As ABB – a multinational corporation headquartered in Zurich, Switzerland, that's focused on robotics, power, heavy electrical equipment and automation technology areas – implements edge computing in its factories, CSO Satish Gannu is tasked with securing the emerging collection of equipment and the data that resides in it.
According to Gannu, he must ensure the integrity, security and privacy of the data on the devices, as well as safeguard against any malware moving from the cloud through the network to the end devices themselves.
"In our factory, if we're trying to take actions in milliseconds, we need to do it on the edge. But once you start collecting data, [edge computing] security is paramount from day one," he said.
"The edge is within the IT boundary, so there is [a] huge amount of security in front of it. But, at the same time, we are building a tunnel from the edge into the cloud. So, now, you're giving a connection outside your boundaries—the cloud—and that [will] allow things to get through the tunnel. That's why it's important that the traffic can leave [the edge], but what comes back into the tunnel needs to be authenticated," he continued. "It's all about control where the data is. Whether the data is on the edge or in the cloud, you have to figure out who has access to it and who is monitoring it."
Gannu said he has a layered approach to securing his company's edge computing initiative and the data that resides in it, using a host of protocols and technologies – from firewalls to secure storage to a secure registration process to authenticated traffic.
As edge computing gains steam, security executives like Gannu are facing a similar jump in edge security challenges, as they seek to set and enforce security, privacy and compliance standards around a growing number of devices on the edge, an expanding network of connections and the various new software deployments enabling the actual compute power along the fringes of the network.
"There are new risks involved in edge computing, but you can't say it's less [secure]; it's just a different set of security issues you have to consider," said Kevin Curran, a senior member of the Institute of Electrical and Electronics Engineers and a professor of cybersecurity at Ulster University.
New Edge Computing Security Risks
According to experts, edge computing introduces several new security risks.
One of the most prominent concerns is the physical security of the devices, which are more vulnerable to malicious attacks and mishaps of all kinds than typical office equipment and technology safely held within corporate walls, said Proteus Duxbury, a transformation expert at PA Consulting, based in London.
"In a highly distributed model, there's a physical security and integrity threat, because there's no guarantee [someone] might not monkey with your device. So, the physical security of handsets, edge devices and micro data centers needs to be examined," Duxbury said.
He noted that micro data centers, such as those being deployed by telecommunication companies—in some cases, at the base of cell towers—introduce a level of physical vulnerability that didn't exist with corporate data centers and large cloud providers.
Meanwhile, many organisations will be challenged to understand, track and monitor what data they have and where; what protections are required at the various points, based on the data and the vulnerabilities specific to each endpoint; and how to govern what could soon be a sprawling infrastructure at many companies.
"You're introducing more vulnerability into the system when you're keeping data on the edge. But it's not because it's a new threat, but more the volume of what we're now doing on the edge," Duxbury explained.
Edge Computing Security Offers Benefits
Although edge computing comes with new challenges, experts said it also offers some security-related benefits.
"In some ways, it's more resilient, because instead of one or two or even three data centers, where if they're close enough together that, say, a big storm could impact them all, you have distributed data and compute on the edge, which makes it much more resilient to malicious and nonmalicious events. This allows us to be resilient with data and processing," Duxbury said. "And there's less data going out to a centralised location and through communication lines, whether it's fiber-optic or telephone cables. So, there's probably less risk, because the data isn't leaving the edge and going across the internet," he continued.
Similarly, edge computing may offer some protection against a catastrophic attack where a single incident can compromise large amounts of a company's data, said Jamie Bourassa, vice president of edge computing for Schneider Electric.
"In some ways, there's more security with edge, because now your data is spread out [and] you're not concentrating and centralising your data. So, the impact of a breach can be highly contained," he said.
Meanwhile, IoT device vendors have been adding more edge computing security elements to their products after being criticised in recent years for not doing enough on that front. California's 2018 IoT security law, which, starting in 2020, requires manufacturers of connected devices to include security features designed to prevent unauthorised access, modification, and information disclosure, has helped push the issue further to the forefront.
Fundamentals Still Apply
Curran said organisations and IT leaders need to cultivate new skills within their security teams to cope with the new types of security and compliance challenges that edge computing brings, noting that security workers will have to develop more knowledge in securing virtualised network infrastructure, rules-based access control policies, and multi-tenant virtualised server infrastructure.
He added that they must also retain all the conventional security and compliance acumen they've needed thus far, as the security, compliance and privacy risks, as well as the governance needs that exist today, aren't going away with edge computing.
In fact, experts pointed out that edge computing security and capabilities are vulnerable to denial-of-service attacks, ransomware and other conventional types of threats.
Despite the newness of edge computing, experts advise IT leaders to develop security, privacy and compliance plans for their edge computing capabilities as they would for their conventional technology infrastructure and data holdings.
"The fundamentals haven't changed: You're evaluating the risk. You go through the threat and risk analysis and decide what needs to be done," Gannu said.