According to all the usual suspects in IT trend forecasting, edge computing is the latest and greatest growth area. Currently, about 10% of enterprise related data is created and processed outside the centralised systems, in the data centres or corporate cloud environment, but within two or three years this will grow to the majority of the data. That data will instead be processed ‘at the edge’, meaning the edge of the network; the important principle is that this is the edge nearest the real world, and so nearest the sources and users of that data.
One of the largest growing areas of data sources is Operational Technology, or the Industrial Internet of Things. Sensor devices are not just installed on stationary devices in factories these days but are increasingly out and about or even mobile. Agriculture is a growing area for data capture and analysis, and a Formula 1 car can generate terabytes of telemetry data in a single race. While a farmer can accept a delay between collecting data from scattered moisture sensors and turning on the required irrigation systems to compensate, an engineering team monitoring a race car wants their data to be collected, processed, and acted on within milliseconds. Industrial control systems or augmented reality vision systems are also very sensitive to latency.
As well as low-latency responsiveness, ever increasing data volumes can be addressed by an initial processing layer close to the data sources, so that instead of transmitting huge quantities of raw data back to the central site, a much smaller quantity of useful information can be sent instead.
The third benefit is system autonomy. If the central systems or the link to them becomes unavailable, then local systems may be able to keep going. Centralised control may have been lost, but if ‘keep going as you are’ is good enough, then that is what can happen, which is particularly advantageous for critical infrastructure management.
Since low latency is one of the drivers of edge computing, there must be a way to communicate the data effectively and, increasingly, this is through a 5G connection direct from the device. This strong symbiosis with 5G means that MEC (Multi-Access Edge Computing or Mobile Edge Cloud) becomes the obvious place to virtualise and host edge computing capabilities. These are mini-data centres physically located close to the radio infrastructure of 4G and 5G networks.
So, if your data and, worse, your control signals are bouncing around the mobile network, in and out of somebody else’s X-as-a-Service infrastructure, where X might even have multiple levels (for example a third-party SaaS platform running on top of the telco’s MEC IaaS platform), how do you keep everything secure?
The first piece of good news is that 5G is designed to be more secure than any of its predecessors. 4G networks were pretty good but did have some known problems. 5G addresses those, although hybrid 4G+5G networks may allow those additional defences to be circumvented, so only pure 5G networks will be as secure as the design allows for. However, the endpoints are much easier places to compromise and establish an attack, so they need to be where the security controls are focused.
At the device end, sensor manufacturers normally target speed to market and budget, so security does not always get the focus it should. There is not yet any common standard on how IoT and similar devices should be secured, although ISO/IEC TR 30164:2020 devotes one section to it, and various governments occasionally state the need for regulation in this area. Key points to consider are: can the default password be changed, can the firmware be updated, and is the firmware update mechanism protected in some way, such as by cryptographically signing the image? If these minimums are met then at least there is a possibility of keeping the most basic of attacks out and updating the devices to deal with future problems, at least for as long as the provider continues to produce updates and fixes. Beyond that, normal security controls should be applied, but if these devices have direct links to a mobile network, how can boundary controls be added? They cannot, but 5G networks do provide alternative protections. A private 5G network can be created to allow device intercommunication within a limited group, such as all devices within a factory, or network slicing can provide a tunnel to systems elsewhere, such as MEC based facilities, without traffic being allowed out of that slice, or other traffic in.
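The signed-firmware check mentioned above, as an added example that is not part of the original article or of any vendor's updater: the device holds the vendor's Ed25519 public key and refuses to accept an image whose header and payload do not verify against it. The image layout (magic, version, length, payload, signature) is constructed for this example and is not a real vendor format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout: "FWIM" | version (u32 BE) | payload length (u32 BE) | payload | 64-byte Ed25519 signature.
// The signature covers header and payload, so a changed version field is detected as well as a changed payload.
const headerLen = 12

var magic = []byte("FWIM")

// BuildImage is the vendor-side step: assemble the header and sign it together with the payload.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the device-side step, run before anything is written to flash.
// It returns the version and payload only when the image is well formed and the signature checks out.
func VerifyImage(pub ed25519.PublicKey, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize || !bytes.Equal(img[:4], magic) {
		return 0, nil, errors.New("malformed image")
	}
	version := binary.BigEndian.Uint32(img[4:8])
	n := int(binary.BigEndian.Uint32(img[8:12]))
	if n != len(img)-headerLen-ed25519.SignatureSize {
		return 0, nil, errors.New("length field does not match image size")
	}
	signed, sig := img[:headerLen+n], img[headerLen+n:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, errors.New("signature check failed: image rejected")
	}
	return version, signed[headerLen:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's key pair
	img := BuildImage(priv, 2, []byte("constructed sensor firmware v2"))
	v, _, err := VerifyImage(pub, img)
	fmt.Println("genuine image: version", v, "err", err)
	img[headerLen] ^= 0x01 // corrupt one payload byte
	_, _, err = VerifyImage(pub, img)
	fmt.Println("corrupted image:", err)
}
```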
The edge computing end has more to worry about, especially as the layers of virtualisation and containerisation mean that management of the full stack is likely to be split between multiple organisations. This means there is a strong need for good security processes – security must be considered as an important part of the design process rather than as something that can be quickly strapped on afterwards. With the mix of multiple providers throughout the edge stack, and a high likelihood of multiple customers making use of a shared service, identity and access control at each level must be effective at limiting who can do what. Continuous checking for weaknesses must be followed up by quickly patching or otherwise mitigating any problems found. The latest generation of automated penetration-testing tools go well beyond monthly vulnerability scans and next generation protection and detection services should also be considered to manage such a vast and decentralised service.
According to one technology advisory firm, “The additional layer of security at the edge enhances the user experience.” Perhaps they mean that sparing users the fury or panic of learning about the latest security breach is a good thing, but that security does not provide itself. Service providers need to build it into and around their offerings, and users need to look after their own end as well.
Net Reply have experts in security by design, identity and access management, automated security testing and response, and many other aspects of security. Please feel free to reach out to Ian Shatwell for any further questions.