Most security breaches result from a breakdown in fundamental security aspects. At the root of a best practice approach in IT/OT security is ‘Zero Trust’. The Zero Trust approach to security is based on the tenet that there can be no automatic trust – each separate network segment is inherently trusted with defined boundaries and flow. All-access inside or outside enterprise perimeters must be verified before granting access.
In the Zero Trust security model, all access to devices and resources are fully authenticated, fully authorized, and fully encrypted based on device state and user credentials, regardless of network or location. In this model, administrators can enforce, via policies, highly-specific access to resources. The user experience between local and remote access to enterprise resources is effectively identical. Implementing a Zero Trust layered security architecture with due considerations for people, process and technology are essential.
Securing Devices
Edge devices need to address security starting at the hardware and firmware level by leveraging silicon-based root of trust such as provided by the standard Trusted Platform Module (TPM). This prevents the cloning of edge devices or their data and serves as a trust anchor for other security functionality. Trusted Platform Modules also prevent access using cryptographic identities. Identity issuance, provisioning, and attestation services involving digital certificates and encryption keys are also key elements of a hardware-level security framework that proactively addresses vulnerabilities.
Securing Data
Securing data is the core challenge of any security paradigm. Data archives and configuration data are usually termed “data at rest” while data transmitted between devices or infrastructure is termed “data in motion”. It is important to make the distinction between data at rest and data in motion to devise the right protection mechanisms. Data at rest protection procedures require strong data encryption, robust password protection, and secure access protocols. When encrypting large data sets becomes infeasible, identifying and securing the critical data sub-sets is important. Data in motion requires a different approach. End-to-end encryption, strong authentication, secure transfer protocols, monitoring of file transfer activity, audit trails are just a few best practices that should govern data movement between edge systems and cloud infrastructure.
Securing Networks
Zero-trust networks make each application’s security as agile as the application itself while replacing weak identities such as IP addresses with bi-directional identity-based networking – including from hardware root of trust – with authentication at every point on the network (not just at the time of entry). When an applicated, connectivity is initiated as outbound-only from the customers’ environment further protecting against DDoS, port scans, brute force attacks and exploiting vulnerabilities, poorly written or unpatched code – commonly referred to as a software-defined perimeter (SDP). Connectivity is made on a least privileged access (LPA) micro-segmentation (i.e. only specified applications, services, ports, or protocols) and isolated approach meaning malicious software cannot laterally spread.
Securing Applications
Applications that run on edge devices are as critical as the devices themselves and the network. Application-level vulnerabilities can be the sources of zero-day attacks, denial of service, unauthorized system changes, and intrusions. Detection and prevention of application-based security issues require a proactive threat management approach using techniques that only allow pre-authorized applications to be run on specific hardware and prevent unauthorized instances of applications in the ecosystem.
People & Central Management
Social engineering and human errors rank high in the causes of breaches. Having policies that proactively address access control and privilege misuse is effective. Additionally, investments in training and awareness of security-related topics are essential for an effective strategy to eliminate users as potential causes of critical breaches.
Visibility of the network assets, detection of threats/anomalies, and centralized management of the security framework are also key for a proactive approach to industrial security. Monitoring and managing the network, the access for personnel, and the device estate allows administrators to have control over the network operation. With centralized views and dashboards, administrators can proactively ward off threats and prevent catastrophic breaches.
Summary
Any solution for distributed edge networks should be able to offer all the above aspects to be effective. Getting the right expertise and technology stack to match the needs of the enterprise settings will help stakeholders deploy security solutions that are not just secure but also scalable. In part 3 of this series, we will examine a Zero Trust reference design that simplifies the implementation of security in distributed edge networks.
Did you know that Arrow offers a wide range of Edge Cybersecurity Services that can help protect your business from cybersecurity attacks? See our services or get a quote today.
