Considering physical and digital security at the edge after planned attack on AWS data center
A Texan man was recently arrested for allegedly planning to blow up an AWS data center in Virginia with plastic explosives. Attacks of this kind have been surprisingly rare, but the latest arrest follows a December 2020 bombing of an AT&T network exchange facility in Nashville, Tennesee which disrupted internet and cell services in the region for several days. Emerging threats to critical infrastructure pose an interesting security challenge for the burgeoning edge computing and edge data center markets.
Cloud and carrier-neutral data centers, on the whole, have a level of security that enterprises struggle to match in their own corporate locations. But what happens when compute and storage become more and more as distributed as infrastructure moves to the edge? Quite apart from the difficulties of securing hundreds and thousands of mini-data centers with traditional security measures, economies of scale start to disappear if providers need to further harden assets at the bases of thousands of cell towers, or some servers by the side of the road.
The upshot: securing the edge is going to require a new paradigm for asset protection.
Growing threats to physical (and digital) security
The threats are growing on both the physical and digital sides for infrastructure providers. Up to now, the internet infrastructure industry has been able to keep out of the limelight and to a certain degree avoid the kind of attack that AT&T recently experienced. With the rise of the edge, it is doubtful that can continue.
Firstly, the industry plans to play a central role in the roll-out of 5G, which is controversial among certain sections of the population. In the British city of Bristol, local protestors tore out some of the city’s mobile infrastructure after they heard that the city was conducting a 5G trial, not realizing they were endangering lives by ripping out the existing 4G emergency services communications network.
Secondly, as the cloud-delivered services become more central to daily life, the direction of the companies that provide those services will inevitably become more political. The row over Parler’s brutal removal from AWS—which is said to have inspired the recent planned bombing—is only the foretaste of what is to come.
Of course, there is nothing new about edge security challenges. IoT devices like CCTV cameras have been a popular target for hackers for more than a decade. Electronic devices often have their default passwords in place, with their owners unaware that their fridge or camera even has one. And yet, manufacturers are enthusiastically embracing the idea of making their cars or fridges or washing machines more like mobile phones all running an open-source OS. But what about the security risks if hundreds of thousands of air control units are running the same version of Android? Forget launching a bot attack—a successful hacker could crash the electricity grid.
Even more alarming was the recent SolarWinds attack, an event that showed that hackers don’t have to wait for cars to become mobile phones to stage a mass IoT/edge attack. Hackers targeted the popular SolarWinds Orion platform which is widely used by enterprises and government organizations to manage their infrastructure. In fact, it’s often used by data center managers to monitor and manage power systems remotely. SolarWinds was compromised and a software update it was working on was injected with malicious code before the build process was finished. The update went out to SolarWind’s tens of thousands of customers complete with a code signing certificate, a traditional method of authenticating software patches.
Perspectives on edge data center security
Rhonda Ascierto, VP of research at the Uptime Institute, recently took a look at the problems the edge faces in an interesting report discussing data center security.
“Edge data centers embedded in commercial buildings face some of the same challenges as mixed-use facilities. By their nature, edge data centers are near to users—in some cases, the general public—and may be in relatively unprotected physical locations (such as next to a busy street). This increases their vulnerability and therefore may require the use of safeguards in the IT itself (such as tamper-proof protective measures and extra encryption),” she wrote.
There are some security advantages at the edge, though, according to Ascierto. ‘The small size and self-contained nature of edge data centers can make them easier to shield.’ She says ‘Many are also likely to be hardened by distributed resiliency among multiple sites. However, this will not replace the need for physical hardening and protective processes facilities.’
Ascierto works for a data center certification organization and is taking the data center perspective, but there are also some interesting developments further up the stack which can also help.
The founder of SD-WAN pioneer VeloCloud, Sanjay Uppal, recently spoke at an Equinix event about the potential for Zero Trust security practices combined with the network slicing capabilities promised by 5G.
“An edge device can wake up and say I want a session lasting a period of time with 2ms latency. Network slicing means you can take a bunch of slices and hand it back,” he said. These ephemeral connections can be brought about in conjunction with Zero Trust services, where access is granted and lasts only as long as the type privilege and posture of the device can be checked.
The Zero Trust architecture is gaining a foothold in enterprise security, but is far from mainstream adoption; 5G and network slicing, in particular, is still in its infancy and the network is not fully software-defined, at least at the edge. But the potential is to at least mitigate what is probably the edge’s largest single problem is there.
When cloud began to emerge over a decade ago it was widely perceived to be a security risk even though mostly it offered better security than the on-premise alternative. Those perceptions inhibited the use of cloud in some applications in the early years of the market. We could see something similar with edge compute if a few isolated incidents become the focus of media coverage. Early adopters of edge are already looking to use preconfigured solutions to make management of a complex IT architecture viable; it’s incumbent on infrastructure and service providers to lay a secure physical and digital foundation for the edge.
VMware brings virtualization tech to wireless RAN for telco providers
The Next Evolution of the Cloud is at the Edge
Article Topics
5G | AT&T | AWS | edge data center | network slicing | physical security | security | Zero Trust
Comments