As the number and scope of internet of things (IoT) and other edge devices increase in the enterprise, so, too, must the focus on edge device security. Fortunately, there are a number of practical steps that organizations can take to harden their edge devices against attack and prevent them from being used to serve as platforms for attacking other devices on the network.
Organizations should look first at physical edge device security, and one of the most important things organizations can do to ensure physical edge device security is to acquire devices only from trustworthy sources. This is definitely not the time or place for off-brand bargain hunting. Indeed, edge devices purchased from obscure sellers are highly likely to contain back doors. Even if they don’t, they may harbor significant security vulnerabilities, and the chances that manufacturers of off-brand devices will provide regular firmware updates are slim.
Another important step is to adopt a centralized management system for devices at the edge of the network. Central management of IoT and other edge devices does not automatically guarantee edge device security, but it does enable organizations to more efficiently reduce devices’ attack surface.
For example, once an organization has implemented a solution for centrally managing its edge endpoints, the first thing it should do on the platform is make sure that all of the devices have been provisioned with the latest firmware updates. Just as operating systems and applications need to be patched to address newly discovered vulnerabilities, so, too, do edge devices.
Organizations should also focus on the way that the devices are configured. For example, make sure the devices are not using default passwords, and that any protocols not specifically required for the devices to function are disabled.
The ability to positively identify edge devices on a network is critical. In some cases, it may be possible to use an enterprise certificate authority to assign certificates to devices. These certificates can then be used to encrypt any traffic flowing to or from the device, while also allowing for positive device identification. In other cases, devices may need to be identified by their MAC address.
There are two reasons why it is so important to positively identify devices residing at the edge of the network. First, having a way to identify the devices connected to your network makes it easier to spot rogue devices. Second, you can begin to set up rules governing the use of the devices at the edge. If your edge devices connect to the network via Wi-Fi, for example, you can configure your wireless access points to allow only authorized devices to connect to the wireless network. Similarly, if you know what types of data your edge devices are normally sending, it may be possible to use an advanced firewall and intrusion detection system to look for suspicious traffic patterns.
This brings up another important point when it comes to edge device security: Devices that do not specifically need to communicate with one another should be placed on separate networks or on separate VLANs. That way, if an attacker does manage to compromise a device, it will be more difficult for the attacker to gain access to other edge devices.
Finally, it is important for organizations to review device configuration settings following every firmware update. Device manufacturers sometimes enable new features through these updates. If a new feature is introduced, it either needs to be configured in a secure manner or disabled if there are no plans to use it.
Firmware updates have also been known to reset one or more of a device’s internal settings back to factory defaults. If that happens, you will need to change the setting back to its previous state to maintain edge device security.
Edge computing is making it possible for organizations to serve customers faster and more reliably, but none of that matters if the model puts the network at risk. Organizations must improve their edge computing security posture as their use of edge computing expands.