It’s almost an afterthought. According to Ben Goodman, who is responsible for global corporate business development at ForgeRock, most IoT implementations “prioritise connectivity first.” They look at getting the ‘things’ that make up the IoT talking on a network. Then they look at analytics, then, and only then, they have that sinking feeling — they forgot, they have to worry about cyber security for their IoT projects too. As for edge computing cyber security, Goodman likened it to the Wild West. Meanwhile, for Jake Moore, Cyber security Specialist at ESET, for edge computing and cyber security “two-factor authentication methods and password managers are key.”
To get your IoT cyber security right, “you really have to be secure at multiple levels. You want to secure the transport of the data, you want to secure access to the data, you want to secure access to things,” says Goodman.
He reckons that the key to this is machine identity — “you need to have a defined unique secure identity for the actual things you’re trying to manage.
“We have this point of view that there’s three phases: there’s an unknown, and the unknown could be a person or a thing; known, that you know who it actually is and trust it,” but there is a middle ground, you know about the device but not sure you can trust it. So that’s a kind of Donald Rumsfeld approach to IoT cyber security, knowns, known unknowns and unknown unknowns.
He explains further: “Many devices out there are just quite frankly unknown. Then you have some that have a very basic identity but are not necessarily secure, and you can’t validate. And then you have ones that actually do have a secure validated identity, so these you can trust. Once you can trust something, that really opens up all these additional opportunities.
“One of the fundamental powers of identity management is the capability to understand and model relationships and then use those relationships to make things like access decisions.”
Security is a great concern with IoT deployment, but what about edge security?
Edge computing and cyber security
And that takes us to cyber security and edge computing. What are the issues here?
Edge computing and IoT are not interchangeable, but they do often go hand in hand.
Goodman sees edge computing as a means to an end. Some of these devices that make up the IoT are too low-powered to do some of this work by themselves. So more and more, you’re seeing the implementation of some type of edge gateway or some type of edge presence which is enabling conversations downstream, or north-south, with these things at the edge.”
Jake Moore says that “edge computing certainly has some benefits, as they don’t need to tackle some traditional security problems such as physical data theft. However, edge is not exempt from other, more common mistakes that put data at risk. Many companies do not take the time to set-up strong unique passwords and keep using default ones.
“Enterprises should invest in two-factor authentication methods and in password managers, particularly for people with higher access levels. This is the fastest way to add an extra layer of security on a bigger scale. It is enough for one set of credentials to be compromised for attackers to penetrate the rest of the system.”
For many observers, edge computing creates a feeling of deja vu. We have seen a swing from PC, meaning local processing, to cloud, and now it’s swinging back to local at least on the edge. And cyber security considerations for edge computing have a sense of deja vu, too.
“I think there’s a zero-trust story,” says Goodman. The truth is, an awful lot of devices can sit on the edge, from smart phones to a container truck or a train. “I think people are going to have to use zero trust concepts where they can’t trust the network, have to authenticate use, and have to understand what data is actually resident there. And considering the fact that the edge could be very dynamic and always moving, you have to be really open and plan for that as well.”
The five pillars of Edge Computing
The cyber security challenges with edge computing
With the cloud we have become used to a small number of dominant players. For many organisations this has aided cyber security enormously, they know their cloud provider had cyber security tools in place.
With the edge it is different. Goodman likens it to the Wild West, “almost a no man’s land”, lots of players, no standardisation — although Dell is investing heavily. There’s not a single operating system for the edge, there’s not a single hardware configuration for the edge, there’s not a single network configuration for the edge.
“So to a certain degree, every project is bespoke, so that’s very challenging,” suggests Goodman and for cyber security for edge computing, just like with the Wild West, the door is open — you could say edged open — for pioneers.
Processing IoT data at the edge: the right business decision