Opportunities and risks of edge computing
The shift to cloud, which was already gaining momentum, accelerated significantly during the last 18 months as business reacted to new ways of working and new business models. Cloud can provide very significant security benefits, but these benefits can only really be realised with a proper understanding of the risks and obligations of the particular cloud model being used on each occasion. Cloud security has (rightly) become a discipline in itself; done badly, a move to cloud can significantly increase data security risk but done well it can significantly reduce risk. There is now a significant amount of guidance from standards organisations, national security bodies and industry on cloud risk and security management, and regulators are now referring explicitly to this sort of guidance when taking action.
A number of recent outages at edge computing service providers, which resulted in many websites being unavailable during the outage, has pushed edge computing into the public eye. Edge computing involves processing some data locally, in an attempt to deal with latency and network traffic issues which can arise from accessing data stored on cloud servers potentially thousands of miles away. For many uses, these constraints will not be an issue, but in other areas it can be problematic.
Edge computing can increase security, but it can also give rise to another layer of complexity. That can create new risks which should be properly understood and assessed, with appropriate processes and mitigations put in place. Where it involves additional network devices (such as IoT), edge computing will often create new attack surfaces. If it involves outsourced providers to shorten the distance to call on commonly processed data, it can create new points of failure. Those can have a significant impact on operational resilience and business continuity plans.
Determining what will happen, and putting in place appropriate technical measures, is an important part of risk planning. If the edge computing provider suffers an outage, what is the failover, and how does that impact the business? If data is being pulled from datacentres again rather than processed locally, what is the business impact, and can service levels be maintained? Is that process near-seamless, or will there be some downtime? What information or audit rights does the business have from an outsourced edge computing provider?
If the edge computing infrastructure involves significant IoT processing, with results only being sent back to datacentres, what is the impact of that? What data do the IoT devices need access to, and how will the business deal with network segregation to minimise risk arising from that (potentially very large) network of IoT devices? What is the long-term security risk profile of those devices, and how will that have managed? Most of those issues exist with IoT networks in any event but bear further consideration with edge IoT networks.
Autonomous vehicles represent perhaps the most obvious mainstream technology that will require significant edge computing capabilities. The scale of the challenge, and risks relating to, security in autonomous vehicles means that there is already significant research and guidance available (for example, from ENISA, CISA and the UK government among others). There is a trend of increasing legislation including minimum security requirements for IoT devices; to date this is focused on consumer IoT, but that may change in the near future.
A combination of cloud and edge computing seems here to stay for many industries, given the clear benefits it can bring. However, they change risk profiles across operational risk, data security and business continuity. Understanding and managing those risk profiles appropriately is crucial to obtaining the full benefit.
Author:
Baker McKenzie
Laura Foster
Laura is techUK’s Associate Director for Technology and Innovation.