Security Think Tank: Edge datacentre security depends on specific needs
That datacentre security is a complex subject is not in doubt and, given the trend to move beyond centralised datacentres to distributed environments, this is not going to change. How can security professionals ensure such setups are just as secure as the traditional centralised model?
Although datacentres started out as large, resilient data stores, they soon evolved to include compute services and cloud-based applications, moving processing loads between physical servers and spanning multiple locations.
Hybrid cloud, which merges on-premise datacentres with commercial cloud provision, allows local processing with the option to expand capacity into the cloud: latency and bandwidth use are reduced for the workloads kept local, while the same level of processing remains available on demand.
Today, this can be provided through edge computing, which moves some of the compute function geographically closer to the data source (an IoT sensor, for example) and/or data consumer (such as user terminal or mobile phone).
Edge computing allows data to be pre-processed close to the sensor, thus reducing bandwidth and latency of the sensor data transmitted, while user processing may be performed closer to the consumer of the data, with operations on new and cached data to provide a more reactive experience.
This processing may be on a network gateway, a dedicated on-premise server or within a mobile network, and may be on a platform not physically under the control of the service provider or the service consumer. However, the processing will be under the control of the central entity (cloud or datacentre) providing the service.
This raises a number of security questions, not least who is responsible for the security of each processing platform and the impact this has on any traditional security perimeter if applications under the control of a third party are running on platforms within your network and/or external third-party platforms.
In a public cloud environment, the responsibilities for security are spelt out by the cloud service provider in the service provision agreement. Typically with software as a service (SaaS), the service provider is responsible for the security of the processing within the cloud, including physical security of the platforms used for that processing, while the customer remains responsible for its own data, identities and access configuration. The same will usually apply for edge computing where the edge processing is done within a "cloudlet" operated by the provider.
However, if the processing is being done on an on-premise edge gateway or server, then the service consumer will necessarily be responsible for the physical security, but will also need to protect against potential intrusion into their own system, within which the edge processing is taking place.
Many cloud service providers are developing or have developed their own secure edge processing solutions that allow hardened virtual machines (VMs) to be deployed onto processing platforms and can isolate the processing from the platform and mutually authenticate with the user and central cloud.
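The mutual authentication described above, as an added illustration rather than any provider's actual mechanism: the central cloud challenges the edge workload, the workload answers with a fresh nonce, a measurement (SHA-256) of the VM image it booted and an HMAC tag, and the cloud only answers in turn once the image matches the hardened build it expects. A per-node shared secret provisioned at enrolment stands in for the certificates or hardware attestation a real deployment would use; the node identifier, image contents and key are constructed for the example.

```python
"""Illustrative mutual authentication between an edge workload and the central
cloud that controls it.  Added example, not any cloud provider's protocol.
Assumes (hypothetically) a per-node shared key provisioned at enrolment and a
SHA-256 measurement of the hardened VM image the edge node boots."""
import hashlib
import hmac
import secrets


def _tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so fields cannot be shifted."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()


class CentralCloud:
    """Holds each node's enrolment record: (shared key, expected image hash)."""

    def __init__(self, enrolled: dict[bytes, tuple[bytes, bytes]]):
        self.enrolled = enrolled
        self.nonce = b""

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)  # fresh for every handshake
        return self.nonce

    def verify_edge(self, node_id, edge_nonce, measurement, edge_tag) -> bool:
        record = self.enrolled.get(node_id)
        if record is None:
            return False
        key, expected = record
        # Reject any node whose VM image does not hash to the hardened build.
        if not hmac.compare_digest(measurement, expected):
            return False
        good = _tag(key, b"edge->cloud", node_id, self.nonce, edge_nonce, measurement)
        return hmac.compare_digest(good, edge_tag)

    def respond(self, node_id, edge_nonce) -> bytes:
        key, _ = self.enrolled[node_id]
        # Distinct direction label stops the edge's own tag being reflected back.
        return _tag(key, b"cloud->edge", node_id, edge_nonce, self.nonce)


class EdgeNode:
    def __init__(self, node_id: bytes, key: bytes, image: bytes):
        self.node_id, self.key, self.image = node_id, key, image
        self.nonce = self.cloud_nonce = b""

    def answer(self, cloud_nonce: bytes):
        self.cloud_nonce = cloud_nonce
        self.nonce = secrets.token_bytes(16)
        measurement = hashlib.sha256(self.image).digest()
        tag = _tag(self.key, b"edge->cloud", self.node_id, cloud_nonce, self.nonce, measurement)
        return self.nonce, measurement, tag

    def verify_cloud(self, cloud_tag: bytes) -> bool:
        good = _tag(self.key, b"cloud->edge", self.node_id, self.nonce, self.cloud_nonce)
        return hmac.compare_digest(good, cloud_tag)


def handshake(cloud: CentralCloud, node: EdgeNode) -> bool:
    """Full exchange; True only if both sides have authenticated each other."""
    cloud_nonce = cloud.challenge()
    edge_nonce, measurement, edge_tag = node.answer(cloud_nonce)
    if not cloud.verify_edge(node.node_id, edge_nonce, measurement, edge_tag):
        return False
    return node.verify_cloud(cloud.respond(node.node_id, edge_nonce))


# Constructed inputs for the demonstration (not real images or keys).
HARDENED_IMAGE = b"hypothetical hardened edge VM image, build 1"
NODE_ID = b"edge-gw-01"
NODE_KEY = secrets.token_bytes(32)


def demo() -> dict[str, bool]:
    expected = hashlib.sha256(HARDENED_IMAGE).digest()
    cloud = CentralCloud({NODE_ID: (NODE_KEY, expected)})
    genuine = EdgeNode(NODE_ID, NODE_KEY, HARDENED_IMAGE)
    tampered = EdgeNode(NODE_ID, NODE_KEY, HARDENED_IMAGE + b" + backdoor")
    rogue_cloud = CentralCloud({NODE_ID: (secrets.token_bytes(32), expected)})

    results = {
        "genuine": handshake(cloud, genuine),
        "tampered_image": handshake(cloud, tampered),   # measurement mismatch
        "rogue_cloud": handshake(rogue_cloud, genuine),  # wrong key, edge tag rejected
    }
    # Even if a rogue cloud skipped its own check, the edge rejects its response.
    results["rogue_cloud_response"] = genuine.verify_cloud(
        rogue_cloud.respond(NODE_ID, genuine.nonce))
    # Replay: a recorded edge answer is useless against a fresh challenge.
    recorded = genuine.answer(cloud.challenge())
    cloud.challenge()
    results["replayed_answer"] = cloud.verify_edge(NODE_ID, *recorded)
    return results


if __name__ == "__main__":
    print(demo())
```

Binding the image measurement into the tag is what turns plain authentication into a check that the workload is the hardened build the provider deployed; a node that boots a modified image can still hold the key but cannot produce an acceptable answer.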
In the case of a distributed datacentre run by a large organisation, there is no contractual division of responsibility to fall back on, but edge computing may still be deployed on external platforms. Also, a large organisation may create a multinational virtual datacentre spanning multiple legal and data protection jurisdictions. So although applications may be spawned from the centre, the data they consume and the information they deliver must be stored and processed within the relevant jurisdictions.
The main risks (controlling where data is stored to meet data protection regulations, and securing the data during processing and storage) are not dissimilar to those of the cloud. Edge processing can, however, help in these regards because it has specific geographic deployments.
The added risks arise where the edge platform sits within a third-party system, where an on-premise platform is running workloads controlled by a cloud provider, or where a distributed datacentre is controlled from one of the jurisdictions it spans.
Large datacentres and hybrid environments such as that described are usually secured using a zero-trust-like approach which, as well as verifying that the user is allowed access to the service, allows the data consumed by that service to constrain where the processing takes place. This may be achieved, at least in part, by using a cloud access security broker in conjunction with the datacentre/cloud technology base, but where this alone is not sufficient, a full zero-trust approach may be necessary.
If processing does take place on third-party platforms, then as well as an appropriate legal agreement with the owner of the platform, the deployed workload running on that platform must be able to protect itself from intrusion by other software running on the platform.
Finally, any edge processing platforms operating within the secure perimeter of the client network must be isolated (placed in a separate network zone, with only the flows they need to their data sources and the central service permitted) so that software running on them cannot easily break out and access other parts of the network.
Edge processing has clear performance benefits and can improve security from a data protection point of view, but can also bring new security problems. Therefore, the overall balance will depend on the specific requirement.