Device Security 101: Cloud, Networking, & Physical Security Essentials
Many businesses look to edge computing devices to maximize operational efficiency, improve performance, automate tasks and core business processes, and create better customer experiences. Because the edge can sit anywhere between the end device and the cloud or internet, it is crucial for businesses to set up their cloud and network infrastructure securely so that edge devices operate as they should, safely and without performance degradation. This blog will break down the cloud, networking, and physical security essentials that businesses should consider when setting up their edge devices.
Cloud Security for Edge Devices
To preface, it can become overwhelming and expensive when hundreds of distributed IoT devices transmit data over bandwidth-consuming, expensive communication channels to a central data center. Processing data on the device at the edge helps manage the immense amount of data generated by IoT products: it reduces bandwidth requirements and allows data to be analyzed in real time. By processing data "locally," only relevant, critical data is sent back to the cloud. As many businesses will find, processing and analyzing every workload at the edge is not always ideal. For example, machine learning (ML) workloads such as image and speech recognition are often sent to the cloud so the data can be used to train more accurate ML models, since edge intelligence is still in its early stages; Gartner expects Edge AI software and hardware to reach its peak in another 2–5 years.
Security risks within edge computing depend on the relationship between the edge and the cloud. Some edge devices connect to a public cloud, others to a private data center. In most scenarios, edge devices act as "controllers," meaning they control the data flow at the boundary between two networks. The movement of data from the edge to the cloud, and especially from the cloud back to the edge (management commands, configuration, firmware updates), therefore makes edge devices attractive targets: whoever controls that return path controls the device. While cloud providers already offer many cloud-native security features and services, it is highly recommended that businesses also implement third-party solutions to protect their assets (and by extension their edge devices) from breaches, data leaks, and other targeted attacks in the cloud. Below are cloud security best practices for businesses:
● Implement granular, policy-based IAM (Identity and Access Management) and authentication controls so that only the minimal privileges a group or role (e.g. administrators) needs to carry out its tasks are granted. Each edge device should likewise have its own identity and its own narrowly scoped permissions rather than sharing a fleet-wide credential.
● Safeguard applications with a web application firewall (WAF) to monitor and filter traffic. A WAF protects the web applications and APIs that edge devices talk to against common web vulnerabilities, Layer 7 DDoS attacks, and bots.
● Invest in enhanced data protection. Encryption in transit (TLS with certificate validation), for example, keeps data confidential from anyone on the path between the device and the cloud and lets the device confirm it is talking to the genuine service rather than an impostor.
● Evaluate and deploy only secure edge device management platforms. Managing edge devices at scale often requires the use of software applications and platforms to manage assets and data for edge devices, so businesses must carefully evaluate which ones to utilize. SDT offers complete control of edge devices in the form of a device orchestration software platform.
Network Security for Edge Devices
Edge computing introduces new security challenges when securing devices and networks, since increased connectivity also increases the risk of malicious activity moving from the internet into the corporate network. Applying a "zero trust" policy to all edge devices is key to edge computing security. In a zero trust access scenario, each device is granted only the minimal access, or appropriate trust, required to do its job, and that trust is verified on every connection rather than assumed from network location. Building a zero-trust model using a unified security platform approach that spans a business's cloud computing ecosystem helps consolidate security across all edges. Simply put, it simplifies the protection of the expanding attack surface regardless of where users or devices are located, improves security visibility, and enables automation to cover the entire distributed network. Businesses should consider the following fundamental network security recommendations:
● Implement network access control at the most granular level wherever possible so that unauthorized users and devices cannot join the network in the first place.
● Install antivirus and anti-malware software to protect against viruses, ransomware, worms and trojans and to continuously scan and track files that enter the network.
● Adopt network edge firewalls and intrusion detection to control incoming and outgoing traffic and block malicious traffic.
● Consider utilizing Virtual Private Networks (VPNs) to encrypt data in transit between the device and the network and to authenticate devices (for example with per-device certificates) before they are allowed to communicate. A VPN protects data on the wire only; data at rest on the device still needs its own encryption.
Physical Security for Edge Devices
By 2025, Gartner predicts "75% of enterprise-generated data will be created and processed at the edge." From a security standpoint, data at the edge can be troublesome, especially when it is handled by different devices that might not be as secure as centralized or cloud-based systems. As a result, security gaps are emerging in cloud-edge integration, and edge devices will continue to serve as entry points for cyberattacks. Vulnerabilities exist along every element of the edge ecosystem, whether that be the edge, the cloud, or the endpoint. Every IoT node is a potential entry point for attackers. In other words, businesses must secure each point all the way through to the cloud to ensure attackers cannot use the edge to access the network.
While devices that rely on cloud computing benefit from the physical protections of a data center (doors, locks, security cameras, and firewalls), edge devices are often deployed in places nobody guards, so their physical security starts at the hardware and firmware level. Security is often an afterthought in edge device design, and manufacturers frequently build edge devices without investing in security. Many of these devices also ship with backdoor access that manufacturers use to monitor performance, which malicious actors can use to gain access to the device and the network. To counter these physical threats and other edge security threats, the following is recommended:
● Ensure devices have Secure Boot, which verifies the cryptographic signature of each boot stage (bootloader, then operating system or firmware) before executing it, so firmware that has been modified or replaced is refused rather than run. If an attacker manages to insert malicious code into the device, it could become part of a botnet or be used as a "launching pad" for attacks targeting other, more sensitive systems. Secure Boot is essential in preventing malicious actors from compromising an operating system or installing a different bootloader used for tampering.
● Invest in edge devices with embedded HSMs, which go hand in hand with key management and a Root of Trust (RoT). The last few years have seen a strong push for the use of HSMs in new vertical markets, particularly within the IoT ecosystem, including the automotive, healthcare, manufacturing, and utilities industries. A hardware security module generates and stores the cryptographic keys used for critical functions such as encryption and authentication, and those keys never leave it in plaintext. This means enhanced security for sensitive data, which is needed when messages are passed between two edge devices. Cryptographic features and key management techniques protect in-transit and at-rest data, while also ensuring that the booting edge device is running authentic, authorized firmware and software. A unique identity can also be created for the edge device, enabling a compromised device to be identified and isolated before damage can be done.
● Invest in PSA-certified edge devices for RoT. PSA provides a security framework that allows security to be built in at both the hardware and firmware level. In particular, it establishes trust through a multi-level assurance program for chips containing a Root of Trust (PSA-RoT). Having a RoT is key in edge security since it serves as the backbone of hardware security. PSA certification saves developers and consumers time and money by thoroughly testing chips' RoT capabilities to reduce the risk of a malware attack in the first place. All of SDT's devices have PSA certification, including the SDT Smart Hub, a smart city turnkey solution for water and sewage systems, and SDT Pinmark, a high-precision asset tracking solution for fleet management and equipment logistics.
● Use key-based authentication and strong passwords. If the edge device exposes an SSH shell (SSH is a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network), enable public-key authentication and disable password authentication wherever possible; where a password login must remain, it must be strong and unique to the device, never a factory default.
● Consider using a quantum random number generator for the RoT.
The quality of a device's random numbers is a foundation of its security, and many see the quantum random number generator as its future. As previously stated, the primary starting point, or backbone, for all security in the device is the RoT. Encryption depends on a secret key used to protect data on the device, so businesses should store the key in a secure place (the HSM or RoT) and, just as importantly, make sure it is unpredictable. Typically it is recommended that an encryption key be a minimum of 128 bits long and consist of full-entropy data generated by a properly seeded cryptographic random bit generator. A deterministic random bit generator is only as unpredictable as the entropy it was seeded with: if the seed comes from a small or guessable source (a boot timestamp, a serial number, an uninitialized register), an attacker can enumerate the candidate seeds and recover the key no matter how long it is. SDT can produce any edge system with a verified quantum random number generator (QRNG), which draws its randomness from a physical quantum process and so supplies true random, high-entropy material for generating keys. This removes the weak-seed class of attack at its source; the keys still need to be generated and kept inside the RoT so that they are not exposed through other paths.
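To make the Secure Boot and Root of Trust bullets concrete, here is an added example of a two-stage verified boot chain. It is illustrative code written for this post, not SDT's device firmware. It assumes a device key that only the RoT holds, and it uses HMAC-SHA256 under that key in place of the RSA/ECDSA signature check real Secure Boot implementations perform (a simplification, because Python's standard library has no asymmetric primitives). Each image ships with a manifest carrying its version and digest; the chain refuses tampered images, forged manifests, and rollback to an older version.

```python
import hashlib
import hmac
import json

# Device key provisioned into the hardware RoT (HSM / OTP fuses) at
# manufacture. Constructed value; on a real device it never leaves the HSM.
ROT_KEY = bytes.fromhex("6f1d" * 16)
# Second-stage key derived from the RoT key: the bootloader uses it to check
# the application firmware so the two stages do not share one secret.
FW_KEY = hmac.new(ROT_KEY, b"firmware-stage", "sha256").digest()


class BootError(Exception):
    """A stage failed authentication; the device must halt, not continue."""


def sign_image(key, image, version):
    """Signing-server side: authenticate (version, image digest) with the key."""
    digest = hashlib.sha256(image).hexdigest()
    payload = json.dumps({"version": version, "sha256": digest}, sort_keys=True)
    mac = hmac.new(key, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "mac": mac}


def verify_stage(key, image, manifest, min_version):
    """Device side: check the manifest MAC first (it is untrusted input), then
    bind the manifest to the image, then enforce anti-rollback."""
    expected = hmac.new(key, manifest["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):  # constant-time compare
        raise BootError("manifest not authenticated by the trusted key")
    meta = json.loads(manifest["payload"])
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), meta["sha256"]):
        raise BootError("image does not match its authenticated digest")
    if meta["version"] < min_version:
        raise BootError("rollback to an older image refused")
    return meta["version"]


def boot(bootloader, bl_manifest, firmware, fw_manifest,
         min_bl_version=0, min_fw_version=0):
    """Chain of trust: the immutable RoT verifies the bootloader, and only a
    verified bootloader verifies the application firmware."""
    bl_version = verify_stage(ROT_KEY, bootloader, bl_manifest, min_bl_version)
    fw_version = verify_stage(FW_KEY, firmware, fw_manifest, min_fw_version)
    return f"booted bootloader v{bl_version}, firmware v{fw_version}"


# Constructed images standing in for real binaries.
GOOD_BOOTLOADER = b"bootloader-image-v2"
GOOD_FIRMWARE = b"application-firmware-v7"
BL_MANIFEST = sign_image(ROT_KEY, GOOD_BOOTLOADER, 2)
FW_MANIFEST = sign_image(FW_KEY, GOOD_FIRMWARE, 7)


def demo():
    """Run the chain against a good image, a tampered image, a manifest
    forged under an attacker's key, and an attempted rollback."""
    results = {"good": boot(GOOD_BOOTLOADER, BL_MANIFEST, GOOD_FIRMWARE, FW_MANIFEST)}
    cases = (
        ("tampered", GOOD_FIRMWARE + b"\x90", FW_MANIFEST, 0),   # implant appended
        ("forged", GOOD_FIRMWARE, sign_image(b"attacker-key", GOOD_FIRMWARE, 7), 0),
        ("rollback", GOOD_FIRMWARE, FW_MANIFEST, 8),              # v7 < required v8
    )
    for name, fw, manifest, min_fw in cases:
        try:
            boot(GOOD_BOOTLOADER, BL_MANIFEST, fw, manifest, min_fw_version=min_fw)
            results[name] = "booted (unexpected)"
        except BootError as err:
            results[name] = f"halted: {err}"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9} -> {outcome}")
```

The order of checks matters: the MAC over the manifest is verified before anything in the manifest is trusted, the image is compared against the digest with a constant-time compare, and the version floor is enforced last so that an attacker cannot downgrade a device to a signed-but-vulnerable older release.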
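For the SSH authentication bullet, the following added example audits an sshd_config for the settings that bullet calls for. It is illustrative code for this post, not an SDT tool, and the two configurations it checks are constructed samples. The check models two sshd behaviours that are easy to get wrong: a directive that is absent takes OpenSSH's default (PasswordAuthentication defaults to yes, so leaving it out does not disable passwords), and when a directive appears twice sshd keeps the first value, so a later "PasswordAuthentication no" does not override an earlier "yes".

```python
# Directive -> (acceptable values, OpenSSH default when the directive is absent)
REQUIRED = {
    "PubkeyAuthentication": ({"yes"}, "yes"),
    "PasswordAuthentication": ({"no"}, "yes"),
    "KbdInteractiveAuthentication": ({"no"}, "yes"),   # another password path
    "PermitEmptyPasswords": ({"no"}, "no"),
    "PermitRootLogin": ({"no", "prohibit-password"}, "prohibit-password"),
}
# Older name for KbdInteractiveAuthentication still found in many configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (global_settings, match_lines). Directive names are
    case-insensitive, the first occurrence wins, and every line after a
    'Match' directive is conditional, so it is collected for manual review."""
    settings, match_lines, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        if in_match:
            match_lines.append(line)
            continue
        settings.setdefault(key, value)              # first occurrence wins
    return settings, match_lines


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    settings, match_lines = parse_sshd_config(text)
    findings = []
    for name, (acceptable, default) in REQUIRED.items():
        actual = settings.get(name.lower())
        effective = actual if actual is not None else default
        if effective.lower() not in acceptable:
            origin = "set to" if actual is not None else "absent, defaults to"
            findings.append(f"{name}: {origin} '{effective}', "
                            f"expected one of {sorted(acceptable)}")
    if match_lines:
        findings.append(f"review {len(match_lines)} line(s) inside Match blocks; "
                        "they can re-enable password logins for some users")
    return findings


# Constructed sample: what a gateway shipped with vendor defaults might contain.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config on an edge gateway (constructed sample)
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes      # weak: password logins still allowed
PasswordAuthentication no       # ignored: sshd keeps the first value
PermitRootLogin yes
Match User maintenance
    PasswordAuthentication yes
"""

# Constructed hardened version of the same file.
HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Run it across a fleet by feeding each device's sshd_config to `audit`; any Match block is reported for review rather than judged automatically, because whether it weakens the policy depends on which users it matches.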
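The random number bullet above says a key is only as unpredictable as the seed behind it. The following added example shows why, with constructed code that is not SDT's (and does not involve a QRNG, which is hardware): a hypothetical device seeds a deterministic generator from its boot time in seconds, a pattern seen on hardware with no entropy source, and an attacker who knows only that the device booted within a one-hour window recovers the full 128-bit key by enumerating the 3600 possible seeds. The same attack against a key from the operating system's CSPRNG (`secrets`, seeded from kernel and hardware entropy) finds nothing. The key-check value the device sends is an assumption standing in for any observable that depends on the key, such as a ciphertext with known plaintext.

```python
import hashlib
import math
import random
import secrets


def weak_key(seed, nbytes=16):
    """Key from a deterministic generator: fully determined by the seed."""
    return random.Random(seed).getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def strong_key(nbytes=16):
    """Key from the OS CSPRNG, seeded from kernel and hardware entropy."""
    return secrets.token_bytes(nbytes)


def key_check_value(key):
    """8-byte key-confirmation tag the device sends (assumed observable);
    the attacker sees this, never the key itself."""
    return hashlib.sha256(b"kcv" + key).digest()[:8]


def recover_key(kcv, window_start, window_len):
    """Attacker: enumerate every seed in the window and return
    (seed, key) for the one whose tag matches, else None. The cost is the
    size of the seed space, not 2**128."""
    for guess in range(window_start, window_start + window_len):
        candidate = weak_key(guess)
        if key_check_value(candidate) == kcv:
            return guess, candidate
    return None


def effective_entropy_bits(window_len):
    """A 128-bit key drawn from window_len possible seeds carries only
    log2(window_len) bits of unpredictability."""
    return math.log2(window_len)


def demo():
    boot_time = 1_700_000_000                  # constructed boot timestamp used as seed
    device_key = weak_key(boot_time)
    tag = key_check_value(device_key)
    start, length = boot_time - 1800, 3600     # attacker knows: booted within this hour
    found = recover_key(tag, start, length)
    good_key = strong_key()
    found_strong = recover_key(key_check_value(good_key), start, length)
    return {
        "weak_recovered": found is not None and found[1] == device_key,
        "weak_seed": found[0] if found else None,
        "weak_bits": effective_entropy_bits(length),
        "strong_recovered": found_strong is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The generator in the weak case (Python's Mersenne Twister) is not the problem; its output is fully determined by roughly 12 bits of seed, and that is the entire security of the key. A true random source, whether an OS entropy pool fed by hardware or a QRNG, fixes the seed, not the generator.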
Edge security should never be an afterthought. Additional protection measures in software and hardware capabilities may be needed to ensure edge devices are fully protected. This blog presented just some of the “starting” essentials needed to protect edge devices but is by no means a comprehensive list. Contact SDT for your specific security needs, and follow the SDT blog for more updates on upcoming security products and services.
Read more about our edge devices and security on the SDT Naver blog or follow our SDT LinkedIn to stay informed on our upcoming quantum projects.
About the Author: Karen is a passionate B2B technology blogger. While studying at Georgia Tech, Karen first grew interested in cybersecurity and has since worked for several security and cloud companies as a global marketer. When she’s not freelance writing, Karen loves to explore new food trends.