The Need for Tiered Security at the Edge

Enabling the networks of tomorrow requires organizations to radically reimagine the security tools they have in place today

One of the most disruptive results of digital transformation for many organizations has been the rapid emergence of the edge, which in many ways has been replacing the traditionally static network perimeter. The advent and support of an edge-based networking model enables organizations to expand their networks more dynamically, embrace mobile users, IoT, and end-user devices, build flexible and responsive WAN and cloud connections, and enable distributed processing.

Edge Computing

Edge computing lets organizations analyze important data closer to the edge of the network in order to respond to events in near real-time – a requirement for many industries, including health care, telecommunications, manufacturing, and finance.

Of course, the edge isn’t just one thing. Processing data closer to where it is created, instead of sending it across long routes to physical or virtual data centers, is increasingly required by devices such as smartphones, IoT devices, and mobile laptops. Time-sensitive services, such as smart cars operating at highway speeds, or new immersive applications that consume massive amounts of bandwidth running on 5G-enabled end-user devices, require real-time response and processing—which means they frequently need to be able to make autonomous decisions locally before sending data all the way to the datacenter or cloud for processing.

Edge Devices

Connecting from the edge back to the core network or centralized resources can take several forms. A single smart device can, of course, establish an encrypted VPN connection back to the corporate network. More complex systems, such as a local LAN deployed at a retail store or branch office, may leverage more sophisticated edge devices, such as specialized routers, routing switches, integrated access devices (IADs), multiplexers, and SD-WAN solutions. Even containers in the cloud have unique edge-based requirements. Regardless, edge devices need to work together to provide powerful and carefully managed entry points into enterprise or service provider core networks.

The fact is, every time an endpoint or IoT device, cloud container, or branch office needs to connect back to a core environment to deliver or collect data, process information, or run an application or workload, you have created an edge. You can also create multi-edge environments, such as when a branch office has a specific SD-WAN connection to enable interconnectivity with other branch offices and the core data center, and separate connections out to the public Internet or to cloud applications or environments.

Securing the Edge

From a security perspective, each of these instances of an edge requires protection. As we have seen time and again, the security of an organization is only as good as its weakest link. Applications, critical resources, sensitive transactions, and PII as well as other data often flow across these edge links, and organizations have a financial, and increasingly a legal, responsibility to secure that information.

But not all edge connections are created equal. A device at a branch network connecting to the public Internet may not require the same degree of security as a video conference connection where remote engineers are discussing the development of new intellectual property. Organizations need to strike a balance between securing critical data and managing limited resources such as bandwidth and technical overhead.

Creating Trust Levels 

As the number of devices needing access to the expanding and increasingly interconnected network continues to grow, how do you ensure that each new edge connection receives the security it requires?

This requires building a tiered security strategy around six guiding technologies:

1. VPN to secure data and connections. VPN encryption needs to be a baseline requirement for connectivity from the edge, especially for devices connecting over a publicly available network. However, basic SSL and IPsec encryption may not be adequate for some transactions, and organizations may need to augment the level of encryption required for some interactions or for access to certain data or resources.

Likewise, single points of connection may also be inadequate. Organizations also need to consider developing and maintaining a meshed VPN overlay that allows multiple devices, applications, and branch offices to securely interact and interconnect over a public network.

2. NAC for establishing identity and policy. Devices seeking network access need to be identified at the moment of connection, and appropriate policies need to be applied to that connection based on the authenticated identity of the device and user, the resources they intend to access, and other pertinent data, including where they are connecting from and even what time of day the connection is being made. Further, any policies assigned to that device need to follow it, so that security and network devices along the data path can participate in enforcing those policies.

3. Segmentation and microsegmentation for protection. Once a device has been identified, and an appropriate access policy has been assigned, the most secure next step is to dynamically assign it to a specific network segment where it can be closely monitored, access to unauthorized resources can be prevented, and devices or applications that begin behaving badly can be immediately quarantined.

4. Physical and cloud-based security that can see, manage, and inspect data. Connections not only need to be secured; the applications and data they carry also need to be inspected. This means that security tools need to be able to:

• Provide deep inspection of encrypted data at network speeds

• Implement levels of security based on the nature of the connection, across a variety of security solutions—from NGFW and IPS to application security and sandboxing

• Trigger a consistent response to detected security events across the entire distributed network

5. Centralized management for visibility and control. Devices need to be able to share and correlate threat intelligence through a single, centralized management and orchestration solution in order to distribute policy consistently, identify anomalous behaviors, and orchestrate a consistent response through tight correlation between security solutions.

6. SD-WAN for demanding branch connections. The WAN edge at the branch office requires the complex integration of advanced networking functionality, a broad suite of security solutions, and deep interconnectivity between branch locations as well as with other edges through a dynamic, meshed VPN overlay.
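The following Python policy engine is an added illustration, not code from the original column or from Fortinet; it ties the first three items together to show what "tiered" means in practice. A connection context (device, user, posture, requested resource, source network, hour, VPN type) is evaluated at the moment of connection: an unencrypted connection from a public network is refused, unmanaged devices never reach protected resources, critical resources demand IPsec and a business-hours window, and the connection is then placed in exactly the segment its tier calls for, with the inspection controls that tier requires. Devices flagged by monitoring can be quarantined and are refused on their next connection. The resource catalogue, segment and control names, and the business-hours window are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Trust tiers, lowest to highest. A connection is admitted to the
    segment of the tier its resource requires, never to a higher one."""
    BLOCK = 0
    BASELINE = 1   # VPN only, Internet-bound traffic
    ELEVATED = 2   # VPN plus inspection, ordinary business resources
    CRITICAL = 3   # strong VPN plus full inspection, restricted resources


# Hypothetical resource catalogue: the tier each resource demands.
# Anything not listed is refused (deny by default).
RESOURCE_TIER = {
    "public-internet": Tier.BASELINE,
    "crm": Tier.ELEVATED,
    "design-repo": Tier.CRITICAL,
}

# Segment and inspection controls per tier (names are illustrative).
SEGMENT = {
    Tier.BLOCK: "quarantine",
    Tier.BASELINE: "seg-internet",
    Tier.ELEVATED: "seg-business",
    Tier.CRITICAL: "seg-restricted",
}
CONTROLS = {
    Tier.BLOCK: (),
    Tier.BASELINE: ("vpn",),
    Tier.ELEVATED: ("vpn", "ngfw", "ips"),
    Tier.CRITICAL: ("vpn", "ngfw", "ips", "app-security", "sandboxing"),
}

BUSINESS_HOURS = range(8, 18)  # assumed window for critical access


@dataclass(frozen=True)
class Connection:
    """Constructed connection context, i.e. what NAC sees at connect time."""
    device_id: str
    user: str
    managed: bool   # device enrolled and posture-checked
    resource: str
    source: str     # "branch", "internet" or "cloud"
    hour: int       # local hour, 0-23
    vpn: str        # "none", "ssl" or "ipsec"


@dataclass(frozen=True)
class Decision:
    tier: Tier
    segment: str
    controls: tuple
    reason: str


class PolicyEngine:
    def __init__(self):
        self._quarantined = set()

    def quarantine(self, device_id):
        """Called when monitoring flags a device as behaving badly."""
        self._quarantined.add(device_id)

    def release(self, device_id):
        self._quarantined.discard(device_id)

    def evaluate(self, c: Connection) -> Decision:
        def deny(reason):
            return Decision(Tier.BLOCK, SEGMENT[Tier.BLOCK],
                            CONTROLS[Tier.BLOCK], reason)

        if c.device_id in self._quarantined:
            return deny("device quarantined")
        required = RESOURCE_TIER.get(c.resource)
        if required is None:
            return deny(f"unknown resource {c.resource!r}")
        # 1. VPN baseline: traffic arriving over a public network must be encrypted.
        if c.source == "internet" and c.vpn == "none":
            return deny("unencrypted connection from public network")
        # 2. Identity and posture: unmanaged devices stop at the baseline tier.
        if required >= Tier.ELEVATED and not c.managed:
            return deny("unmanaged device requesting protected resource")
        # Critical resources: augmented encryption and a time-of-day constraint.
        if required == Tier.CRITICAL:
            if c.vpn != "ipsec":
                return deny("critical resource requires IPsec VPN")
            if c.hour not in BUSINESS_HOURS:
                return deny("critical resource outside business hours")
        # 3. Segmentation: grant exactly the tier the resource requires.
        return Decision(required, SEGMENT[required], CONTROLS[required],
                        f"{c.user}@{c.device_id} admitted to {c.resource}")


if __name__ == "__main__":
    engine = PolicyEngine()
    print(engine.evaluate(Connection("lap-1", "alice", True, "design-repo",
                                     "branch", 10, "ipsec")))
    print(engine.evaluate(Connection("phone-7", "bob", False, "crm",
                                     "internet", 22, "ssl")))
```

The deny-by-default branches are the point: every refusal carries a reason that centralized management (item 5) can collect and correlate, and a quarantine decision taken anywhere is enforced at the next connection attempt regardless of which edge the device returns through.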

Conclusion

The growth of edge devices and edge computing is utterly transforming today’s networks, and the impending delivery of 5G will only drive that transformation faster and further. While the future of digital transformation is hard to predict, two things are certain: a) the legacy security solutions that brought us to this point cannot take us much further, and b) a one-size-fits-all approach to edge security is certain to fail. Enabling the networks of tomorrow requires organizations to radically reimagine the security solutions they have in place today.

John Maddison is Sr. Vice President, Products and Solutions at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.