When discussing edge computing and the Internet of Things (IoT), it is easy to group them together. They are closely related, but they do differ. The phrase “edge computing” captures the intent, as it refers to actual computing and storage where the data is generated. Those devices do not necessarily depend on a cloud, as they process the data locally. The term “IoT,” by comparison, encompasses devices that are typically much simpler: an ever-expanding network of physical devices that have software and sensors embedded within them. The devices’ primary role is to collect data, exchange it, and in some cases, automate tasks. For clarification before we go further, mobile phones fit the current definition of an edge computing device.

So how do you address security with edge and IoT? You have data on network file shares and data within the data center and likely in the cloud as well. How can you mitigate the risks? And don’t forget, employees have personal devices and possibly agency-issued mobile devices. Oh, to add a little more, there are likely several IoT devices within the data center as well. It may be enough to keep you awake at night.
If that isn’t enough, the scope (and attack surface) increases as you consider these scenarios:
- More than one data center or cloud vendor
- One or more SaaS being utilized
- One or more shadow IT “computer rooms”
Can the scenario be any more challenging? I mean, who needs a good night’s rest, right? Most IoT devices have the following security characteristics:
- Weak or no encryption
- Low-level firmware that is not consistently updated
- Weak authentication (passwords)
To minimize risk from IoT devices outside of the physical data center, the strong suggestion is to isolate them on a separate network that cannot access agency data. That will not address the issues above, but having them separated will allow the issues to be addressed with less risk. Unfortunately, IoT devices such as sensors and actuators are playing an increasing role in modern data centers, monitoring components, so you may not be able to place those on a separate network. For those devices, here are some suggestions to help reduce risk:
- Ensure a complete listing is maintained of all IoT devices
- Understand the process/frequency to provide security patches (and who is responsible)
- Change default passwords & limit account access
- Ensure encryption is enabled (at rest & in transit)
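The checklist above can be run as a recurring audit over the device inventory. The following is an added example, not part of the original article; the data-network subnet, the 90-day patch window, the field names and the sample devices are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed values for illustration: agency data subnet and patch window.
AGENCY_DATA_NET = ip_network("10.10.0.0/16")
MAX_PATCH_AGE_DAYS = 90

@dataclass
class Device:
    name: str
    ip: str
    datacenter_sensor: bool   # monitoring role that must stay on the data network
    patch_owner: str          # who is responsible for patches ("" = nobody)
    last_patched: date
    default_password: bool
    encrypts_at_rest: bool
    encrypts_in_transit: bool

def audit(dev, today):
    """Return the list of findings for one inventory entry."""
    findings = []
    on_data_net = ip_address(dev.ip) in AGENCY_DATA_NET
    if on_data_net and not dev.datacenter_sensor:
        findings.append("on agency data network; move to isolated IoT network")
    if not dev.patch_owner:
        findings.append("no patch owner assigned")
    if (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("firmware patch overdue")
    if dev.default_password:
        findings.append("default password in use")
    if not (dev.encrypts_at_rest and dev.encrypts_in_transit):
        findings.append("encryption not enabled at rest and in transit")
    return findings

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("lobby-camera", "10.10.4.20", False, "", date(2023, 1, 5), True, False, False),
    Device("rack-temp-07", "10.10.8.31", True, "facilities", date(2024, 5, 1), False, True, True),
    Device("hvac-ctl", "192.168.50.9", False, "facilities", date(2024, 1, 2), False, True, False),
]

def report(today=date(2024, 6, 1)):
    """Map each device name to its findings as of the given date."""
    return {d.name: audit(d, today) for d in INVENTORY}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "->", findings or "ok")
```

A data center sensor that legitimately stays on the data network is exempt from the segmentation finding but is still held to the patching, password and encryption checks.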
Lastly, to minimize risk from personal mobile devices, only allow those to utilize a “Guest” network, not the agency’s data network. For agency-issued mobile devices, utilize some type of mobile device management software to restrict modifications and to allow remote wipe if needed.
To address the security risks of edge devices, consider combining the concerns and suggestions for both IoT and mobile devices. Threat actors will continue to devise approaches to attack these areas. Defined and diligently enforced policies that focus, at a minimum, on the points above will help reduce the risks.
Dan Kempton is the Sr. IT Advisor at North Carolina Department of Information Technology. An accomplished IT executive with over 35 years of experience, Dan has worked nearly equally in the private sector, including startups and mid-to-large scale companies, and the public sector. His Bachelor’s and Master’s degrees in Computer Science fuel his curiosity about adopting and incorporating technology to reach business goals. His experience spans various technical areas including system architecture and applications. He has served on multiple technology advisory boards, ANSI committees, and he is currently an Adjunct Professor at the Industrial & Systems Engineering school at NC State University. He reports directly to the CIO for North Carolina, providing technical insight and guidance on how emerging technologies could address the state’s challenges.

