Edge security provides protection for resources beyond the edge of the traditional network. The fastest growing need stems from edge computing for the Internet of Things (IoT) such as fitness bands, self-driving cars, and retail point-of-sale (POS) registers. However, the same need for security exists for remote workers, cloud computing networks, and operational technology (OT) such as smart industrial pumps, temperature sensors, and industrial control systems (ICS).
In this eSecurity Planet guide, we will examine edge security solutions through the following topics:
- Why Is Edge Security Needed?
- How Edge Security Works
- 5 Top Options for Edge Security
- Bottom Line: Edge Security Protects the Evolving Organization
Why Is Edge Security Needed?
Data no longer lives safely behind the firewall and within corporate data centers. Instead, data is now processed in branch offices, retail locations, factories, and a host of IoT devices. Even though most of these assets reside outside of the corporate firewall’s protection, these devices are considered to be the edge of the network, and the core of the network is the cloud or locally-hosted data center.
Attackers, both malicious insiders and outside threats, seek to hijack communication streams, steal credentials, and remotely attack devices. These attacks gain access to the larger network, steal sensitive data, or compromise credentials for further attacks. While branch offices and some retail locations can be protected by traditional measures such as next generation firewall (NGFW) appliances, such expensive, large, and fragile equipment will often be inappropriate for the edge for the following reasons:
- Asset mobility of users and IoT prevents the installation of fixed security devices in a single location
- Expertise limitations at edge locations can make it impossible to properly install and configure equipment
- Physical size limitations of personal devices such as fitness trackers make adding hardware impossible
- Scale requirements to manage the maintenance, access, and security profiles of hundreds or thousands of remote devices become too cumbersome for traditional management systems
Additionally, even as the number of assets and users continues to grow, organizations cannot necessarily increase their staffing and equipment at the same pace. Organizations require a centralized management capability that can scale without adding much additional work.
How Edge Security Works
Edge security replaces traditional appliances with solutions that extend security from the cloud to the remote assets. Edge security does not directly protect the endpoint device (laptop, server, IoT, etc.), data center, or cloud applications; however, it creates a hardened and monitored connection between them all.
The type of technology adopted will determine the nature of the layers of security deployed between the data center, cloud resources, and edge assets. In all cases, the technology will need to protect against attacks and create secure connections. Common features will include:
- Antivirus and antimalware detection and blocking
- Cloud access security broker (CASB)
- Intrusion detection and prevention systems (IDS/IPS)
- Network access control (NAC)
- Next generation firewall (NGFW)
- Secure web gateway (SWG)
- Software defined wide area networking (SD-WAN)
- Unified threat management (UTM)
- URL and domain filtering
- Vulnerability management
- Zero trust network access (ZTNA)
More robust edge security options will also be context aware and able to provide different levels of connections based upon the users, edge devices, and type of data as well as the resource requested for the connection. Artificial intelligence (AI) and machine learning (ML) analytics are also becoming common additions to many of the major offerings.
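A context-aware decision of this kind, sketched as an added example that is not taken from any vendor's product: the groups, resources, access levels and rules are all hypothetical and constructed for illustration. It combines user, device, data type and requested resource into one connection level, and denies by default.

```python
from dataclasses import dataclass

# Hypothetical access levels, ordered from least to most access.
LEVELS = ["deny", "read_only", "full"]

@dataclass(frozen=True)
class Request:
    user_group: str       # e.g. "finance", "contractor" (constructed names)
    strong_auth: bool     # MFA for a user, or an equivalent strong check
    device_managed: bool  # device is enrolled in central management
    device_patched: bool  # result of a device posture check
    resource: str         # e.g. "payroll-db"
    data_class: str       # "public", "internal" or "restricted"

# Constructed entitlements: any (group, resource) pair not listed is denied.
ENTITLEMENTS = {
    ("finance", "payroll-db"): "full",
    ("contractor", "wiki"): "full",
}

def cap(level, ceiling):
    """Return the lower of two access levels."""
    return LEVELS[min(LEVELS.index(level), LEVELS.index(ceiling))]

def decide(req):
    """Return (level, reasons) for one connection request."""
    level = ENTITLEMENTS.get((req.user_group, req.resource), "deny")
    if level == "deny":
        return "deny", ["no entitlement for this group and resource"]
    if not req.strong_auth:
        return "deny", ["strong authentication not satisfied"]
    if req.data_class == "restricted" and not req.device_managed:
        return "deny", ["restricted data requires a managed device"]
    reasons = []
    if not req.device_managed:
        level = cap(level, "read_only")
        reasons.append("unmanaged device")
    if not req.device_patched:
        level = cap(level, "read_only")
        reasons.append("device failed posture check")
    return level, reasons or ["all context checks passed"]
```

Returning the reasons alongside the level gives the centralized reporting side something to log for every downgraded or denied connection.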
In addition to security features, edge security will provide centralized control and distributed access points. Centralized control allows for consolidated visibility and reporting of all edge assets as well as the determination of levels of security that will be pushed out to all edge assets. Distributed access points provide many different local and secure network or cloud access points for low-latency and high-speed connections.
5 Top Options for Edge Security
Edge security can be cobbled together using a variety of traditional security tools and techniques such as NGFW, wide-area networks (WAN), routers, URL filtering, whitelisting, and IDS/IPS. However, many IT and security teams may prefer more turnkey solutions that can enable faster speed, centralized control, and integrated security.
Many of the as-a-service (aaS) solutions will be cloud-hosted, which enables rapid deployment and easy scalability — both up and down. Some tools will also deploy AI or ML to provide advanced protection against attacks, turbocharge analysis, and even detect problems automatically.
The top options for edge security are:
- Firewall-as-a-Service (FWaaS)
- Network-as-a-Service (NaaS)
- Secure access service edge (SASE)
- Secure service edge (SSE)
- Zero trust edge (ZTE)
Firewall-as-a-Service (FWaaS)
FWaaS providers generally replace NGFW and SWG appliances throughout an organization. FWaaS provides fully monitored and inspected traffic as well as URL filtering and other anti-malware security measures.
FWaaS fully monitors and controls access for users and applications and provides centralized reporting, visibility, and control for administrators. FWaaS generally does not perform microsegmentation or other network operations functions and monitoring.
Network-as-a-Service (NaaS)
NaaS providers consolidate management and control of a network for a fixed monthly rate. There are several different levels of service, from equipment-only NaaS to fully managed and implemented NaaS (with or without physical equipment).
Organizations that need to equip branch offices or stores will often select a NaaS provider that deploys on-premise equipment such as routers and switches. However, fully mobile deployments typically require cloud-based NaaS providers. Cloud-based NaaS deployments can easily scale and are used to replace load balancers, firewall appliances, and virtual private network (VPN) solutions.
NaaS delivers edge security through faster updates, centralized control, less need for maintenance, built-in encryption, and fully-monitored connections between edge devices and other resources. Some NaaS providers enable device access control, multi-factor authentication (MFA), micro-segmentation, and even ZTNA capabilities. Simpler NaaS solutions may need to be used in combination with more robust identity and access management (IAM) tools, SWGs, or a CASB.
NaaS does not generally provide traffic inspection capabilities. This may be a plus for companies that require secrecy for their data and prefer to do their own inspection of all data. To enable anti-malware capabilities, NaaS will need to be combined with SWGs or IDS/IPS solutions.
Secure Access Service Edge (SASE)
SASE provides a complete and turnkey solution for edge security with a full range of features such as access control, network segmentation, and traffic inspection to prevent malware. Organizations that do not adopt SASE solutions often prefer to work with multiple vendors or only need a subset of the features and do not see value in the cost for the full feature set.
Secure Service Edge (SSE)
SSE provides a full set of access controls, anti-malware filtering, and packet inspection features. SSE provides nearly turnkey edge security features with the exception of SD-WAN capabilities.
Organizations with existing WAN or SD-WAN solutions often prefer to obtain an SSE solution to create a complete edge security solution. Organizations that pass on SSE will usually do so for the same reasons as they pass on SASE: they are reluctant to use a single solution, or they simply don’t need all of the capabilities and do not find value for the cost of the SSE.
Zero Trust Edge (ZTE)
Forrester defined ZTE as “a safer on-ramp to the internet for organizations’ physical locations and remote workers” that is close to SASE in capabilities but with an emphasis on zero trust access principles. Most vendors will claim that their SASE offering is also a ZTE solution, but organizations will need to check if the vendor’s actual zero trust capabilities live up to their needs.
Bottom Line: Edge Security Protects the Evolving Organization
The edge is here to stay. Some organizations simply need to secure their branch offices and remote users, and others have voluminous IoT resources and true edge computing needs. In either case, these resources lie outside of the practical protection of most traditional security and networking solutions.
Organizations of all sizes need to consider edge security solutions as they grow and evolve. These solutions offer effective means to lock down remote and cloud assets from attackers inside and outside of the organization.