Despite the apparent oxymoron, fog computing brightens prospects for secure edge computing

Buzzwords are the lifeblood of technology: think cloud,
cyber, app, virtualization and the ever-popular “things,” to name just a
few.  One of the newer additions to the
vocabulary is “fog” — as in fog computing. 
It does not take too much imagination to suspect that fog could be a
variant of cloud. Indeed, fog is viewed as an intermediate layer in network
architectures, particularly those linked to ideas about how to wire the
enormous world of things – the internet of things (IoT) — now being envisioned
as an extension of the internet.

“When I was an independent consultant, if I told a potential
customer my computing model was in the fog, the meeting probably wouldn’t have
lasted long,” laughs Greg Scott, the author of multiple cybersecurity novels
whose day job is senior technical account manager at Red Hat. Fog computing is
a metaphor that you have to get used to; not quite in the cloud, not quite on
premises, but in the fog, Scott adds.

To explain the concept, Scott suggests thinking of a smart
IoT thermostat that sends temperature and humidity data to a backend server
someplace “in the cloud.” Thermostats are a good example because every building
has one or more and it makes the concept easy to visualize, he says. However,
“in the cloud” might be too far away for monitoring purposes; perhaps it is
more efficient if the databases for all the thermostats in a neighborhood live
on a system co-located in the nearest telephone company central office. Perhaps
the telco offers a nationwide thermostat monitoring service, and hosts regional
databases at central offices around the country because the databases need to
be close to the thermostats. That interim home for processing or storing data
is the fog layer.

Although some edge computing visions place a considerable
amount of processing and storage at the edge, the trend is toward placing those
resources in the fog, as Scott describes. The fog layer then becomes a
sub-segment of cloud to help to process and direct data closer to its sources
from its origin point on the ‘edge.’

Its importance, according to Matthew J. Smith, director,
computer science and cyber security programs at Bay Path University in
Longmeadow, Mass., is that massive growth is expected in IoT-connected devices.
“It is projected by Cisco that by 2020 there will be over 50 billion smart
devices which will hinder our use of the cloud in its current state, since it
will not be able to keep up with the bandwidth demand as it is currently
designed.”

According to Smith, “as we increase our use of the internet
of things we are relying more heavily on speed and bandwidth to get our results
back to us.” The fog nodes are typically in close proximity to the end users or
the data source and can be more responsive than the typical remote cloud, he
says.  But that new structure presents
cybersecurity challenges, as well.

In the fog

All those intermediate fog devices are not in a secure
server farm at a core datacenter, says Scott. Whoever operates that fog
infrastructure needs a flexible, distributed security model, with easy to add
and remove edge devices, and easy to relocate fog servers.  In other words, fog security depends on edge
security and vice versa.

Drew Farnsworth, partner at Green Lane Design, a company
that architects datacenters, sees a similar challenge. While a fog node can be
manifested in any size from a single server in a closet to an ultrahigh-density
micro data center that packs 50kW into a box, “getting so close to the edge
raises a host of security concerns,” says Farnsworth.

For one thing, since the locations are by definition spread
out, they cannot have the same physical security as a massive data center.
Likewise, because the intention of fog is to provide computation as close as
possible to users, there is often a need for a great many nodes, “which means
that there could be a distributed physical attack wherein many nodes are
attacked simultaneously, overwhelming any possible security response,” he adds.

On the bright side, notes Farnsworth, many of the other
cybersecurity issues related to fog are identical to those of a traditional
data center build but with more need for firewalls and robust network
monitoring and architecture. But, “physical security must be top notch,
including extreme intrusion prevention and surveillance,” he says.

Drilling further into the topic, Kevin Curran, IEEE senior
member and professor of cybersecurity at Ulster University, says that for fog,
the biggest threats that exist within the network infrastructure are denial of
service attacks, man-in-the-middle attacks, and rogue gateways. There are also
the added risks of misuse of resources, privacy leakage, virtual machine
manipulation, and injection of information, he notes.

As with so many cybersecurity challenges, the key tools to
combat these threats are identity and authentication, access control systems,
and securing the virtualized network infrastructure, Curran says.
Software-defined networking and network function virtualization are helpful and
“role-based access control policies can be used to provide inter-domain role
mapping and constraint verification for secure distributed access control,”
Curran adds.

“These end devices still follow the same security guidance
as in previous years,” Curran opines, but the importance of ensuring they are
safe and secure is even greater today. “We need to ensure that these devices
are nestled inside a firewall to limit the ability for them to be infiltrated
or hacked by bad actors,” he says. Patching and updating the software and
firmware is your first line of defense and limiting access and maintaining a
rigid access control list (ACL) is vital. “Ensuring that the proper roles and
permissions are in place will provide additional accountability,” Curran says.

Lastly, he says, providing ample passwords that meet or
exceed requirements and two factor authentication are also helpful.

Physical security concerns

Like Farnsworth, Curran believes organizations face a new
set of physical security concerns given the distributed nature of the fog/edge
computing model. “In this paradigm, there are numerous enabling technologies,
such as distributed and peer-to-peer systems, wireless networks, and
multitenant virtualization infrastructure; all of these components require
hardening,” he says.

There is also the threat of physical damage, privacy leakage,
service manipulation, privilege escalation, and even rogue data centers. Curran
says because of the distributed nature of fog there is also an added factor:
the latency of the security mechanism. The security ecosystem of the sensors
and mobile devices also have to be considered.

“Many [devices] run reduced instruction sets with weak
encryption,” he says. And, while managing trust is a major concern, trust
metrics can be utilized in this case in an autonomous fashion, he adds.

Since edge devices operate with limited computing resources
along with limited power sources, the three most important parameters, which
are required to be optimized on such devices, are performance, energy
efficiency, and security, says Somdip Dey, an embedded artificial intelligence
(AI) scientist at the University of Essex and a machine learning researcher on
edge platform at the Samsung R&D Institute U.K. The university is in the
town of Colchester in Essex County, northeast of London.

Regardless of whether you are using a cloud platform,
software on a generic computing device, or edge devices, Dey suggests that
trusting the software and firmware you are using and allowing or enabling
proper authentication on the device is a good place to focus. “You do not want
your device to be hacked or abused by someone or something else; if a proper
trust model is not used while using a device or the services on it,” and if
proper authentication is not enabled, it is not just your device that is at
risk but also your data, Dey says.

A lesser known security issue in fog computing or edge
devices is vulnerability through covert channels or side-channel attacks. “It
is extremely easy and plausible to hack one of your computing cores (processing
elements) on your fog node so that silent snooping or tracing activities on
that node or on neighboring nodes could be collected… [and] exploited,” Dey
says. However, due to constrained resources on fog nodes, it becomes very
difficult for such malicious apps or a hacked CPU to act on the collected data until
it is transferred to somewhere else with more computational resources, he
notes.

Foggy use cases

There are a growing number of use cases for fog/edge
computing and each can have unique security challenges, Curran says. Examples
include autonomous vehicle operations, where edge computing helps find patterns
in sensor data to make real time driving decisions; traffic management, where
edge computing can analyze data from the traffic sensors and apply filters to
remove unnecessary data to reduce the overall data being sent; and remote
monitoring, where edge or fog computing can analyze and process data from IoT
devices as well as spotting problems and issuing alerts.

Putting fog in perspective, Doug Cahill, a senior analyst at
Enterprise Strategy Group headquartered in Milford, Mass., says it is part of a
megatrend — the erosion of the network perimeter. Whether it is the growth of
cloud or data gathering on the edge, it begs the question: What is the
perimeter today?

“Previously, cyber people had a network-centric orientation
but today we need to evolve,” he says. 
“When I think about the use case for edge and fog, for me, it becomes
about the asset that needs to be protected at those perimeters, which is
usually data; and that is why we have seen a resurgence of data loss prevention
(DLP) as a product category,” says Cahill.

So, one key for fog and edge is to understand where your
data is and then classify it so you can appropriately assign policies, Cahill
says. Of course, he notes, the data sets sitting on the edge might not be the
ultimate destination for an adversary; the edge might simply be an entry point
for a larger attack. Therefore, Cahill recommends network segmentation to
ensure that different parts of the network have defined privileges. Monitoring the
volume and type of network traffic coming from edge sites is also important to
detect and prevent distributed denial of service (DDoS) attacks.

Another big edge control tool that could help with fog
computing is a cloud access security broker (CASB), he says. Indeed, CASBs can
address problems that are even larger than fog. Sitting between an
organization’s own infrastructure on-premises and a cloud provider, CASB helps
extend security policies and functions in a gatekeeper role.

A foggy glass half full

Ultimately, there is not much about fog computing that is
truly exotic — most of the challenges are familiar but the scale is different.
Thanks to advancing technology, today we are enjoying some of the most useful
benefits through our edge devices and fog computing, but it is easy to forget
that the adversary or hacker has equally capable, if not more advanced,
technology at their disposal.

Even users have a role in the defense of the fog computing
model. As with any other IT asset, training personnel on the difference between
the cloud, fog, and edge computing is imperative to its successful
implementation, says Smith. That simple measure always applies because “the
more data that transmits the greater the risk,” he says. And, warns Dey, “If an
attack is targeted, then no devices or fog nodes are completely safe from the
attack.”

Lowering the latency on getting our analyzed results back
through fog/edge can reduce bandwidth costs over the network but we cannot lose
sight of cybersecurity’s importance on every corporation and their networks,
opines Smith. “As the growth of IoT continues to increase the demand for cloud,
fog and edge platforms, cybersecurity should always remain at the forefront,”
he adds.

“If we do not address security in a robust manner, then the benefits of edge/fog computing could be overshadowed by the malicious attacks which may take place,” Curran adds.

Comments are closed.