Let’s not forget about edge computing security risk as we talk about new business potential of edge for telcos
Admittedly, edge computing is an innovation and a new revenue enabler for telcos. It opens the door to services telcos could not offer before: latency-sensitive, high-bandwidth and location-aware services delivered closer to the edge.
However, it is also true that edge cloud increases the attack surface of the network and brings new security challenges. Tens or hundreds of new edge cloud data centers (and edge devices) are also potential entry points for attacks.
At a high level, edge cloud security seems no different from central cloud security; after all, both are clouds.
However, there are some differences that make edge cloud security more complex.
Therefore, in this article we discuss some of the security risks and what the solutions could be for telcos to overcome them.
Edge computing security risks
There are multiple reasons network owners should be worried about the security of the edge:
- First, the edge is a multi-stakeholder environment: the infrastructure can come from one vendor, the MEC platform (Multi-Access Edge Computing) from another, and the applications from yet another. Telcos can also partner with public cloud providers and use some of their components in the edge cloud.
With different stakeholders and owners, it can be a challenge to have consistent and foolproof security measures in place for threat protection.
- Second, the edge is a heterogeneous environment. RAN and core services run side by side, and there are third-party application providers as well. Some of them run in container environments, while others need a VM environment. In fact, a malicious edge function can exploit a zero-day vulnerability to gain root access.
Above all, they may require complex service chaining, which further complicates their management. All this requires tight security controls and monitoring to be in place to avoid security breaches.
- Last but not least, the edge infrastructure is usually deployed in physically isolated and insecure locations such as base stations and/or isolated PoPs, which are more easily accessible to attackers than centralized locations.
In short, edge computing complicates perimeter defense and challenges existing security systems. It requires extra security measures from security planners and requires them to align their network architecture with the security requirements.
A study showed the major attacks on edge computing infrastructure as below, with DDoS and malware injection attacks as the ones with the highest percentage, followed
Fig: Security threats on the edge
Some basic guidelines for network security on edge
Some of the recommended guidelines and things to take care of when designing edge security are the following:
1. Zero-Trust Security is not an option but mandatory
The Zero Trust model is no longer optional.
Zero Trust means eliminating any implicit trust and verifying every stage of a digital interaction. This means stronger authentication and authorization and enforcing "least access" policies. This is different from the traditional strategy of "allowing" by default and then adding access control lists to block certain users or applications.
Security administrators must ensure that they implement the edge cloud with a zero-trust strategy.
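To make the difference between the two strategies concrete, here is an added example (not from the article, and not any vendor's code) of a small request gate for a multi-stakeholder edge platform. It puts the legacy "allow by default, block with an ACL" check beside a zero-trust check that verifies a signed, expiring token on every call and grants only explicitly listed actions. The app names, resource names, scopes and the signing key are constructed for illustration; a real platform would obtain keys and policy from its identity provider and orchestration layer.

```python
"""Hypothetical zero-trust request gate for an edge platform (added example).

Contrasts "allow by default, then block" with "deny by default, verify every
call, grant least access". All identities, resources and keys are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed platform signing key; in practice keys come from an IdP/KMS.
PLATFORM_KEY = b"constructed-demo-key-not-for-production"


def mint_token(subject: str, scopes: List[str], ttl: int = 300,
               now: Optional[int] = None, key: bytes = PLATFORM_KEY) -> str:
    """Issue an HMAC-signed bearer token carrying caller identity, scopes and expiry."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": subject, "scopes": scopes, "exp": now + ttl},
                         sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())


def verify_token(token: str, now: Optional[int] = None,
                 key: bytes = PLATFORM_KEY) -> Optional[dict]:
    """Return the claims only if the signature and expiry check out; else None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # forged or tampered token
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:              # expired token
        return None
    return claims


# Legacy model: every (caller, resource) pair is reachable unless explicitly blocked.
LEGACY_BLOCKLIST = {("untrusted-app", "core:subscriber-db")}


def legacy_allow(caller: str, resource: str) -> bool:
    """Allow-by-default: a newly onboarded app nobody thought to block gets through."""
    return (caller, resource) not in LEGACY_BLOCKLIST


# Zero-trust model: explicit least-access grants per identity; anything else is denied.
ALLOWLIST = {
    "video-cache": {"read:ran:telemetry"},
    "ran-controller": {"read:ran:telemetry", "write:ran:config"},
}


def zero_trust_allow(token: str, action: str, resource: str,
                     now: Optional[int] = None) -> bool:
    """Deny-by-default: authenticate the caller, then require an explicit grant
    both in platform policy and in the scopes the token was issued with."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    needed = f"{action}:{resource}"
    granted = ALLOWLIST.get(claims["sub"], set())
    return needed in granted and needed in set(claims["scopes"])


if __name__ == "__main__":
    # A third-party app deployed yesterday, present in no list at all.
    print("legacy lets new app read subscriber db:",
          legacy_allow("new-partner-app", "core:subscriber-db"))
    tok = mint_token("new-partner-app", ["read:core:subscriber-db"])
    print("zero trust lets new app read subscriber db:",
          zero_trust_allow(tok, "read", "core:subscriber-db"))
```

The point the example makes is the one the section makes: under the legacy model a new application, vendor component or MEC app that nobody added to the block list is reachable by default, while under zero trust it is denied until someone deliberately grants it the minimum access it needs, and even then only for as long as its credential is valid.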
2. Security Management & Governance model MUST be in Place
With a hybrid environment such as MEC, it is imperative to have good security management and orchestration in place. Having end-to-end visibility across all layers from bottom to top, including the servers, the virtualization layer, the MEC platform layer and the application layer, is the recommended approach.
Also, a security governance model must be in place. A vendor that wants to integrate its solution into the platform should be able to meet the required security compliance and undergo tests to prove that compliance.
3. Think SASE! It is a reality today!
Today, providing managed security functions in the cloud is a reality thanks to SASE (Secure Access Service Edge), which integrates managed security in the cloud with SD-WAN on customer premises. Firewall, IPS, IDS and Cloud Access Security Broker (CASB) are some of the security functions that can be offloaded from corporate network premises to the cloud.
SASE is ideal for an edge provider that has an SD-WAN offering for its corporate customers. The MEC location on the edge gives telcos an opportunity to bring their SASE further towards the network edge and provide a low-latency SASE offering.
In fact, MEF is working on standardizing the SASE offering for such managed service providers, as shown in the following figure.
Managed SASE (Source: MEF)
4. Integrate layers! Networking + Compute + Security.
Thanks to the P4 programmable networking layer, the networking fabric in edge data centers can provide more functions than just switching.
By intelligently programming P4 switches, new functions can be introduced that would otherwise need additional compute resources.
In-band telemetry, load balancing, security gateway and firewall/DPI functionality, all without dedicated security appliances, are some examples.
Also, a white-box approach, an all-in-one open platform that integrates all three layers, can result in a much smarter platform suitable for the edge, where power and space are limited.
Lanner’s Cyberelastic solution is a perfect all in one networking +compute+ security platform
Lanner’s CyberElastic™ combines best-of-breed components from Lanner, NoviFlow, and Fortinet to provide a powerful software driven cybersecurity solution. The integrated multi-vendor solution leverages modular hardware and software to provide up to 1 Tbps of scale-out firewall service in a highly scalable, yet small form factor suitable for edge deployments.
The solution includes multiple components:
- HTCA comes in two form factors suitable for small edge deployments: the HTCA-6600, which is 6U in size with 6 x86 CPU blades and 6 I/O blades that support P4 programmability based on the Intel Tofino ASIC, and the HTCA-E400, a highly compact 4U chassis with a short 450 mm depth suitable for small edge deployments, also supporting a P4 programmable blade based on Intel Tofino.
- CyberMapper and NoviWare software from NoviFlow deliver switching, load balancing and in-band telemetry (INT). The load balancer and INT run natively on the HTCA-6600 P4 programmable blade. In addition, NoviFlow's VisualAnalytics software provides comprehensive health and performance metrics across the cluster.
- The FortiGate virtual x86 firewall from Fortinet, which can elastically scale from tens to hundreds of virtual security appliances, up to 1 Tbps.
- Red Hat OpenShift as the cloud-native management and orchestration layer.
Above all, being a powerful, vendor-agnostic open universal CPE platform, HTCA supports functions beyond traditional security functions. It supports virtually any VNF (virtual network function), including SD-WAN or SASE security functions from any vendor.