Edge computing places nodes, often in the form of embedded systems, locally on the site where data is being gathered and processed. These nodes exist on the "edge" of your cloud's coverage and broadcast data (often preprocessed) back to your application service or data storage facility.
[ Improve your skills managing and using SELinux with this helpful guide. ]
Edge has many advantages, but by definition, it means deploying several computers (depending on your needs, it could be in the hundreds) to remote locations. Each of those systems represents a potential attack vector, so it's important to think about how to restrict access to your edge devices.
Don't let the terminology fool you. An edge device is a hyper-specific server that runs some service or collection of services. It receives input and produces output.
As with functional programming, you must ensure that the services running on the device accept (and validate) only the required inputs and provide verifiable output. The classic example of SQL statements that drop tables or add users is still relevant. While it may or may not apply to your device, the idea is the same: Restrict input to only what's expected, and provide output that's strictly scrutinized.
2. Operating system
This one is straightforward:
- What operating system is the device running?
- What support does it have for updates?
- What security policies does it make available to you?
Luckily, many edge devices run open source, such as Linux, BSD, or RTOS, so there's a lot of potential for optimizing settings with features like SELinux. However, through neglect or mismanagement, there's always the possibility that you're not taking advantage of your operating system's built-in features. Get to know your devices' operating system, read the documentation, and implement safeguards.
The edge is not synonymous with DMZ. Just because your devices are remote doesn't mean they don't need coverage. Whether you set up a site-specific firewall server or use a device's built-in firewall features, your edge network needs a firewall.
Some commodity devices have easy modes for quick connectivity. These may be great features for quick setup and testing. However, they are no substitute for establishing dedicated encrypted connections with encryption keys that you oversee and can revoke when necessary.
5. Zero-trust security
Use the zero-trust model:
- Authenticate all connections.
- Verify all devices, users, and applications.
- Route all traffic at the application level.
An unmonitored device is an invitation for failure. There are many great monitoring tools out there, like Tripwire, Prometheus, and more. Watch the edge the same as you monitor your local network (if not more).
Welcome to the edge
Edge computing can make your cloud snappier and more efficient, but it requires attention. It's a big and widespread responsibility to compute on the edge, so treat it carefully. Give it the attention it deserves, and treat your edge network with the same care you have for your local users.