“Curiouser and curiouser!” said Alice. Alice didn’t know it, but she nicely summed up the IoT edge landscape. Just as Alice was constantly reacting to the new and unexpected dangers of Wonderland, the IoT edge presents new vulnerabilities that invite investigation and that should not be ignored, such as:
- Logistics mishandling which can pose unique risks at the edge;
- Infrastructure theft; and
- Direct tampering for extended durations of time.
A good example of a logistics mishandling is a “shipping abnormality” where a parcel is delivered to the wrong place. Think about how often you have experienced an e-commerce “shipping abnormality.” Now, what if that “shipping abnormality” was your pre-configured IoT edge server, ready for plug and play deployment? What would you be risking? Confidential company data? Customers’ private data? What news headlines might result? The IoT edge requires new security approaches for new user groups to complement the physical security mechanisms found in a traditional or cloud hosted datacentre. IoT edge infrastructure is not new, but as workloads continue to be pushed closer to data generation points, and prices of edge compute devices decrease, more and more devices are being purchased and deployed at the IoT edge. Meanwhile, the value of the data stored and processed on these IoT edge devices continues to increase.
Understanding the reality of the IoT edge
Unfortunately, infrastructure administrators cannot be at every IoT edge location to personally shepherd this growing vault of valuable data. Modern orchestration toolsets allow a wide array of security setup plus plug and play install, update and remote control of most purpose-built IoT edge devices. However, most of these devices have setup and operational tools that require a specialised skillset which is not commonplace for the typical IoT edge user. Security-related settings are deeply entrenched in setup and operational tools which are familiar to the infrastructure administrator back at the data centre – not with the IoT edge user who might be an employee in a location like a warehouse, grocery store, or construction site. This skill-gap is a vulnerability that inhibits the ability to establish and maintain security at the IoT edge.
Empowering the IoT edge user – no matter who it is
Understanding the IoT edge users’ capabilities and designing onboard security software with those specific needs in mind presents a huge opportunity to secure data. Providing tools that support the IoT edge user extends the reach of the infrastructure administrators and potentially saves cost and time to resolution when security situations arise. The infrastructure administrator and the IoT edge user work together to establish and maintain security at the edge. This means that whether you need to add compute horsepower to a manufacturing plant to enable real-time data feedback, or run a hyperconverged stack in a quick-serve restaurant for digital signage, point of sale operations and gathering food safety compliance data, the “IoT edge” can be anywhere and still be secure.
Detecting and thwarting tamper and theft
Even if your IoT edge user and infrastructure administrators can securely set up and operate edge devices, tampering and theft are a huge vulnerability. However, what if the IoT edge infrastructure could detect tamper or theft situations and do something about them? Built-in sensor technology for detection of these situations is key. The Lenovo ThinkSystem SE350 has an intrusion switch which can detect if the cover has been opened and secure the drives by encryption should such an event occur. See Figure 1.
Figure 1: Inside the ThinkSystem SE350, detail of intrusion switch.
Coupled with secure encrypted drive (SED) technology, the SE350 will encrypt all disk data as well as prevent power distribution to the host system. What’s more, this is how the system is shipped from Lenovo, therefore ensuring system security from point of manufacture. So how can an end user, say a retailer or manufacturer, actually use the SE350 at the IoT edge if it arrives with the drives encrypted and power not permitted to the host? Lenovo has developed the cloud managed ThinkShield Key Vault Portal and the ThinkShield Edge Mobile Management mobile application to facilitate unlocking whether the system is internet connected or in a completely air gapped infrastructure. These systems provide infrastructure administrators with centralized tools to manage unlocking of their fleet of IoT edge devices. The IoT edge user has a simple and secure way to participate in device and data security by unlocking the device locally via the mobile application.
Figure 2: Activating a SE350 using ThinkShield Edge Mobile Management App
With the ThinkShield Edge Mobile Management App, the IoT edge user is guided through a seamless activation process which authenticates device, user and cloud in a matter of seconds. Unlocking and decryption after a tamper event is also enabled via the ThinkShield Key Vault by utilizing the same mechanisms which unlocked the device from the factory state. See Figure 2.
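The tamper-to-lock-to-authenticated-unlock cycle described in the two sections above can be made concrete with a small model. The following Python is an added illustration written for this article; it is not Lenovo’s code and does not describe the actual ThinkShield protocol. It assumes a per-device activation secret provisioned at manufacture and mirrored in the administrator’s key vault, and uses an HMAC challenge-response so that the device itself needs no network connection to be unlocked (the air-gapped case): the device shows a one-time challenge, the vault (or the app holding the vault’s answer) computes the response, and the device verifies it. The class and device names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from enum import Enum


class State(Enum):
    FACTORY_LOCKED = "factory_locked"  # as shipped: drives locked, host power withheld
    ACTIVE = "active"                  # drives unlocked, host powered
    TAMPER_LOCKED = "tamper_locked"    # intrusion seen: drives re-locked, host powered down


class EdgeDevice:
    """Illustrative model of an edge server with an intrusion switch and SED-style locking.
    Assumption (not Lenovo's design): a per-device activation secret is provisioned at
    manufacture and mirrored in the administrator's key vault."""

    def __init__(self, device_id: str, activation_secret: bytes):
        self.device_id = device_id
        self._activation_secret = activation_secret
        self._media_key = secrets.token_bytes(32)   # stands in for the drive encryption key
        self._unlocked_key = None                   # None means the drives are locked
        self._pending_challenge = None
        self.host_power = False
        self.state = State.FACTORY_LOCKED
        self.audit = []                             # events an administrator would collect

    def intrusion_switch(self) -> None:
        """Cover opened: forget the unlocked key, cut host power, void any open challenge."""
        self._unlocked_key = None
        self._pending_challenge = None
        self.host_power = False
        self.state = State.TAMPER_LOCKED
        self.audit.append(("intrusion", self.state.value))

    def challenge(self) -> str:
        """One-time challenge the local user carries to the app; the device needs no network."""
        self._pending_challenge = f"{self.device_id}:{self.state.value}:{secrets.token_hex(8)}"
        return self._pending_challenge

    def unlock(self, response_hex: str) -> bool:
        """Verify the response; the challenge is consumed whether or not the response is right."""
        if self._pending_challenge is None:
            self.audit.append(("unlock_rejected", "no open challenge"))
            return False
        expected = hmac.new(self._activation_secret, self._pending_challenge.encode(),
                            hashlib.sha256).hexdigest()
        self._pending_challenge = None
        if not hmac.compare_digest(expected, response_hex):
            self.audit.append(("unlock_rejected", "bad response"))
            return False
        self._unlocked_key = self._media_key
        self.host_power = True
        self.state = State.ACTIVE
        self.audit.append(("unlock_ok", self.state.value))
        return True

    def can_read_disk(self) -> bool:
        return self.host_power and self._unlocked_key is not None


class KeyVault:
    """Illustrative central vault: holds each device's activation secret and answers
    challenges (the mobile app would relay or cache this answer for the on-site user)."""

    def __init__(self):
        self._by_device = {}

    def enroll(self, device_id: str, activation_secret: bytes) -> None:
        self._by_device[device_id] = activation_secret

    def answer(self, challenge: str):
        secret = self._by_device.get(challenge.split(":")[0])
        if secret is None:
            return None
        return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


def walkthrough() -> EdgeDevice:
    """Factory unlock, a tamper event, a stale-response attempt, then a fresh unlock."""
    vault = KeyVault()
    secret = secrets.token_bytes(32)              # constructed: provisioned at manufacture
    vault.enroll("se350-demo-001", secret)        # constructed device id
    dev = EdgeDevice("se350-demo-001", secret)

    first = dev.challenge()
    dev.unlock(vault.answer(first))               # activation at the site
    dev.intrusion_switch()                        # cover opened in the field
    dev.unlock(vault.answer(first))               # stale response: rejected, no open challenge
    dev.unlock(vault.answer(dev.challenge()))     # administrator-sanctioned recovery
    return dev


if __name__ == "__main__":
    for event in walkthrough().audit:
        print(*event)
```

Two design points carry over to any real deployment of this pattern: the challenge is single-use and is voided by the intrusion event, so a response captured before the cover was opened cannot reopen the device; and the audit list is what the infrastructure administrator would want forwarded centrally, since an `intrusion` entry with no following `unlock_ok` is the signal that a device in the field needs attention.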
So, is your IoT edge infrastructure secure? With new vulnerabilities being exposed daily, your security program may feel more like a journey than a destination. You can improve your overall security by adopting a proactive stance – one that seeks understanding of the IoT edge landscape, anticipates the unique needs of the users and utilizes the latest hardware and software security technologies.