exist today, aren't going away with edge computing.

In fact, experts pointed out that edge computing security and capabilities are vulnerable to denial-of-service attacks, ransomware and other conventional types of threats. 

Despite the newness of edge computing, experts advise IT leaders to develop security, privacy and compliance plans for their edge computing capabilities as they would for their conventional technology infrastructure and data holdings.

"The fundamentals haven't changed: You're evaluating the risk. You go through the threat and risk analysis and decide what needs to be done," Gannu said.

Dig Deeper on Cybersecurity strategy

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What steps has your organization taken to secure its data on the edge?
As far as I can tell, Edge Computing seems to be mostly taking off in the types of firm that haven't yet been through the challenges of managing large estates of computers and so they have limited understanding of what they don't know.

When I looked at large estates in data centres, they were full of security holes because the management silos hid sufficient information to enable management of the security. This was typically cloaked in the language of this article: layered security. That was in firms with annual IT budgets in the single digit billions.

This leads me to question whether the early adopters of Edge Computing have the necessary capabilities to understand what they need to do about security.
There is nothing new here!, The edge computing is a marketing term and it is not about any true technology change. People have been using the so called edge computing before public cloud became popular or even before corporate data centers came in to existence. It was then called as small to medium business. The only addition today is that of data generated from various factories or medical devices etc. The compute part in those devices is very device specific and not a general purpose compute. The data security issues have always existed decades ago but at that time we talked about small office to head office data transfer security. The devices in small office were lot more vulnerable than devices at head office. So the issue are same. There is no new technology to solve this except data encryption. The only thing extra today is explosion of data.