Defending the Edge Data Center

Edge data centers are challenging for traditional security practitioners because they turn many established security policies on their heads. For example, instead of operating a single mantrap at one large facility, edge security managers must track dozens, or possibly hundreds, of mantraps at self-contained, unattended sites. The physical attack surface grows with every site, so it is far larger at the edge than at the core. Innovative countermeasures and best practices are emerging, however, that enable a robust security posture at the edge.

What is an Edge Data Center?

The first problem a security professional will run into in protecting an edge data center is getting consensus on the definitions of the words “edge” and “data center.” Any discussion of edge data center security must start from an agreed-upon definition of what is being protected.


The edge, the subject of much recent hype, is one of those flexible ideas that vendors and industry analysts tend to distort. Simply put, the edge is the edge of a network such as the internet, as opposed to the “core” of the network, which usually consists of hyperscale data centers. Edge computing places compute physically closer to end users than the core can. The main reason is lower latency.

With that in mind, what, exactly, is an edge data center? It depends. For some, it is a small-scale replica of a full data center, located where it can deliver low-latency compute to nearby end users. This might be a shipping-container-sized pod with built-in physical security, backup power, cooling and so forth. It could be a freestanding structure or an office with server racks installed. For others, an edge data center might be indistinguishable from an equipment cabinet.

Or, an edge data center might simply be a conventional hyperscale data center located close to end users. The Switch SuperNAP in Las Vegas, for example, one of the world’s largest data centers, is close enough to the city’s residents that they see about 14 milliseconds of latency to compute hosted there. Does that make Switch SuperNAP an edge data center? Yes and no. Consultants are still searching for more edge sites in Las Vegas, because for them “ultra-low latency” means one millisecond or less, so Switch SuperNAP will not do.

Making things more complicated is the variety of deployment options. The most common scenario, it seems, is the colocation model: IT departments envision renting racks in micro edge data centers and installing their own servers. There are also alternatives such as bare-metal hosting and edge cloud. In each case, the responsibility for security shifts. With edge cloud, for example, the provider will likely adopt a two-tier, shared-responsibility model, with the client responsible for application and data security, along with access control, and the provider responsible for the facility and the underlying infrastructure.

The best approach is to define an edge data center as distinct from a conventional data center that happens to be close to end users. For our purposes, an edge data center is a structure or container that hosts compute resources outside the controls of a large-scale data center. It is also safe to assume that there will be no permanent personnel on duty.

Mitigating Major Security Risks at the Edge

The edge does not present many novel security challenges, but it does shift the levels of risk for well-known threats. For example, in a hyperscale data center the risk of an unauthorized individual reaching physical devices is relatively low. In an edge data center, that risk is far higher, and countermeasures need to adapt accordingly.

Physical security is indeed a major concern at the edge. Edge data centers may be deployed in high-population areas where thousands of people will see them. A person intent on vandalizing the site or stealing its contents can get within a few feet of it, perhaps right up to the door. A truck could smash into it, too. Most edge data center designs feature robust physical security, but the unfortunate fact is that these sites are exposed in ways a traditional core data center never will be.

With heightened physical access risk in mind, standard practices such as identity and access management (IAM) and privileged access management (PAM) need to become more rigorous, and they need to cover physical entry as well as logins. If a malicious actor can create an administrative account for himself in the systems that govern site and server access, he may be able to enter an edge site, modify server settings or exfiltrate data before being detected. With no one on site to challenge him, the access logs and approval records are often the only evidence that something is wrong.

Data security at the edge is comparable to data security at the core, with a few differences. The risk of data loss is higher at the edge because of theft, vandalism and physical interference with the servers, so edge data centers should be configured with frequent backups that are replicated off site. Data at rest also needs to be encrypted in case someone gains unauthorized access to the device, and the encryption only helps if the key cannot be recovered from the stolen hardware itself: seal it to a TPM or have a central key service release it at boot, rather than storing it in the clear beside the data.

Thinking About Different Countermeasures

Best practices and standard policies for securing edge data centers are emerging in the industry now. Some policies are new, such as requiring motion-detection sensors on hard drives. The edge also turns optional controls, such as hardening servers against physical access, into mandatory ones. Frequent, automated hardware inventory is also a good idea: at an unattended site, a changed drive serial number or an unexpected device may be the first sign that someone has been inside the cabinet.
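One way to make automated hardware inventory useful as a tamper detector is to compare each scan with a baseline that is signed by a key held centrally, so that an intruder who reaches the box cannot simply rewrite the baseline to match the swapped drive. The script below is an added example, not code from the article or from Edge Site Partners. It assumes a collector already produces a flat list of components (kind, slot, serial, model) per site; the component records, the key and the site name are constructed for the example.

```python
"""Signed hardware-inventory baseline and drift detection for an edge site.

Added example. Inventory records below are constructed sample data, not
output from real hardware; FLEET_BASELINE_KEY is a placeholder.
"""
import hashlib
import hmac
import json
from typing import Iterable

# Assumed: this key lives in the central fleet service, never on the site.
# A baseline signed with it cannot be silently rewritten by someone who
# gains physical access to the box.
FLEET_BASELINE_KEY = b"example-key-held-centrally-not-on-site"


def canonical(inventory: Iterable[dict]) -> bytes:
    """Stable serialization so the same inventory always hashes the same."""
    items = sorted(inventory, key=lambda c: (c["kind"], c["slot"]))
    return json.dumps(items, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(inventory: Iterable[dict], key: bytes = FLEET_BASELINE_KEY) -> dict:
    """Produce a signed baseline document for one site (HMAC-SHA256)."""
    body = canonical(inventory)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"inventory": json.loads(body), "mac": tag}


def verify_baseline(baseline: dict, key: bytes = FLEET_BASELINE_KEY) -> bool:
    """Reject a baseline whose MAC does not match (edited or forged on site)."""
    expected = hmac.new(key, canonical(baseline["inventory"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def inventory_drift(baseline: dict, current: Iterable[dict],
                    key: bytes = FLEET_BASELINE_KEY) -> list:
    """Compare the current scan with the signed baseline; return (severity, message) findings.

    A component whose serial changed in the same slot is a swap, an unknown
    component is an addition, a missing one is a removal. A baseline that
    fails verification is itself a critical finding, because the comparison
    cannot be trusted.
    """
    if not verify_baseline(baseline, key):
        return [("critical", "baseline signature invalid; do not trust comparison")]
    base = {(c["kind"], c["slot"]): c for c in baseline["inventory"]}
    now = {(c["kind"], c["slot"]): c for c in current}
    findings = []
    for loc, comp in base.items():
        if loc not in now:
            findings.append(("high", f"{comp['kind']} removed from {comp['slot']} "
                                     f"(serial {comp['serial']})"))
        elif now[loc]["serial"] != comp["serial"]:
            findings.append(("high", f"{comp['kind']} in {comp['slot']} swapped: "
                                     f"{comp['serial']} -> {now[loc]['serial']}"))
    for loc, comp in now.items():
        if loc not in base:
            findings.append(("high", f"unexpected {comp['kind']} at {comp['slot']} "
                                     f"(serial {comp['serial']})"))
    return findings


# Constructed sample data for one site: the baseline signed at commissioning
# and a later scan in which one NVMe drive was swapped and a USB device appeared.
SITE_BASELINE = sign_baseline([
    {"kind": "nvme", "slot": "bay0", "serial": "S1", "model": "M"},
    {"kind": "nvme", "slot": "bay1", "serial": "S2", "model": "M"},
    {"kind": "nic", "slot": "pci:01:00.0", "serial": "N1", "model": "X"},
])

SITE_CURRENT_SCAN = [
    {"kind": "nvme", "slot": "bay0", "serial": "S1", "model": "M"},
    {"kind": "nvme", "slot": "bay1", "serial": "S9", "model": "M"},
    {"kind": "nic", "slot": "pci:01:00.0", "serial": "N1", "model": "X"},
    {"kind": "usb", "slot": "usb1-2", "serial": "U7", "model": "storage"},
]

if __name__ == "__main__":
    for severity, message in inventory_drift(SITE_BASELINE, SITE_CURRENT_SCAN):
        print(severity, message)
```

Run against the constructed scan, this reports the swapped drive in bay1 and the unexpected USB device, and nothing else. The signing step matters at the edge specifically: on an attended core site a tampered baseline file would be unusual, but at an unattended cabinet the baseline is as reachable as the hardware it describes, so it has to be verifiable with a secret the site does not hold.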

As these policies and practices coalesce, it may be best to think of the entire edge data center as an endpoint. Like an endpoint, it sits outside the core of the network and is at greater risk of attack, both physical and logical, than core digital assets. Endpoint detection and response (EDR) tooling may need to be adapted to cover a whole micro data center rather than individual machines, correlating physical signals such as door and chassis sensors with the logical activity on its servers.

Incident response workflows should similarly adapt to handle attacks on edge data centers. The changes may be subtle, but it is worth reviewing current playbooks for places where having many distributed sites, rather than a single core data center, changes the response. Notifications, escalation and containment steps will likely need to differ, since no one is on site to act.
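A concrete form of treating the site as the endpoint is to correlate the site's physical and logical events in one stream keyed by site. The script below is an added example, not code from the article or from any EDR product. It assumes door-controller, chassis-intrusion and server auth events can be collected with a site identifier; the event lines, site names, field names and approved-work windows are constructed for the example.

```python
"""Site-level correlation: physical access events joined with privileged logins.

Added example. The events, site ids, badge ids and approved maintenance
windows below are constructed samples; the field layout is an assumption.
"""
from datetime import datetime, timedelta

# Constructed sample events: (site id, ISO timestamp, source, detail).
EVENTS = [
    ("edge-lv-07", "2024-05-01T02:10:05", "door", "open badge=contractor-31"),
    ("edge-lv-07", "2024-05-01T02:10:40", "chassis", "intrusion node=n2"),
    ("edge-lv-07", "2024-05-01T02:12:12", "auth", "sudo user=svc-admin node=n2"),
    ("edge-lv-12", "2024-05-01T02:15:00", "auth", "sudo user=svc-admin node=n1"),
    ("edge-lv-07", "2024-05-01T09:30:00", "door", "open badge=tech-04"),
    ("edge-lv-07", "2024-05-01T09:33:00", "auth", "sudo user=tech-04 node=n1"),
]

# Assumed: approved maintenance windows per (site, badge), fed from ticketing.
APPROVED_WORK = {
    ("edge-lv-07", "tech-04"): (datetime(2024, 5, 1, 9, 0), datetime(2024, 5, 1, 11, 0)),
}

# How long after a door opens a privileged login is still treated as related.
WINDOW = timedelta(minutes=15)


def parse(event):
    """Split one raw event tuple into a dict with parsed timestamp and key=value fields."""
    site, ts, source, detail = event
    words = detail.split()
    fields = dict(kv.split("=", 1) for kv in words[1:])
    return {"site": site, "ts": datetime.fromisoformat(ts), "source": source,
            "action": words[0], "fields": fields}


def correlate(events, approved=APPROVED_WORK, window=WINDOW):
    """Return (site, alert_kind, detail) tuples for site-level patterns.

    Patterns:
      * door open outside an approved window            -> unapproved_entry
      * chassis intrusion on any node                   -> chassis_intrusion
      * sudo within `window` of a door open at the same
        site where the login user is not the badge holder -> physical_then_logical
    Events from other sites never match, so an admin login at a site with no
    door event is left alone.
    """
    parsed = sorted((parse(e) for e in events), key=lambda e: e["ts"])
    alerts = []
    door_opens = {}  # site -> [(timestamp, badge), ...]
    for e in parsed:
        site = e["site"]
        if e["source"] == "door" and e["action"] == "open":
            badge = e["fields"].get("badge", "?")
            door_opens.setdefault(site, []).append((e["ts"], badge))
            win = approved.get((site, badge))
            if not win or not (win[0] <= e["ts"] <= win[1]):
                alerts.append((site, "unapproved_entry",
                               f"badge={badge} at {e['ts'].isoformat()}"))
        elif e["source"] == "chassis" and e["action"] == "intrusion":
            alerts.append((site, "chassis_intrusion", f"node={e['fields'].get('node')}"))
        elif e["source"] == "auth" and e["action"] == "sudo":
            user = e["fields"].get("user")
            for ts, badge in door_opens.get(site, []):
                if timedelta(0) <= e["ts"] - ts <= window and badge != user:
                    alerts.append((site, "physical_then_logical",
                                   f"user={user} node={e['fields'].get('node')} "
                                   f"after door badge={badge}"))
    return alerts


if __name__ == "__main__":
    for site, kind, detail in correlate(EVENTS):
        print(site, kind, detail)
```

On the constructed events this raises three alerts, all for edge-lv-07: an entry with no approved ticket, a chassis intrusion, and a privileged login on the opened node under a different identity than the badge used at the door. The same svc-admin login at edge-lv-12 is not flagged because that site has no physical event, which is the point of scoping correlation to the site. A playbook written for a core data center would escalate the sudo alone; at the edge the combined pattern is what justifies isolating the whole site rather than one host.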

Conclusion

Security has to evolve if organizations want to defend digital assets hosted at the edge. The edge does not represent a radical shift in IT, but edge data centers are different enough that security managers need to rethink their countermeasures. In particular, they should recalibrate the emphasis they place on physical risks, and on how heightened physical risk affects standard policies for data security and access control.


Hugh Taylor

Hugh Taylor, CISM, is CEO of Edge Site Partners, a venture that works to solve real estate challenges facing edge computing companies. He has worked in the twin fields of cybersecurity and enterprise technology for over 20 years. As a writer, he has created content for such clients as Microsoft, IBM, SAP, HPE, Oracle, Google, and Advanced Micro Devices. He has served in executive roles at Microsoft, IBM, and several venture-backed technology startups.
