With the undeniable performance benefits of edge computing, many companies are moving to the edge. But will the same security protocols from on-prem and cloud computing transfer after migrating apps and websites? Ultimately, edge security strategies like zero trust that extend protection to the edge of the network have benefits for applications and websites residing anywhere in today’s complex threat landscape. In addition, a serverless approach to security can reduce the security responsibilities for application and site owners, resulting in fewer rote management tasks. This blog post will examine the differences between edge security and security for cloud and on-prem, the challenges of securing the edge, and some of the best practices and security tools that can help develop a robust and future-proof security strategy.
On-Prem Security vs. Cloud Security
Traditional, on-prem security models revolve around keeping threats out of a secure corporate perimeter, either by centralizing data, workloads, and devices in a single location or by joining multiple office branches and data centers together over a private connection, such as MPLS, to shield sensitive data and workloads from the public Internet whenever possible.
On-prem security employs security measures such as:
- firewalls and Internet gateways to protect the network from unauthorized traffic;
- antivirus software to prevent malicious downloads;
- physical security to protect data centers from stolen or compromised equipment; and
- on-site IT to monitor any traffic to and from the public Internet.
In this setup, the company is fully responsible for their own security, including purchasing, maintaining, and managing their hardware and software. As a result, they face greater capital expenses, challenges in sizing and scaling infrastructure, and must perform their own security scans and update and patch any vulnerabilities they find. For better or worse, they are in control of the security of their own data and workloads.
Cloud computing security
Cloud computing changes the game, since compute and storage infrastructure is provided over the Internet.
Cloud computing not only reduces upfront costs, but management tasks as well, since cloud providers are responsible for the management of hardware and some (or all) of the software, depending on which cloud computing model is used:
- Infrastructure-as-a-Service (IaaS): provides virtualized compute resources over the Internet, with hardware and facilities operated by the cloud provider.
- Platform-as-a-Service (PaaS): provides a development and deployment environment with tools for building, running, and managing applications using hardware, facilities, OS, and runtime operated by the cloud provider.
- Software-as-a-Service (SaaS): Out-of-the-box software solutions that are fully managed by the cloud provider.
And since infrastructure is managed by cloud providers, whether under the IaaS, PaaS, or SaaS model, they share the responsibility for cybersecurity with their clients. As opposed to on-premises security, where app owners and infrastructure teams are fully responsible for owning, operating, and managing their own hardware and software, cloud providers’ customers are responsible for more client-side security tasks, while the provider manages the security of the hardware, facilities, and some backend services.
This shared security model means clients have less to secure, but also less control over the security of their data and workloads, which are no longer siloed in a private network, but part of the public cloud.
In other words, an attack on the cloud provider could result in a security issue for the client. In addition, applications hosted on cloud platforms are multitenant, meaning that they share resources with cloud providers’ other customers, as opposed to applications hosted on-premises, which use their own private servers. If cloud providers do not take care to properly isolate their customers’ data and applications, multitenancy can result in privacy and security issues.
How Edge Security Is Different
Edge computing is similar to cloud computing in that it provides companies with virtual compute and storage resources over the Internet. However, with edge computing, resources are not centralized in hyperscale data centers, but highly distributed across geographic locations so that computing tasks can be performed as close as possible to end users. Although this has many benefits, including lower latency and less bandwidth use, it has the same multitenancy concerns as the cloud if edge providers do not take care to isolate customers’ data and applications. In addition, edge computing poses unique security challenges in that each edge location presents another attack vector, requiring companies to build security into each edge node to ensure that there are no weak points in the content delivery system.
In addition, edge computing enables next-generation technologies, such as AR/VR, IoT, AI and machine learning, which have their own security challenges. For next-generation applications that depend on the edge’s benefits such as ultra-low latency, real-time processing, and resource efficiency, security protocols cannot compromise performance by increasing resource usage and latency. For IoT devices, security protocols may be immature or weak, relying on factory-set passwords that make them easy to compromise.
Best Practices for Edge Security
When companies began to increasingly move away from a model where workloads, users and devices were secured in private, on-premises networks, the corporate perimeter began to disappear. As a result, it became harder for security teams to distinguish trusted users from attackers using stolen or compromised credentials, making it increasingly necessary to abandon the old security model that automatically extended trust to authorized users. Instead, a new model was proposed by Forrester in 2010 to adapt to the changing threat landscape. This model is known as zero trust.
Forrester’s Zero Trust Security Playbook defines zero trust as a security approach that “never assumes trust; instead, it continuously assesses ‘trust’ using a risk-based analysis of all available information.” As noted in the report, this involves several components, including:
- redesigning networks into secure microperimeters;
- encrypting and obfuscating sensitive data to strengthen its security;
- limiting the risks associated with excessive user privileges; and
- using analytics and automation to dramatically improve security detection and response.
As applications become more and more distributed, the strategy of guarding attack vectors to keep malicious users out has become difficult to implement, as distributed architecture is more challenging to monitor and has more attack vectors. As a result, security teams must take precautions to not only reduce vulnerabilities, but limit the damage attackers can do once a system has been penetrated.
As such, part of a strong zero-trust security strategy is high visibility and threat intelligence through analytics. The complexities of edge computing do not leave room for security strategies that require continually switching between various dashboards to monitor different threats; instead, teams must be empowered with full-stack security solutions that provide a single pane of glass through which to view all threats.
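The zero-trust components listed above (microperimeters, least privilege, risk-based continuous assessment, and analytics for detection and response) can be seen together in a single per-request decision. The following is an added example written for this post; it is not Forrester’s or Azion’s code. The role table, the resource-to-segment mapping, the per-segment risk limits and the scoring weights are all constructed assumptions chosen to illustrate the model, not values from any product.

```python
"""Added example: a per-request zero-trust access decision (not Azion code)."""
from dataclasses import dataclass, asdict
import json

# Constructed least-privilege table: each role lists only the actions it needs.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "deploy"},
}

# Constructed microperimeters: every resource lives in a segment, and each
# segment tolerates a different maximum risk score. More sensitive segments
# tolerate less risk, so the same user may reach one resource and not another.
SEGMENT_MAX_RISK = {"public": 70, "internal": 40, "restricted": 15}
RESOURCE_SEGMENT = {
    "docs-site": "public",
    "inventory-api": "internal",
    "payments-db": "restricted",
}


@dataclass
class RequestContext:
    user: str
    role: str
    action: str
    resource: str
    mfa_verified: bool
    device_managed: bool
    geo_anomaly: bool            # location differs sharply from recent history
    failed_logins_last_hour: int
    source_network: str          # recorded for analytics only; grants no trust


@dataclass
class Decision:
    allowed: bool
    reason: str
    risk: int
    segment: str


def risk_score(ctx: RequestContext) -> int:
    """Risk-based analysis of the signals available for this request.
    Weights are constructed for illustration."""
    score = 0
    if not ctx.mfa_verified:
        score += 40
    if not ctx.device_managed:
        score += 25
    if ctx.geo_anomaly:
        score += 20
    score += 5 * min(ctx.failed_logins_last_hour, 4)
    return score


def evaluate(ctx: RequestContext) -> Decision:
    """Decide one request. Nothing is trusted by default: an unknown resource
    is denied, the role must explicitly grant the action, and the risk score
    must stay within the limit of the resource's segment. Note that
    ctx.source_network is never consulted here: being on the corporate
    network does not earn trust."""
    segment = RESOURCE_SEGMENT.get(ctx.resource)
    if segment is None:
        return Decision(False, "unknown resource (default deny)", 0, "none")
    if ctx.action not in ROLE_PERMISSIONS.get(ctx.role, set()):
        return Decision(False, f"role {ctx.role!r} lacks {ctx.action!r}", 0, segment)
    risk = risk_score(ctx)
    limit = SEGMENT_MAX_RISK[segment]
    if risk > limit:
        return Decision(False, f"risk {risk} exceeds segment limit {limit}", risk, segment)
    return Decision(True, "policy satisfied", risk, segment)


def audit_record(ctx: RequestContext, decision: Decision) -> str:
    """One JSON line per decision, the kind of record a SIEM or analytics
    pipeline would ingest for detection and response."""
    return json.dumps({"request": asdict(ctx), "decision": asdict(decision)}, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample requests: the second comes from the corporate network
    # but without MFA or a managed device, and is denied anyway.
    samples = [
        RequestContext("alice", "admin", "deploy", "inventory-api", True, True, False, 0, "internet"),
        RequestContext("alice", "admin", "deploy", "inventory-api", False, False, False, 0, "corporate"),
        RequestContext("bob", "viewer", "write", "docs-site", True, True, False, 0, "vpn"),
        RequestContext("carol", "editor", "read", "payments-db", True, True, True, 0, "internet"),
    ]
    for ctx in samples:
        print(audit_record(ctx, evaluate(ctx)))
```

The second sample is the point of the exercise: the request arrives from the corporate network, which the old perimeter model would have trusted outright, yet it is denied because the signals that actually matter (MFA, device posture) are missing. The fourth shows a microperimeter at work: the same requester who could read an internal resource is stopped at the restricted segment by a single anomaly, and every outcome is emitted as a structured record rather than left in a dashboard.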
Edge Security with Azion
Ultimately, the unique challenges of securing the edge must be overcome to ensure that the data-hungry applications and devices that rely on edge computing for real-time processing maintain their users’ security and privacy. Azion’s Edge Platform provides the tools companies need to create zero-trust security policies that are not only crucial for protecting edge-native applications and devices, but all applications, devices, and networks, given today’s large and complex attack surface.
In addition, Azion’s Edge Platform builds security into each edge node, keeping each function isolated in a multitenant environment using V8’s sandboxing capabilities, enabling companies to gain the scalability and performance benefits of edge computing without the security and privacy risks that can arise in the cloud and at the edge.
Azion’s robust platform of zero-trust security solutions enables:
- integrated security stack, including Web Application Firewall (WAF) and DDoS mitigation, for visibility and protection across the entire network;
- analytic tools that integrate with your company’s SIEM or big data solution for real-time threat intelligence;
- fine-grained permissions for different team members through Real-Time Manager;
- network segmentation with Network Layer Protection; and
- orchestration for automating security responses.
Designed for both security and performance, our products and services ensure that securing the edge does not require sacrificing the low-latency and resource efficiency that edge computing offers. By enabling custom rule sets, companies can tailor their security policies to their apps’ specific needs, rather than relying on one-size-fits-all protocols that can result in high false positives, reducing availability for legitimate users. Rather than relying on signatures of known attack patterns, which can increase resource use and application latency, Azion uses lean rule sets and best-in-class algorithms that maintain high performance and guard against zero-day attacks.
In addition, Azion’s serverless model reduces the attack surface by removing vulnerable infrastructure layers and eliminating the need for maintenance tasks like updating OS, scanning containers, or patching servers.
Balaouras, S., & Shey, H. (2019). Defend Your Digital Business From Advanced Cyberattacks Using Forrester’s Zero Trust Model (report, pp. 2–3). Cambridge, MA: Forrester.