Buzzwords are the lifeblood of technology: think cloud, cyber, app, virtualization and the ever-popular “things,” to name just a few. One of the newer additions to the vocabulary is “fog” — as in fog computing. It does not take too much imagination to suspect that fog could be a variant of cloud. Indeed, fog is viewed as an intermediate layer in network architectures, particularly those linked to ideas about how to wire the enormous world of things – the internet of things (IoT) — now being envisioned as an extension of the internet.
“When I was an independent consultant, if I told a potential customer my computing model was in the fog, the meeting probably wouldn’t have lasted long,” laughs Greg Scott, the author of multiple cybersecurity novels whose day job is senior technical account manager at Red Hat. Fog computing is a metaphor that you have to get used to; not quite in the cloud, not quite on premises, but in the fog, Scott adds.
To explain the concept, Scott suggests thinking of a smart IoT thermostat that sends temperature and humidity data to a backend server someplace “in the cloud.” Thermostats are a good example because every building has one or more and it makes the concept easy to visualize, he says. However, “in the cloud” might be too far away for monitoring purposes; perhaps it is more efficient if the databases for all the thermostats in a neighborhood live on a system co-located in the nearest telephone company central office. Perhaps the telco offers a nationwide thermostat monitoring service, and hosts regional databases at central offices around the country because the databases need to be close to the thermostats. That interim home for processing or storing data is the fog layer.
Although some edge computing visions place a considerable amount of processing and storage at the edge, the trend is toward placing those resources in the fog, as Scott describes. The fog layer then becomes a sub-segment of cloud to help to process and direct data closer to its sources from its origin point on the ‘edge.’
Its importance, according to Matthew J. Smith, director, computer science and cyber security programs at Bay Path University in Longmeadow, Mass., is that massive growth is expected in IoT-connected devices. “It is projected by Cisco that by 2020 there will be over 50 billion smart devices which will hinder our use of the cloud in its current state, since it will not be able to keep up with the bandwidth demand as it is currently designed.”
According to Smith, “as we increase our use of the internet of things we are relying more heavily on speed and bandwidth to get our results back to us.” The fog nodes are typically in close proximity to the end users or the data source and can be more responsive than the typical remote cloud, he says. But that new structure presents cybersecurity challenges, as well.
In the fog
All those intermediate fog devices are not in a secure server farm at a core datacenter, says Scott. Whoever operates that fog infrastructure needs a flexible, distributed security model, with easy to add and remove edge devices, and easy to relocate fog servers. In other words, fog security depends on edge security and vice versa.
Drew Farnsworth, partner at Green Lane Design, a company that architects datacenters, sees a similar challenge. While a fog node can be manifested in any size from a single server in a closet to an ultrahigh-density micro data center that packs 50kW into a box, “getting so close to the edge raises a host of security concerns,” says Farnsworth.
For one thing, since the locations are by definition spread out, they cannot have the same physical security as a massive data center. Likewise, because the intention of fog is to provide computation as close as possible to users, there is often a need for a great many nodes, “which means that there could be a distributed physical attack wherein many nodes are attacked simultaneously, overwhelming any possible security response,” he adds.
IEEE senior member, professor of cybersecurity,
Ulster University
On the bright side, notes Farnsworth, many of the other cybersecurity issues related to fog are identical to those of a traditional data center build but with more need for firewalls and robust network monitoring and architecture. But, “physical security must be top notch, including extreme intrusion prevention and surveillance,” he says.
Drilling further into the topic, Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, says that for fog, the biggest threats that exist within the network infrastructure are denial of service attacks, man-in-the-middle attacks, and rogue gateways. There are also the added risks of misuse of resources, privacy leakage, virtual machine manipulation, and injection of information, he notes.
As with so many cybersecurity challenges, the key tools to combat these threats are identity and authentication, access control systems, and securing the virtualized network infrastructure, Curran says. Software-defined networking and network function virtualization are helpful and “role-based access control policies can be used to provide inter-domain role mapping and constraint verification for secure distributed access control,” Curran adds.
“These end devices still follow the same security guidance as in previous years,” Curran opines, but the importance of ensuring they are safe and secure is even greater today. “We need to ensure that these devices are nestled inside a firewall to limit the ability for them to be infiltrated or hacked by bad actors,” he says. Patching and updating the software and firmware is your first line of defense and limiting access and maintaining a rigid access control list (ACL) is vital. “Ensuring that the proper roles and permissions are in place will provide additional accountability,” Curran says.
Lastly, he says, providing ample passwords that meet or exceed requirements and two factor authentication are also helpful.
Physical security concerns
Like Farnsworth, Curran believes organizations face a new set of physical security concerns given the distributed nature of the fog/edge computing model. “In this paradigm, there are numerous enabling technologies, such as distributed and peer-to-peer systems, wireless networks, and multitenant virtualization infrastructure; all of these components require hardening,” he says.
There is also the threat of physical damage, privacy leakage, service manipulation, privilege escalation, and even rogue data centers. Curran says because of the distributed nature of fog there is also an added factor: the latency of the security mechanism. The security ecosystem of the sensors and mobile devices also have to be considered.
embedded AI scientist, University of Essex
“Many [devices] run reduced instruction sets with weak encryption,” he says. And, while managing trust is a major concern, trust metrics can be utilized in this case in an autonomous fashion, he adds.
Since edge devices operate with limited computing resources along with limited power sources, the three most important parameters, which are required to be optimized on such devices, are performance, energy efficiency, and security, says Somdip Dey, an embedded artificial intelligence (AI) scientist at the University of Essex and a machine learning researcher on edge platform at the Samsung R&D Institute U.K. The university is in the town of Colchester in Essex County, northeast of London.
Regardless of whether you are using a cloud platform, software on a generic computing device, or edge devices, Dey suggests that trusting the software and firmware you are using and allowing or enabling proper authentication on the device is a good place to focus. “You do not want your device to be hacked or abused by someone or something else; if a proper trust model is not used while using a device or the services on it,” and if proper authentication is not enabled, it is not just your device that is at risk but also your data, Dey says.
A lesser known security issue in fog computing or edge devices is vulnerability through covert channels or side-channel attacks. “It is extremely easy and plausible to hack one of your computing cores (processing elements) on your fog node so that silent snooping or tracing activities on that node or on neighboring nodes could be collected... [and] exploited,” Dey says. However, due to constrained resources on fog nodes, it becomes very difficult for such malicious apps or a hacked CPU to act on the collected data until it is transferred to somewhere else with more computational resources, he notes.
Foggy use cases
There are a growing number of use cases for fog/edge computing and each can have unique security challenges, Curran says. Examples include autonomous vehicle operations, where edge computing helps find patterns in sensor data to make real time driving decisions; traffic management, where edge computing can analyze data from the traffic sensors and apply filters to remove unnecessary data to reduce the overall data being sent; and remote monitoring, where edge or fog computing can analyze and process data from IoT devices as well as spotting problems and issuing alerts.
Putting fog in perspective, Doug Cahill, a senior analyst at Enterprise Strategy Group headquartered in Milford, Mass., says it is part of a megatrend — the erosion of the network perimeter. Whether it is the growth of cloud or data gathering on the edge, it begs the question: What is the perimeter today?
director of computer science and cybersecurity programs,
Bay Path University
“Previously, cyber people had a network-centric orientation but today we need to evolve,” he says. “When I think about the use case for edge and fog, for me, it becomes about the asset that needs to be protected at those perimeters, which is usually data; and that is why we have seen a resurgence of data loss prevention (DLP) as a product category,” says Cahill.
So, one key for fog and edge is to understand where your data is and then classify it so you can appropriately assign policies, Cahill says. Of course, he notes, the data sets sitting on the edge might not be the ultimate destination for an adversary; the edge might simply be an entry point for a larger attack. Therefore, Cahill recommends network segmentation to ensure that different parts of the network have defined privileges. Monitoring the volume and type of network traffic coming from edge sites is also important to detect and prevent distributed denial of service (DDoS) attacks.
Another big edge control tool that could help with fog computing is a cloud access security broker (CASB), he says. Indeed, CASBs can address problems that are even larger than fog. Sitting between an organization’s own infrastructure on-premises and a cloud provider, CASB helps extend security policies and functions in a gatekeeper role.
A foggy glass half full
Ultimately, there is not much about fog computing that is truly exotic — most of the challenges are familiar but the scale is different. Thanks to advancing technology, today we are enjoying some of the most useful benefits through our edge devices and fog computing, but it is easy to forget that the adversary or hacker has equally capable, if not more advanced, technology at their disposal.
Even users have a role in the defense of the fog computing model. As with any other IT asset, training personnel on the difference between the cloud, fog, and edge computing is imperative to its successful implementation, says Smith. That simple measure always applies because “the more data that transmits the greater the risk,” he says. And, warns Dey, “If an attack is targeted, then no devices or fog nodes are completely safe from the attack.”
Lowering the latency on getting our analyzed results back through fog/edge can reduce bandwidth costs over the network but we cannot lose sight of cybersecurity’s importance on every corporation and their networks, opines Smith. “As the growth of IoT continues to increase the demand for cloud, fog and edge platforms, cybersecurity should always remain at the forefront,” he adds.
“If we do not address security in a robust manner, then the benefits of edge/fog computing could be overshadowed by the malicious attacks which may take place,” Curran adds.
