5 security considerations for edge implementations
Many organizations are apprehensive about the security of edge deployments. As data becomes more and more valuable, security threats create increasingly serious concerns. No organization wants to be in the news explaining why they were exposed to the latest security threat, nor do they want to account for sensitive information being stolen. These security threats can damage an organization’s credibility and ultimately impact their bottom line.
Red Hat and our ecosystem of partners can help mitigate some of the security threats posed by edge deployment by describing the additional threats created by deploying edge solutions.
Security considerations beyond the datacenter
For many security teams, securing the datacenter with firewalls, two-factor authentication, monitoring Common Vulnerabilities and Exposures (CVEs), and role-based access control (RBAC) methods has been their primary focus. Now that edge deployments are becoming more and more in demand, these security teams need to turn their attention to protecting these new deployments, which creates extra concerns because the attack surface is now extended beyond the datacenter.
An organization’s most valuable data traditionally was contained within the datacenter. Those teams had the ability to easily monitor and control the movement of this data in and out of the datacenter. Even if there was a data breach, they had the ability to trace how the data was stolen and what it included. Edge deployments complicate this because they move valuable organization data collection and management outside of the boundaries of the datacenter.
Figure 1 depicts how each edge deployment has five core areas of exposure that make it vulnerable: data, network, operating system (OS) platform, software and hardware.
Figure 1. Edge Technology Components: each edge technology component and some of the vulnerabilities it presents.
Securing data at the edge
The most critical component is data. This is what edge deployments are all about—capturing, collecting, and processing raw data at the point where an event generates it. Once the data is processed, it yields valuable information that can be used to make intelligent business decisions.
Data moving from source to destination is data in motion; data stored on disk in a database is data at rest. Edge deployments typically have a constant flow of data from end-user devices or sensors. If that data were captured by or exposed to a malicious group, it could pose serious challenges to the organization, so it must be protected both in motion and at rest.
An effective approach to protecting data in motion or at rest is using encryption techniques. Red Hat and its ecosystem of partners have technologies that can help organizations meet governmental standards for encrypting data in motion and at rest. For example, Red Hat OpenShift provides the following features for data protection:
- Encrypted secrets at rest (etcd datastore)
- All traffic to master nodes is encrypted
- Configured cipher suites
- Encrypted east / west traffic (Service Mesh)
- Volume encryption (TPM/vTPM, NBDE)
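As an added example, not from the article: the cluster-wide setting that turns on the "encrypted secrets at rest" feature listed above on an OpenShift 4 cluster. The resource kind and field names are OpenShift's own; `cluster` is the fixed name of the singleton APIServer resource.

```yaml
# Added example (not from the article): enable encryption of Secrets,
# ConfigMaps, Routes and OAuth tokens in the etcd datastore. Without this
# setting an OpenShift 4 cluster stores them unencrypted in etcd.
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  encryption:
    type: aescbc   # AES-CBC with PKCS#7 padding and a 32-byte key
```

Applying this manifest starts a background re-encryption of existing objects; the `Encrypted` status condition on the `openshiftapiserver` and `kubeapiserver` resources reports `EncryptionCompleted` once it has finished, and the key material itself lives in secrets in the `openshift-config-managed` namespace, which is why etcd backups and that namespace need the same protection as the data they guard.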
Securing networks at the edge
To reach the data, bad actors must first breach the next most critical technology component: the network. Although data is the most valuable asset in an edge deployment, it is not always the motivation for an attack. Bad actors may simply seek to disrupt operations by gaining access to networks or systems.
Today’s networks are more complex than ever, especially with edge deployments, and techniques like Software-Defined Wide Area Networks (SD-WAN) are now common. We are all too familiar with disruption-style attacks such as Denial of Service (DoS). These can be especially problematic for edge devices, which are typically resource-constrained and can easily be overwhelmed. Otherwise, network attacks at the edge are very similar to those against a datacenter.
The issue that edge deployments bring is the complexity and scale of the networks and the devices that connect into them. There could be millions of sensors or devices and gateways on the network, and a single misconfigured device could open the door to hackers looking for access. Automated, consistent, scalable, policy-driven network configuration is paramount to protecting against network attacks. Technologies such as Zero Trust Network Access (ZTNA) can also be used to protect edge access to enterprise data or cloud services.
Red Hat and its ecosystem of partners have technologies that mitigate network vulnerabilities, including Red Hat OpenShift Container Platform, which provides network isolation at the platform level with:
- Ingress / egress control
- Controlling external and internal access to services
- Network microsegmentation
- Total control and isolation of internal networks in a cluster
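As an added example, not from the article: the ingress/egress control and microsegmentation listed above are expressed in OpenShift with Kubernetes NetworkPolicy objects. The namespace, labels, ports and the `messaging` namespace are assumptions for a hypothetical sensor-to-collector workload; the `openshift-dns` namespace and CoreDNS port 5353 are OpenShift's.

```yaml
# Added example (not from the article): NetworkPolicy for a hypothetical
# "edge-telemetry" namespace; all names, labels and ports are assumed.
# 1) Default deny: a pod selected by no policy accepts all traffic, so an
#    empty podSelector covering Ingress and Egress closes every pod first.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: edge-telemetry
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2) Only the sensor gateway may reach the collector on 8443; the collector
#    may egress only to cluster DNS (OpenShift CoreDNS pods listen on 5353)
#    and to the broker in the messaging namespace. policyTypes is inferred.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: collector-microsegmentation
  namespace: edge-telemetry
spec:
  podSelector:
    matchLabels:
      app: collector
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: sensor-gateway
    ports:
    - protocol: TCP
      port: 8443
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns
    ports:
    - protocol: UDP
      port: 5353
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: messaging
    ports:
    - protocol: TCP
      port: 5671
```

Forgetting the DNS egress rule is the usual failure mode of a default-deny namespace: name resolution silently breaks while the policy looks correct, so test resolution from inside a selected pod after applying it.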
Red Hat Ansible Automation Platform also supports policy-driven network configuration. It provides:
- Automated network configuration
- Automation of network configuration ensures that network devices are configured consistently and avoids human errors that could be introduced when doing manual configuration at scale
- Network infrastructure awareness
- Monitoring network health allows administrators to be proactive in discovering failing devices
- Network validation
- Validation of network device compliance to network and protocol standards can help security professionals discover noncompliant devices and activities
Securing OS platforms at the edge
Encryption and network technologies are relatively mature and have advanced considerably to address security concerns for edge deployments, but hackers continue to find vulnerabilities in OS platforms. OS platforms are readily available, so bad actors can pound away at them, constantly finding ways to exploit any and every vulnerability. CVEs have become a common concern, and tracking them is the industry-wide method for dealing with these security threats.
Red Hat Enterprise Linux (RHEL) and OpenShift Container Platform have security features that help organizations deal with CVEs in an efficient way. Red Hat CoreOS, the hybrid cloud operating system, is built with security in mind and includes these features:
- Reduced attack surface
- Smaller number of packages so the attack surface is smaller
- Controlled immutability
- The OS is immutable by default and is updated in a controlled manner
- SELinux on by default
- Allows for process security controls as part of the platform configuration
- Kernel namespaces and Cgroups
- Provide fine-grained access control to system resources, which can prevent rogue entities from consuming too many resources
- CRI-O container runtime, Kubelet
- Uses a standard, supported and tested container runtime that has fewer vulnerabilities
- Auditd for host-level audit
- Provides monitoring capabilities to log and identify all system events
Securing software at the edge
Not all security threats are external to the organization. Organizations deal with individuals who either intentionally or accidentally introduce software that could cause security issues. Here is a list of the concerns that can be introduced by bad actors or careless employees:
- Using insecure images
- Containers running privileged
- Unrestricted communication between containers
- Containers running malware or other rogue or malicious processes
- Containers running as root
Red Hat has an ecosystem of partners that enhance and bolster OpenShift’s container security features throughout the entire CI/CD pipeline, including:
- Security policies
- SCC (Security Context Controls)
- Non-root containers
- Controlled access to resources
- Automated compliance audit and remediation
- Image security
- ImageStreams track changes to external images
- Image scanning (Quay with Clair)
- Deployment policies (admission controllers)
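As an added example, not from the article, covering both the list of concerns above (privileged containers, root, unpinned images) and the SCC and non-root controls just listed: a constructed pod spec that exhibits those concerns beside the same workload rewritten so the `restricted-v2` SCC in current OpenShift releases will admit it. The image name, registry and the `<pinned-digest>` placeholder are hypothetical.

```yaml
# Before (constructed): a pod that exhibits the concerns listed above.
# The default restricted SCCs reject it at admission.
apiVersion: v1
kind: Pod
metadata:
  name: edge-agent-insecure
spec:
  containers:
  - name: agent
    image: registry.example.com/edge-agent:latest   # mutable tag, unscanned
    securityContext:
      privileged: true          # full access to the host kernel and devices
      runAsUser: 0              # root inside the container
---
# After (constructed): the same workload shaped to pass restricted-v2.
# No runAsUser is set; the SCC assigns a UID from the namespace's range.
apiVersion: v1
kind: Pod
metadata:
  name: edge-agent-hardened
spec:
  securityContext:
    runAsNonRoot: true          # kubelet refuses an image whose USER is root
    seccompProfile:
      type: RuntimeDefault      # CRI-O's default syscall filter
  containers:
  - name: agent
    image: registry.example.com/edge-agent@sha256:<pinned-digest>  # placeholder digest
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false   # blocks setuid/file-capability escalation
      readOnlyRootFilesystem: true      # dropped malware cannot persist in the image layer
      capabilities:
        drop: ["ALL"]
    resources:
      limits:                   # caps what a compromised agent can consume
        cpu: "500m"
        memory: "256Mi"
```

Pinning by digest is what makes image scanning meaningful: a scan result is tied to a digest, while a tag such as `latest` can point at a different, unscanned image by the time the pod is scheduled.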
With these capabilities and features provided by Red Hat partners, organizations can reduce the risk that their environments expose them to unnecessary security threats.
Securing hardware at the edge
A major security threat for edge hardware is imposter devices. Because hardware is no longer confined to the datacenter, it is now accessible to bad actors who could potentially replace a piece of legitimate hardware with an illicit copycat. This imposter, if configured properly, could pretend to be something that it’s not. Organizations need to have confidence that any device that connects to their network is what it says it is and will perform as expected, including accessing expected data and networks.
One method to deal with this concern is device attestation. Attestation helps organizations identify devices that have been tampered with or that run outdated, insecure software. Red Hat CoreOS, part of a Red Hat OpenShift deployment, is designed with secure boot capabilities that allow administrators to ensure that boot loaders, system files and other packages are as they should be by validating the digital signatures of all these system resources.
This article has outlined the primary security challenges that edge deployments face and, at a high level, how Red Hat technologies help to thwart these security threats. Red Hat technology also works alongside partner technologies to provide further defenses against security threats for edge deployments.