Best Practices for Edge Security
This article was written for and first published on Snapt, one of the world's leading experts in Software Security.
In the corporate fight against security threats, few problems are harder than edge security. A company can put extensive controls around its data, applications, and core data centers or cloud servers, but monitoring the security of the entire organization and everyone working for it is a much harder task.
What is Edge Security?
Edge Security refers to the security of all the corporate resources that live outside the protected data center: users, devices, and even external applications that still have some form of access to the corporate networks. Each of these still exposes the organization to risk if it is compromised.
Why is Edge Security difficult?
What makes Edge Security so difficult is that there are far more variables to contend with. Companies can control security around their core systems to a large degree with strict firewalls and access controls, but it is much harder to control every person and resource that can reach the corporate network. That does not mean it cannot be done, and the following best practices reduce risk at the edge.
1. Prioritize the 5 Ps
To start with, it is worth identifying the 5 Ps of Edge Security: People, Policies, Process, Products, and Proof. You must understand every critical aspect that forms your organization’s “edge” and prioritize them correctly when addressing the security gaps that can occur at each level.
First, and always critical, is people. Individuals need training and regular reinforcement of that training, and the organization needs a security-minded culture. There is no point in putting extensive technical measures in place if you cannot change how people think about security and how seriously teams take edge security.
Policies and procedures are the governance that enables and reminds people to maintain vigilance. This is about creating clear ownership and accountability for different aspects of Edge Security and making sure that the right measures are implemented with specific people taking responsibility for the implementation and enforcement of them.
Process covers what people must actually do to mitigate risk. Companies must not wait for incidents to occur before figuring out how to deal with them. These processes should be clearly documented, with plans for different incident levels, so that the instructions are clear on how specific personnel, systems, and the business as a whole need to respond.
Products might be the most challenging of the five Ps. It’s hard for IT organizations to make sense of what an end-to-end cybersecurity solution looks like. From hardware to software, from device to server, from network access to infrastructure protection, and from OT to IT, security needs to be considered across the board with synchronization between all the components. This requires an understanding of the communication needs between different systems and what level of security and access control is required across them.
Proof is the regular testing of products, processes, policies and procedures, and people to confirm that cyber risk is truly mitigated, or to find vulnerabilities and shore up those weaknesses. The trick is not to rely on one-off exercises but to put tools and teams in place to do this regularly. Without a regular cadence of testing and remediation, cybersecurity strategies can and will quickly become outdated and ineffective.
2. Separate Networks
Perhaps most critical is for companies to build separate networks that each serve a different purpose and that communicate, where they must, only through tightly controlled gateways such as a VPN or a firewall with explicit rules. Many companies want one big network with every system connected for operational efficiency, but in reality most people do not need access to most systems, and many systems can operate independently of others.
Rather, companies should keep certain critical systems completely separate from the rest of the organization. The majority of business operations should run on a network that does not connect to the critical systems in any way. They may also configure a guest network for personal devices, but it too must be separate from the other networks.
Separate networks can be inconvenient for people or systems that need to operate on both, because it forces them through a VPN or gateway whose rules allow only specific source and destination addresses. However, completely isolating critical operations from the edge greatly reduces the chance that a compromise on the edge network reaches critical systems, and that makes the inconvenience worth it.
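The allow-list segmentation described above, as an added example that is not from the original article: an nftables ruleset for a Linux router sitting between an office segment (the edge), a guest segment and a critical segment. The interface names, address ranges, VPN concentrator and bastion addresses are assumptions for illustration; everything not explicitly accepted falls through to the chain's drop policy and is logged.

```nftables
# Added example, not part of the original article. Interface names, address
# ranges and the VPN/bastion addresses below are assumed for illustration.
define OFFICE = 10.10.0.0/16      # staff workstations and laptops (the edge)
define GUEST  = 10.20.0.0/16      # personal devices
define CRIT   = 10.100.0.0/24     # critical systems
define VPN_GW = 10.10.0.5         # assumed VPN concentrator on the office side
define JUMP   = 10.100.0.10       # assumed single bastion host inside CRIT

table inet segmentation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows already accepted below.
        ct state established,related accept
        ct state invalid drop

        # Guest only gets to the Internet, never to office or critical ranges.
        iifname "guest0" ip daddr { $OFFICE, $CRIT } drop
        iifname "guest0" oifname "wan0" accept

        # Office gets to the Internet. Its only path into CRIT is the VPN
        # concentrator reaching the bastion on SSH, and that flow is logged.
        iifname "office0" ip saddr $VPN_GW ip daddr $JUMP tcp dport 22 log prefix "crit-access " accept
        iifname "office0" oifname "wan0" accept

        # Critical systems never initiate anything outward, so there is
        # nothing to accept from crit0. Everything else is logged and dropped.
        log prefix "seg-drop " counter drop
    }
}
```

Load it with `nft -f segmentation.nft` and confirm with `nft list ruleset`. The point of the design is that the critical segment is reachable from exactly one address, on exactly one port, and only through a host you can monitor; the `seg-drop` log lines are also a cheap early signal that something on the edge is probing where it should not.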
3. Zero Trust
This might sound at odds with companies that want to build trust into their business, but for edge security it is best to adopt a Zero Trust policy: no user or device is trusted simply because it is on the network, and every access is authenticated and authorized on its own.
This can be especially frustrating for employees who would like to use their USB ports to transfer personal data or connect to devices on outside networks, but these open a company to too many risks, and even well-intentioned employees make mistakes.
Companies should instead keep device and network permissions as restrictive as possible to keep the risk of a breach as low as possible. If someone genuinely needs to go beyond those permissions, they should use a device on a separate network for that purpose, or consult a security expert to assess the risk.
The same applies to training. Even though most staff are tired of the same regular security training, companies cannot assume people know what to do and need to keep reinforcing it for the foreseeable future.
4. Contingency and Redundancy
A lot of risk at the edge can be avoided if companies build in the right contingency and redundancy measures so that systems can keep operating safely when others are compromised. It may be expensive to run systems on more than one network, but it lets a company isolate a compromised network quickly while remaining operational, with the risk of further compromise significantly reduced.
The reason many companies do not do this is the sheer cost. It is all too easy to dismiss that cost as a wasted expense, because it means keeping more networks and systems operational than is strictly required, especially for edge systems that do not appear critical. However, in the event of a serious security failure, these companies will be glad to have a redundant secure network that lets them remain operational.
5. Proactive Monitoring
It’s not just a matter of having rules and gateways in place to protect your company’s Edge security. Companies must maintain visibility of what is going on across the organization.
Monitoring can be a sensitive topic, especially when it comes to monitoring individual machines on the network. The point though is not to check up on what people are doing, but for security teams to know when an unusual or suspicious event happens so that they can contain the situation before serious consequences occur.
Outside of company machines, it’s also important to have monitoring across all network access points, firewalls, and corporate servers to check the traffic going across the corporate networks, and to send additional notifications to security teams when abnormalities occur.
6. Regular Patching
We’ve spoken about patching often and for good reason. Most patches contain important security updates, and companies that delay them stay exposed to known vulnerabilities for longer.
Patching can feel inconvenient because of how many updates there are and how often they arrive, but it is a key component of keeping an organization secure and should never be skipped. Companies should build in the time and processes to let every device and application be updated, especially at the edge, and put measures in place to keep devices and applications without the latest updates off specific networks.
It is also worth noting that the more regularly you patch, the smaller each update is and the less risky each patch becomes. Teams that allow long intervals between patching make the collective update larger than intended, which increases the testing required and the number of things that can go wrong.
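The posture gate implied by the patching section above and by the Zero Trust section earlier, as an added example rather than the article's own code: a small Python policy that decides which network segment a device may join, and raises an alert for the security team whenever a device gets less than it asked for. The 30-day patch threshold, the segment names, the critical-segment allow-list and the sample inventory are all assumptions for illustration.

```python
"""Added example (not from the original article): a posture gate that places
a device on a network segment based on management state and patch age.
All thresholds, names and sample devices are assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: a device more than 30 days behind on patches is out of date.
MAX_PATCH_AGE_DAYS = 30
SEGMENTS = ("critical", "corporate", "quarantine", "guest")
# Assumed allow-list: only these managed devices may ever join the critical segment.
CRITICAL_ALLOWLIST = frozenset({"ops-jump-01"})


@dataclass(frozen=True)
class Device:
    name: str
    managed: bool                 # enrolled in company device management
    last_patched: date | None     # None means unknown, treated as never patched
    requested: str                # segment the device asked to join


def is_patch_current(device: Device, today: date) -> bool:
    """True if the device was patched within MAX_PATCH_AGE_DAYS of today."""
    if device.last_patched is None:
        return False
    return today - device.last_patched <= timedelta(days=MAX_PATCH_AGE_DAYS)


def decide_segment(device: Device, today: date) -> tuple[str, str]:
    """Return (segment granted, reason). Checks run from most to least
    restrictive, and a device is never granted more than it requested."""
    if device.requested not in SEGMENTS:
        return "quarantine", f"unknown segment {device.requested!r}"
    if not device.managed:
        return "guest", "unmanaged device"
    if not is_patch_current(device, today):
        return "quarantine", "patch level older than policy"
    if device.requested == "critical" and device.name not in CRITICAL_ALLOWLIST:
        return "corporate", "not on critical-segment allow-list"
    return device.requested, "policy satisfied"


def evaluate_inventory(devices: list[Device], today: date) -> tuple[dict[str, str], list[str]]:
    """Apply the gate to every device. Returns the placements plus an alert
    for each device that did not get the segment it asked for, so the
    security team hears about it at the time rather than later."""
    decisions: dict[str, str] = {}
    alerts: list[str] = []
    for device in devices:
        segment, reason = decide_segment(device, today)
        decisions[device.name] = segment
        if segment != device.requested:
            alerts.append(f"{device.name}: requested {device.requested}, "
                          f"placed in {segment} ({reason})")
    return decisions, alerts


# Constructed sample inventory (illustrative, not real hosts).
TODAY = date(2024, 3, 1)
SAMPLE_DEVICES = [
    Device("ops-jump-01", True, date(2024, 2, 20), "critical"),   # current, allow-listed
    Device("laptop-044", True, date(2024, 2, 25), "critical"),    # current, not allow-listed
    Device("laptop-107", True, date(2023, 11, 2), "corporate"),   # months behind
    Device("laptop-233", True, None, "corporate"),                # patch state unknown
    Device("byod-phone", False, None, "corporate"),               # personal device
    Device("laptop-310", True, date(2024, 2, 28), "corporate"),   # current
]

if __name__ == "__main__":
    placements, notices = evaluate_inventory(SAMPLE_DEVICES, TODAY)
    for name, segment in placements.items():
        print(f"{name:12} -> {segment}")
    for notice in notices:
        print("ALERT", notice)
```

Treating an unknown patch state the same as a stale one is deliberate: a device that cannot prove it is up to date should not be trusted on the corporate segment, which is the Zero Trust stance the article recommends.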
It is clear that vital systems and all confidential data need to be well protected, but the risk does not end there: every component and system of a corporate network needs protection as well.
Much like every other aspect of security, companies cannot afford to compromise on their edge security and should build a strict set of measures and implement the right systems to mitigate the risks. There is no one quick solution to the problem though, and it’s important that companies take a multi-pronged approach to ensure they keep every aspect of their edge secure.