Protecting edge data in the era of decentralization

The new paradigm shift towards the decentralization of data can be a bellwether for change in how organizations address edge protection.

Cyberattacks can exacerbate existing security issues and expose new gaps at the edge, presenting a series of challenges for IT and security staff. Infrastructure must withstand the vulnerabilities that come with the massive proliferation of devices generating, capturing and consuming data outside the traditional data center. The need for a holistic cyber resiliency strategy has never been greater — not only for protecting data at the edge, but for consolidating protection from all endpoints of a business to centralized datacenters and public clouds. 

But before we get into the benefits of a holistic framework for cyber resiliency, it may help to get a better understanding of why the edge is often susceptible to cyberattacks, and how adhering to some tried-and-true security best practices can help tighten up edge defenses.

The impact of human error

Conventional IT wisdom says that security is only as strong at its weakest link: Humans.

Human error can be the difference between an unsuccessful attack and one that causes application downtime, data loss or financial loss. More than half of new enterprise IT infrastructure will be at the edge by 2023, according to IDC. Furthermore, by 2025, Gartner predicts that 75% of enterprise-generated data will be created and processed outside a traditional data center or cloud.

The challenge is securing and protecting critical data in edge environments where the attack surface is exponentially increasing and near-instant access to data is an imperative.

With so much data coming and going from the endpoints of an organization, the role humans play in ensuring its safety is magnified. For example, failing to practice basic cyber hygiene (re-using passwords, opening phishing emails or downloading malicious software) can give a cyber-criminal the keys to the kingdom without anyone in IT knowing about it.

In addition to the risks associated with disregarding standard security protocols, end-users may bring unapproved devices to the workplace, creating additional blind spots for the IT organization. And, perhaps the biggest challenge is that edge environments are typically not staffed with IT administrators, so there is lack of oversight to both the systems deployed at the edge as well as the people who use them.

While capitalizing on data created at the edge is critical for growth in today’s digital economy, how can we overcome the challenge of securing an expanding attack surface with cyber threats becoming more sophisticated and invasive than ever?

A multi-layered approach

It may feel like there are no simple answers, but organizations may start by addressing three fundamental key elements for security and data protection: Confidentiality, Integrity and Availability (CIA).

• Confidentiality: Data is protected from unauthorized observation or disclosure both in transit, in use, and when stored.
• Integrity: Data is protected from being altered, stolen or deleted by unauthorized attackers.
• Availability: Data is highly available to only authorized users as required.

In addition to adopting CIA principles, organizations should consider applying a multi-layered approach for protecting and securing infrastructure and data at the edge. This typically falls into three categories: the physical layer, the operational layer and the application layer.

Physical layer

Data centers are built for physical security with a set of policies and protocols designed to prevent unauthorized access and to avoid physical damage or loss of IT infrastructure and data stored in them. At the edge, however, servers and other IT infrastructure are likely to be housed beside an assembly line, in the stockroom of a retail store, or even in the base of a streetlight. This makes data on the edge much more vulnerable, calling for hardened solutions to help ensure the physical security of edge application infrastructure.

Best practices to consider for physical security at the edge include:

• Controlling infrastructure and devices throughout their end-to-end lifecycle, from the supply chain and factory to operation to disposition.
• Preventing systems from being altered or accessed without permission.
• Protecting vulnerable access points, such as open ports, from bad actors.
• Preventing data loss if a device or system is stolen or tampered with.

Operational layer

Beyond physical security, IT infrastructure is subject to another set of vulnerabilities once it’s operational at the edge. In the data center, infrastructure is deployed and managed under a set of tightly controlled processes and procedures. However, edge environments tend to lag in specific security software and necessary updates, including data protection. The vast number of devices being deployed and lack of visibility into the devices makes it difficult to secure endpoints vs. a centralized data center.

Best practices to consider for securing IT infrastructure at the edge include:

• Ensuring a secure boot spin up for infrastructure with an uncompromised image.
• Controlling access to the system, such as locking down ports to avoid physical access.
• Installing applications into a known secure environment.

Application layer

Once you get to the application layer, data protection looks a lot like traditional data center security. However, the high amount of data transfer combined with the large number of endpoints inherent in edge computing opens points of attack as data travels between the edge, the core data center and to the cloud and back.

Best practices to consider for application security at the edge include:

• Securing external connection points.
• Identifying and locking down exposures related to backup and replication.
• Assuring that application traffic is coming from known resources.

Recovering from the inevitable

While CIA and taking a layered approach to edge protection can greatly mitigate risk, successful cyberattacks are inevitable. Organizations need assurance that they can quickly recover data and systems after a cyberattack. Recovery is a critical step in resuming normal business operations. 

Sheltered Harbor, a not-for-profit created to protect financial institutions — and public confidence in the financial system — has been advocating the need for cyber recovery plans for years. It recommends that organizations back up critical customer account data each night, either managing their own data vault or using a participating service provider to do it on their behalf. In both cases, the data vault must be encrypted, immutable and completely isolated from the institution’s infrastructure (including all backups).

By vaulting data on the edge to a regional data center or to the cloud through an automated, air-gapped solution, organizations can ensure its immutability for data trust. Once in the vault, it can be analyzed for proactive detection of any cyber risk for protected data. Avoiding data loss and minimizing costly downtime with analytics and remediation tools in the vault can help ensure data integrity and accelerate recovery.

Backup-as-a-service

Organizations can address edge data protection and cybersecurity challenges head-on by deploying and managing holistic modern data protection solutions on-premises, at the edge and in the cloud or by leveraging Backup as-a-Service (BaaS) solutions. Through BaaS, businesses large and small can leverage the flexibility and economies of scale of cloud-based backup and long-term retention to protect critical data at the edge — which can be especially important in remote work scenarios.

With BaaS, organizations have a greatly simplified environment for managing protection and security, since no data protection infrastructure needs to be deployed or managed — it is all provisioned out of the cloud. And with subscription-based services, IT stakeholders have a lower cost of entry and a predictable cost model for protecting and securing data across their edge, core and cloud environments, giving them a virtual trifecta of protection, security, and compliance.

As part of a larger zero trust or other security strategy, organizations should consider a holistic approach that includes cyber security standards, guidelines, people, business processes and technology solutions and services to achieve cyber resilience.

The threat of cyberattacks and the importance of maintaining the confidentiality, integrity and availability of data require an innovative resiliency strategy to protect vital data and systems — whether at the edge, core or across multi-cloud.

Rob Emsley is director of product marketing for data protection at Dell Technologies.