Building an End-to-End NFV & Applications Stack Powered by Kubernetes and ONAP

By Akraino Edge Stack, Blog

Written by Sagar Nangare, an Akraino community member and technology blogger who writes about data center technologies that are driving digital transformation. He is also an Assistant Manager of Marketing at Calsoft.


In this article, we’ll look at how open source projects like Kubernetes, ONAP and many others can be stacked to build a Network Function Virtualization (NFV) framework that is identified as an Akraino Integrated Cloud Network (ICN) blueprint.  We’ll outline the step-by-step inclusion of open source projects for various purposes (security, monitoring, orchestration, etc.). Readers will leave with an understanding of the role each open source project will play in the stack.


Here are some key terms that I use throughout this article:

NFV: Network Function Virtualization

ONAP: Open Network Automation Framework

CNF: cloud-native network functions

VNF: Virtual Network Functions

Akraino ICN Blueprint: Akraino Integrated Cloud Network or Akraino Edge Stack is a Linux Foundation project for edge computing infrastructure. It is one of the internal projects or blueprints dedicated to the cloud native NFV stack.

CNI: container-native interface

What is NFV (Network Function Virtualization)?

NFV is a concept of transforming hardware-based network functions into software-based applications. It simply decouples network functions from proprietary hardware without impacting performance.

Why do we need NFV?

  • Management and orchestration of thousands of network resources from a central location
  • Enable network programmability
  • Allow dynamic scaling of network resources
  • High level automation in the network
  • Monitoring of resources and network connectivity
  • Ability to integrate new services
  • Optimization of network performance

The main reasons for enterprises and service providers to adopt NFV include: a vast scale of network resources containing different types of network equipment from different vendors, reducing the CAPEX and OPEX for network infrastructure, delivering services in an agile manner and enabling scalability and elasticity of network infrastructure to support rapid technology innovation.

Open Source for NFV

Kubernetes and ONAP are the key open source projects for this NFV stack. Using Kubernetes at the edge is something that leading networking solution companies are evaluating to provide dynamic capabilities managed from a central cloud. If you aren’t familiar with ONAP, it is a platform for real-time, policy-driven orchestration and automation of physical and virtual network functions.

We’ve already seen how Kubernetes is used in NFV as a backbone for cloud-native evolvement. This push for Kubernetes to dive into the NFV stack opens up possibilities for other open-source projects to make up the NFV backbone of enterprise and telecom networks. And further, Kubernetes will enable more automation and dynamic orchestration of application and infrastructure resources across the NFV-powered network.

Additionally, since various edges or hubs are involved in the typical 5G and enterprise network backed by NFV architecture, open-source projects like ONAP and Akraino blueprints are coming up with specific modules for critical orchestration and monitoring tasks.

Now that we’ve acknowledged the major role of Kubernetes and ONAP, let’s focus on the exact needs for a complete end-to-end NFV stack that will innovate a software-driven network. Let’s also look at how we can address those needs by combining different open source projects to power a 5G network and enterprise WAN.

Why Do We Need an End-to-End NFV Stack?

Currently, the IT infrastructure of enterprises and communication service providers is transitioning from centrally managed to geographically distributed. 5G presents the prominent use case for edge nodes or hubs as the initial level data center to communicate with IoT devices and host application services. And enterprises are deploying SD-WAN with edge-like capabilities.

In such architectures, workloads types like microservices, virtual network functions (VNFs) and cloud-native network functions (CNFs) are distributed. All those workload types are orchestrated by different solutions like Kubernetes and commercial solutions provided by VMware, Red Hat and Rancher.

In Figure 1, we can see that it’s difficult to manage all the workloads with different orchestrators, for several reasons. Security policy enforcement and monitoring of distributed nodes differs from centralized ones. You’ll need to manage all clouds and applications deployed on them and get insights about the performance of resources deployed on different edge sites. Additionally, this transition will cost the enterprises and telecom network providers.

Last year at ONS Europe (Open Networking Summit), Srinivasa Addepalli (Intel) and Ravi Chunduru (Verizon) discussed using Kubernetes with ONAP4K8S, a sub-project in ONAP. This stack would manage all the applications and network functions spread across multiple Kubernetes clusters hosted on different edge nodes or data center infrastructures. They showed how a single pane of glass can orchestrate different edge sites, multiple clouds and network traffic.

Let’s See How it Works

In the presentation, Srinivas and Ravi showed an SD-WAN enterprise edge with microservices deployed in clusters and VNFs and CNFs present in an NFV stack. A request for data access generates the traffic that steers from pods to the internet through different VNFs, CNFs and external routers. Some of the microservices can be user-facing, with low latency needs. In this case, you need a multi-traffic orchestrator that controls the traffic flow and prioritizes the user-facing applications to deliver optimal performance.

Figure 3 shows the stack with the traffic orchestrator. In this scenario, the Istio service mesh framework couples the microservices deployed at different edge sites. IPAM Manager ensures that each site is assigned a unique IP subnet and avoids assigning overlapping addresses to microservices/functions.

As we have seen, microservices, along with VNFs and CNFs, span multiple edge sites or clouds. So, we need a multi-zone manager (Figure 4).

Edge sites may face targeted attacks by external threats that can compromise network communication channels, microservices-based apps, software, and SSD/HDD. In Figure 5, we’ll use a new orchestrator called Multi-security orchestrator that uses CA Service, key distribution and attestation. You can integrate Istio, Vault project and Keycloak project with the Multi-security orchestrator to protect sensitive data as well as manage identity and access. In fact, you can run Istio from the central multi-cluster security orchestrator.

Further, a Multi-Cluster Security Orchestrator lets you monitor all the applications, VNFs and CNFs to check the health status and performance of multi-cluster app visibility and monitoring modules. Figure 6 shows how you can integrate Prometheus, Jaeger and Fluentd on each edge site for data monitoring and collect the data logs for analysis at a central location.

Now we have a complete NFV stack, called an Akraino ICN (Integrated Cloud Network) blueprint.

The major frameworks used in the end-to-end NFV stack include ONAP4K8s, OVN4K8sNFV, Kubernetes and Akraino SD-EWAN.

You can use ONAP4K8s as a Multi-Cloud/Cluster orchestrator to perform the following tasks:

  • Single-click applications deployment
  • Auto-configuration of service meshes
  • Auto-configuration of SD-WAN to facilitate connectivity among micro-services in multiple clusters
  • Parent CA and Child CA cert/private key enrollment for each edge/zone

You can use Kubernetes to orchestrate microservices-based applications and NFV-specific components like Multus, OVN4K8SNFV and SRIOVNIC as well as application components including Istio and Prometheus. OVN4K8sNFV works as a CNI (container-native interface) that supports multiple types of workloads, such as apps, CNFs, VNFs, etc.

Finally, Akraino SD-EWAN provides overlay connectivity among the Kubernetes clusters.


In this article, I’ve highlighted several open source projects that can be useful for various NFV tasks. Most of these projects are mature and widely integrated into different domains at different scales. Each of the open source projects addresses various features in the NFV stack. You need to determine the key capabilities from open source projects for each NFV feature. You can get more information about implementation details and ongoing development from Akraino ICN and learn more about the NFV stack.

For more information about Akraino Blueprints, click here: Or, join the conversation on the LF Edge Slack Channel. #akraino-blueprints #akraino-help #akraino-tsc

EdgeX Foundry China Project Q1 Recap

By Blog, EdgeX Foundry

Written by Gavin Lu, LF Edge member, EdgeX Foundry China Project Lead and R&D Director in the VMware Office of the CTO

The EdgeX Foundry China Project launched in December 2019 with an active community in China that leveraged as many resources provided by LF Edge and the EdgeX Foundry global community as possible. We’re happy to report that the first quarter has been a success.

All of our content is curated on the China Project wiki site. Three monthly meetings were conducted on Jan 10, Feb 14 and Mar 6, where core contributors from VMware, Intel, Thundersoft, CertusNet, EMQ, IoTech and other active companies discussed the project, activities and outreach.

Webinars of technical talks

One of our focuses is to raise awareness for EdgeX Foundry in China and encourage developers to get more familiar with the EdgeX framework, unblock obstacles and boost their interest to contribute to the innovation of the community. We planned a hackathon and hosted a tight series of weekly webinars to introduce EdgeX Foundry components and code level analysis. We hosted six sessions led by VMware, Thundersoft,  IoTech and Intel with more than 500 developers attending these sessions.

Direct code contributions

The first result of our Virtual Sandbox came out in Q1. EMQ published Kuiper, an OSS rule engine project for the edge and IoT space, last winter, and they had a strong interest in contributing to the EdgeX Foundry community. The China Project connected EMQ with the appropriate technical leaders in the EdgeX Foundry global community and hosted the initial round of technical discussion meetings. It has now been agreed to include the Kuiper container in the EdgeX Docker Compose file, with that integration targeted for the Geneva release in Apr 2020. EMQ has set up biweekly meetings with the EdgeX App WG to ensure that happens. This is the second major contribution from China to the EdgeX community after the UI by VMware, to which we also recently added more resources for an upgrade in the Geneva release next month.

We expect, encourage and support more direct substantial contributions coming later.


This quarter, we had the annual Chinese Spring Festival break, and the recent coronavirus outbreak also made a sudden and strong impact. While mostly working from home for better safety, members of the China Project are still trying to make progress in promoting EdgeX Foundry. For example:

  • Intel, Dell and VMware are leading EdgeX Foundry Hackathon plan in China, adapting the schedule accordingly.
  • Thundersoft is planning to co-organize an AI & IoT Innovation Contest with other hosts, and hold a webinar on EdgeX for developers.
  • Wayclouds is collaborating with Opple on smart lighting using the EdgeX platform, targeting mid-April.

Following a common approach, we set up an official WeChat ID “EdgeXFoundryCN” (“EdgeXFoundry社区” in Chinese), which will help us promote EdgeX Foundry as an independent communication channel. After just 10 days and three posts, the followers of this ID increased to around 150. We will leverage this WeChat ID as well as all existing EdgeX Foundry WeChat groups, the Linux Foundation WeChat group, and other WeChat IDs operated by community members.

We understand that this is an extraordinary time, and we are adjusting to the rapidly evolving situation. In the meantime, we are also doing our best to remain focused on supporting the community and delivering on our commitments. Let’s work together and make it happen!

For more information, stay tuned to the EdgeX Foundry China Project Wiki:

How Open Source is Driving 5G, Edge, AI and IoT

By Blog, Training, Trend

The 5G transition is well underway, with the technology rolled out on every continent, and adoption growing daily. This is leading to advances in other technologies – most especially edge computing, artificial intelligence and the Internet of Things. Many don’t realize that open source software is at the heart of the 5G revolution, making it possible in the first place and helping to speed implementation thanks to shared R&D efforts and greater interoperability than prior wireless standards. 

Considering the accelerating rate of change in the networking and telecommunications industry, it can be difficult to stay up to speed on these and the other latest technologies. Managers and their technical partners will be the ones to build the next great innovations based on the capabilities of 5G – but in order to do so, they require a fundamental understanding of the market pressures and a basic understanding of the technologies driving this shift – technologies like edge computing, IoT and AI.

That’s why The Linux Foundation offers two online training courses exploring these topics free of charge. Business Considerations for 5G, IoT, and AI is designed to help you discern between the hype and real opportunities of 5G technologies. Open Source and the 5G Transition explains the open source infrastructure powering the future and how to leverage it for business benefit. 

These courses are only two hours long, and no technical expertise is required. They are designed for anyone from business professionals to engineers who want to improve their understanding of these technologies and the changes they bring. Register for free today and increase your knowledge!

Linux Foundation Executive to Give Keynote Webinar on Momentum, Direction of Open Source Networking & Edge

By Announcement, Event, LF Edge

SAN FRANCISCO, April 15, 2020 — The  Linux Foundation, the nonprofit organization enabling mass innovation through open source, will host a keynote webinar — “The State of Open Source Networking & Edge” — featuring Arpit Joshipura, general manager, Networking, Edge, & IOT. The webinar takes place April 30 at 9:00 AM PT and is open to anyone interested in attending.

Hosted by LF Networking (LFN) and LF Edge, the webinar serves as a virtual update on the current state of the open networking and edge landscapes. Due to the COVID-19 outbreak, the Open Networking & Edge Summit (ONES) North America, which was initially scheduled to take place in Los Angeles, Calif. later this month, has been rescheduled to September 28-29. However, the important work of the ecosystem continues and it’s time for an update on that progress.

“We are all learning to adapt and be more nimble than ever before,” said Arpit Joshipura, general manager, Networking, Edge & IoT, the Linux Foundation. “While we aren’t able to meet face to face with our communities physically, we continue to accelerate community collaboration and momentum while evolving critical industry initiatives that impact how the world accesses information. Please join us April 30 to hear how open networking and edge communities are moving the needle.”

The webinar will not only cover critical industry initiatives such as the Common NFVI Telco Taskforce (CNTT), OPNFV Verification Program (OVP), new project inductions and releases, but Joshipura will present compelling evidence on how community collaboration is accelerating the path forward. This will include an update on deployments, business value-add, R&D, developer engagement, and challenges the community is addressing in 2020. The webinar also presents an opportunity to hear these major LF Networking and LF Edge announcements first-hand. Attendees are encouraged to engage and participate in an open Q&A session following the presentation.

The webinar serves as the first in a series of LF Networking Webinars to bring the community up to speed on open source networking news, initiatives, and innovations and provide a new opportunity for community engagement. LF Edge’s webinar series, “On the Edge with LF Edge,” kicked off last month with an update on the Akraino project. The next LF Edge webinar, “EdgeX101: Intro, Roadmap, and Use Cases,” takes place April 23.

Registration is required to attend the webinar, which takes place April 30 at 9:00 am PT. Details and registration information available here:

Additionally, the important work of the LFN technical communities continues unabated as the LFN Technical Meetings Spring 2020 (initially co-located with ONES North America) are being held virtually from April 21-23. Details and registration:

Details on ONES, including registration and final agenda, are available here:


About the Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page:

Linux is a registered trademark of Linus Torvalds.

State of the Edge is Now Part of LF Edge

By Blog, Open Glossary of Edge Computing, State of the Edge

Written by Matthew Trifiro, CMO of Vapor IO and co-chair of State of the Edge

Last week, we were thrilled to announce State of the Edge has become an official project of The Linux Foundation’s LF Edge. You can read the press release here.

In 2017, just as edge computing was entering the zeitgeist, a few like-minded companies came together to create State of the Edge. The goal was to bring clarity and a common understanding to the emerging market of edge computing. Back then, there was no LF Edge and edge computing felt like the early days of cloud or the early days of containers. A few pioneers could be found laying the technological foundations, but the practitioners did not share a common vocabulary and a lot of confusion and misunderstanding ensued.

We started with a vision of funding vendor-neutral research. Since launching, we’ve built an incredible community and published three major edge research reports, all of which are offered free of charge under a Creative Commons license. They are:

  • 2018 State of the Edge — the first inaugural report, which many people have called the “edge 101,” laid out a lot of foundational concepts. It has largely stood the test of time and is required reading at some companies during employee onboarding.
  • 2019 Data at the Edge — an experimental, shorter-form, topic-specific report that we built from research funded by Seagate. We will probably do more of these in the future.
  • 2020 State of the Edge — the second inaugural report, which we published in December 2019, was our most ambitious yet. We hired Phil Marshall of Tolaga Research to build a financial forecasting model to predict the expected demand for edge infrastructure.

In 2019, we began collaborating with The Linux Foundation, initially around the Open Glossary of Edge Computing and the Edge Computing Landscape. When LF Edge launched in January 2019, The Open Glossary became one of the five founding projects (including Akraino, EdgeX Foundry, Home Edge and Project EVE). The relationship became so beneficial to both parties, that by the end of last year it was clear that State of the Edge could find a long term home at The Linux Foundation. With LF Edge’s open governance model, we will continue to advance the State of the Edge as an open source project that maintains the organization’s original mission, further accelerating the adoption of edge computing technologies.

As of today, State of the Edge will officially merge with the Open Glossary of Edge Computing and the combined project will assume the State of the Edge name as a Stage 2 project (growth) at LF Edge. All State of the Edge projects will continue to be produced and funded collaboratively, with an explicit goal of producing original research without vendor bias and involving a diverse set of stakeholders.

The program will continue alongside a community that cares deeply about edge computing and the innovations that will be required to bring its promise to fruition.

State of the Edge will remain an active website but we’ll also be blogging and adding content on to the State of the Edge LF Edge website. Follow @LF_Edge for more news.

We’re looking forward to the next phase of growth for State of the Edge!

A special thanks is due to the original creators, contributors and funders of the State of the Edge project (alpha order).

EdgeX Foundry on ELIOT Blueprint

By Akraino, Blog, EdgeX Foundry, LF Edge

Written by Ramya Ranganathan, IOTG Validation Architect at Intel and EdgeX Foundry TSC member and EdgeX Test/QA WG Contributor



In the recent past, EdgeX has experienced challenges in running regression tests on different platforms. Some of the difficulty has been attributed to not running the EdgeX platform tests on a pre-validated OS/SW configuration.


By running on a pre-validated base platform, the hope was to eliminate the platform variabilities and limit the debug scope to EdgeX SW. This in turn would lead to a quicker debug, throughput and finally quicker time to market.

Why LF Edge Akraino Blue Print

Since LF Edge has been spearheading the Akraino Blue print effort to provide a holistic design of EdgeX suitable platforms with respect to scalability, availability, security using a finite set of configurations, and ease of use by Zero-touch provisioning, a proposal was put forth by the EdgeX QA/Test work group to use a light weight Akraino blue print as a “pre-validated base platform” for EdgeX engineering activities. The motivation was that the team could leverage the results from Akraino’s blue print validation framework and use it as a stable base platform for EdgeX engineering activities. While the motivation was from within the EdgeX community, this also served as a testimony to LF Edge’s Akraino initiative and to the importance of the LF Edge umbrella project in providing holistic solutions to the EdgeX and larger LF Edge communities.

Engineering Activity & Results

Akraino offers several Blue prints, so the first task was to identify the right blueprint for EdgeX needs. ELIOT blue print has been chosen by the EdgeX QA/Test WG for this initial feasibility study as it seems to have a light weight foot print as the name suggests and also it is supported on both ARM and x86 architectures. EdgeX QA/Test WG members got LF Edge accounts and access to the Thunder Pod2 ARM based system and were able to get the EdgeX tests up and running on ELIOT Blue print with minimal effort (which goes in line with the key principle behind Akraino’s blue print goal).

Learn more about the Akraino ELIOT Blueprint: AkrainoELIOTBluePrint.pdf


This activity is an example of the early engagements between EdgeX and other LF Edge projects – one of mutual value to the engineers in both communities and demonstrating the value of a larger edge computing umbrella project.

For more information about Akraino Blueprints, click here: To learn more about EdgeX Foundry, click here: Or, join the conversation on the EdgeX Foundry Slack Channel.

Linux Foundation, LF Networking, and LF Edge Announce Rescheduled Dates and Full Agenda for Open Networking & Edge Summit North America 2020

By Announcement

Industry’s Premier Open Networking & Edge Conference will feature business, technical and architectural sessions on Edge Computing, Cloud Native Networking, Enterprise IT, and Carrier and Cloud Developer Operations

SAN FRANCISCO, April 9, 2020 — The Linux Foundation, the nonprofit organization enabling mass innovation through open source, along with co-hosts LF Networking, the umbrella organization fostering collaboration and innovation across the entire open networking stack, and LF Edge, the umbrella organization building an open source framework for the edge, announced today the rescheduled event dates for Open Networking & Edge Summit North America (ONES, formerly Open Networking Summit) and the complete session line-up.

ONES North America 2020 will take place September 28-30 at the JW Marriott LA Live in Los Angeles, California. The summit line-up features prominent speakers from AT&T, eBay, Ericsson, Huawei Technologies, Rancher Labs, Red Hat, Toyota Motor Corporation, Verizon, VMware, Wells Fargo, Yelp, and more. The full event agenda is available here.

ONES is the industry’s premier open networking event now expanded to comprehensively cover Edge Computing, Edge Cloud, and IoT. It gathers technologists and executives from enterprises, telecoms and cloud providers for technical, architecture and business discussions that will shape the future of networking and edge computing. ONES enables collaborative development and innovation with a deep focus on both Open Networking and AI/ML-enabled use cases for 5G, IoT, Edge and Enterprise deployment, as well as targeted discussions on Edge and IoT frameworks and blueprints across numerous industries including Manufacturing, Retail, Oil and Gas, Transportation, and Telco Edge cloud.

“We have an impressive roster of experts lined up to present at Open Networking & Edge Summit North America,” said Arpit Joshipura, General Manager, Networking, Edge & IoT, The Linux Foundation. “With expanded content focused on open source Edge, this year’s event is the place to be for the latest in open innovation and knowledge-sharing across adjacent technologies such as 5G, cloud native, AI/ML, IoT, and more.”

ONES North America 2020 conference session tracks include: Carriers – Core, Edge & Access, Enterprise Networking & Edge, Cloud Networking & Edge, and Business Critical & Innovation.

Content is delivered in a variety of presentation formats including deep-dive technical tracks, panel discussions, tutorials, and case studies.

Featured Keynote Speakers Include:

  • Andre Fuetsch, Executive Vice President & Chief Technology Officer, AT&T Services, Inc.
  • Dan Kohn, Executive Director, Cloud Native Computing Foundation
  • Alex Choi, Senior Vice President of Strategy and Technology Innovation, Deutsche Telekom AG
  • Farah Papaioannou, Co-Founder and President, Edgeworx, Inc.
  • Anders Rosengren, Head of Architecture & Technology, Ericsson
  • Justin Dustzadeh, Chief Technology Officer, Equinix
  • Aparna Sinha, Director of Product Management, Google Cloud
  • Bill Ren, Chief Open Source Liaison Officer, ICT Infrastructure Open Source GM, Huawei
  • Marisa S. Viveros, Vice President of Strategy and Offerings, IBM
  • Arpit Joshipura, General Manager, Networking, Edge & IoT, The Linux Foundation
  • Heather Kirksey, Vice President, Community and Ecosystem Development, The Linux Foundation

Featured Conference Sessions Include:

  • 5G Slicing is a Piece of Cake! – Alla Goldner, Director, Technology, Strategy & Standardization, Amdocs
  • Injecting Security to the Cloud – Susan Hinrichs, Software Engineer, Verizon Media
  • Architectural Patterns & Best-practices to Avoid Lock-ins with Serverless – Murali Kaundinya, Group CTO and Managing Director, Wells Fargo
  • Securing a Network Virtualized with Containers and Kubernetes: Example Solutions and Current Gaps – Samuli Kuusela, Security Architect, Ericsson & Amy Zwarico, Lead Member of Technical Staff, AT&T
  • Multi-Cluster Federation: Should Networking Impact The Solution? – Anil Kumar Vishnoi, Principal Software Engineer & Thomas D. Nadeau, Technical Director of NFV, Red Hat

Conference Registration is $950 through July 19, 2020 with additional registration options available including $300 Hall Passes, $575 Academic Passes, and $300 Student Passes. Non-profit and group discounts are available as well; see details on the event registration page. Members of The Linux Foundation, LFN and LF Edge receive a 20 percent discount on all registration fees; contact to request a member discount code. Applications for diversity and needs-based scholarships are currently being accepted; for information on eligibility and how to apply, please click here. We are continuously monitoring the COVID-19/Novel Coronavirus situation and are committed to converting ONES North America 2020 into a virtual experience should it not be safe to bring attendees together in person. Please continue to visit our website and follow us on Twitter and Facebook for updates.

Open Networking & Edge Summit North America 2020 is made possible thanks to our sponsors, including Platinum Sponsors Cloud Native Computing Foundation, Ericsson, and Huawei, Gold Sponsor IBM, and Silver Sponsor Red Hat. For information on becoming an event sponsor, click here.

Members of the press who would like to request a press pass to attend should contact Jill Lovato at

The Linux Foundation Events are where the world’s leading technologists meet, collaborate, learn and network in order to advance innovations that support the world’s largest shared technologies.
Securing the IoT Edge (Part 2)

By Blog, Project EVE

Written by Jason Shepherd, LF Edge member, VP of Ecosystem for Zededa and active leader in Project EVE

This post originally ran on the Zededa Medium blog. Click here for more articles like this one. 

The computing landscape has long observed a swing between centralized and distributed architectures, from the mainframe to client-server to the cloud. The next generation of computing is now upon us, representing both a return to the familiar distributed model and a breakthrough in rethinking how we handle data. Many of the security lessons we’ve learned from past paradigms are applicable, yet the edge also brings unique challenges. In part 1 of this blog series, we covered some of the characteristics that make security different at the edge compared to the cloud. In this blog, we’ll be going over ten baseline recommendations for securing IoT edge deployments.

Coined by former Forrester analyst John Kindervag, the “zero trust” mindset is rooted in the assumption that the network is hostile. This means that every individual or device — inside or outside of the network perimeter — trying to access the network must be authenticated and all downloaded updates verified, because nothing can be trusted.

Key principles of zero trust security

At the foundation of your security approach should be a trust anchor in your edge devices based on a root of trust at the silicon level (e.g., Trusted Platform Module, or TPM). Due to fragmentation in edge hardware, as much support as possible for this trust anchor should be abstracted into the software layer and exposed to your applications through APIs. This trust anchor should be the foundation for key functions such as device identification and authentication, secure and measured boot, encryption, application updates, and so forth.

The massive distributed denial of service (DDoS) attack that leveraged the Mirai botnet and took down a portion of the internet in 2016 involved millions of cameras that shared a very small number of common credentials. Back during the setup of these devices, their credentials either could not be changed or were not changed because it was easier to use the factory default. What can we take away from this incident? Rather than relying on field technicians or end users to change and manage countless edge device passwords, leverage solutions that automatically create and store credentials in the trust anchor based on a unique device ID during a zero-touch provisioning process. Field technicians should then only be able to access the device through a central controller. Additionally, establish the ability to set policies in your network that allow you to remotely disable any unused physical ports on edge devices in order to prevent unauthorized installation of software.

Leveraging the key provided by your trust anchor, encrypt data both at rest on your edge devices and in motion across the network. Deploy compute immediately upstream of resource-constrained edge devices and legacy systems to encrypt data when they aren’t capable of doing it themselves.

With a growing number of devices at the periphery of your network, it’s more important than ever that you have full visibility into user activity, device location and status, and the routes your data is traveling between devices and your on-prem and cloud systems. Be sure to regularly review role-based access to make sure only the users who need access have it, and that this access is based on real-time context as part of your zero-trust strategy.

Network flow log in ZEDEDA’s controller

The U.S. Department of Homeland Security estimates that as many as 85 percent of targeted attacks are preventable because they exploit unpatched software. These updates need to be signed by a trusted authority and verified by the private keys stored in your edge devices. Given the implications of downtime in an operational technology (OT) environment, it’s important to enable the scheduling of vulnerability updates during maintenance windows. Also key is to have rollback capabilities in the event of failed updates, so that devices aren’t bricked in the field, which can take down a mission-critical process or result in an expensive trip to a remote location. Software should have extended support, offering the ability to patch applications and underlying runtime for 5 to 7 (or more) years.
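One way to gate an update on the three controls this paragraph names (signature verification, a maintenance window, and rollback), as an added Go example that is not Project EVE or ZEDEDA code. It assumes Ed25519 signatures checked against a vendor public key held in the device's trust anchor; the `Slots` A/B model, the window hours and the health-check callback are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Slots models A/B partitions: Active is running, Previous is the rollback target.
type Slots struct{ Active, Previous string }

var (
	ErrBadSignature  = errors.New("signature does not verify against trust anchor")
	ErrOutsideWindow = errors.New("outside maintenance window, update deferred")
	ErrRolledBack    = errors.New("health check failed, previous slot restored")
)

// inWindow reports whether now is in [start, end) hours UTC; start > end wraps midnight.
func inWindow(now time.Time, start, end int) bool {
	h := now.UTC().Hour()
	if start <= end {
		return h >= start && h < end
	}
	return h >= start || h < end
}

// ApplyUpdate verifies against the vendor public key (assumed Ed25519), honours the window, reverts if unhealthy.
func ApplyUpdate(s *Slots, anchor ed25519.PublicKey, image, sig []byte, version string,
	now time.Time, start, end int, healthy func() bool) error {
	if !ed25519.Verify(anchor, image, sig) {
		return ErrBadSignature // unverified bytes are never staged
	}
	if !inWindow(now, start, end) {
		return ErrOutsideWindow
	}
	old := *s
	if s.Previous, s.Active = s.Active, version; !healthy() {
		*s = old // roll back instead of leaving the device bricked
		return ErrRolledBack
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key; nil selects crypto/rand
	image, s := []byte("constructed image v2"), &Slots{Active: "v1"}
	err := ApplyUpdate(s, pub, image, ed25519.Sign(priv, image), "v2", time.Now(), 0, 24, func() bool { return true })
	fmt.Println(s.Active, err)
}
```

The order of checks matters: the signature is verified before anything else, so a tampered image is rejected even inside the maintenance window.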

Consider solutions that leverage machine learning to assess the steady state of your deployments and alert for anomalies, whether it be unusual network activity, signs of malware, or other indicators. For example, had active threat analytics been applied at the edge in the 2016 Mirai attack, the unusual network traffic could have been addressed at the source rather than snowballing into a much bigger problem. Consult with experts that understand the unique needs of OT-specific protocols — this includes defining what normal behaviors are and how to gracefully shut down processes in the case of any detected attack.
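The steady-state idea above, reduced to a sketch: an added Go example (not code from ZEDEDA or Project EVE) that uses a simple per-device statistical baseline in place of the machine-learning model the text mentions. The metric (distinct destinations contacted per interval), the device names, the threshold `k` and the sample data are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Baseline is one device's learned steady state: mean and std of distinct destinations per interval.
type Baseline struct{ Mean, Std float64 }

// Learn builds a baseline from history; ok is false when there is too little data to judge.
func Learn(history []int, minSamples int) (b Baseline, ok bool) {
	if len(history) == 0 || len(history) < minSamples {
		return b, false
	}
	var sum, sq float64
	for _, v := range history {
		sum += float64(v)
		sq += float64(v) * float64(v)
	}
	n := float64(len(history))
	b.Mean = sum / n
	b.Std = math.Sqrt(math.Max(sq/n-b.Mean*b.Mean, 1)) // floor of 1 keeps flat baselines from alerting on noise
	return b, true
}

// Anomalous returns devices whose current fan-out exceeds mean + k*std, sorted for stable output.
func Anomalous(history map[string][]int, current map[string]int, k float64, minSamples int) []string {
	var out []string
	for dev, cur := range current {
		b, ok := Learn(history[dev], minSamples)
		if !ok { // unknown device: surface it for review instead of trusting it silently
			out = append(out, dev+" (no baseline)")
			continue
		}
		if float64(cur) > b.Mean+k*b.Std {
			out = append(out, dev)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample: distinct destinations per 5-minute interval (hypothetical device names).
	history := map[string][]int{"cam-01": {2, 3, 2, 2, 3, 2}, "plc-07": {1, 1, 1, 1, 1, 1}, "gw-02": {40, 55, 48, 60, 52, 45}}
	current := map[string]int{"cam-01": 410, "plc-07": 2, "gw-02": 63, "cam-99": 5}
	fmt.Println(Anomalous(history, current, 3, 5))
}
```

The camera that suddenly contacts hundreds of destinations is flagged at the source, while the busy gateway stays within its own baseline; the device with no history is reported separately so it is not silently trusted.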

It takes a village to develop and deploy IoT and edge computing solutions, with multiple different parties coming together spanning the necessary technologies and domain expertise. It’s key to invest in tools for securing and managing your infrastructure that are consistent regardless of the applications and domain expertise applied on top. Leveraging purpose-built, open edge orchestration frameworks that support cloud-native development and have clearly-defined APIs provides a transparent mechanism for getting all stakeholders on the same page, regardless of the combination of ingredients used in a given deployment.

It’s important to strike a balance between locking a solution down and making it usable across the various stakeholders involved. Many of the breaches we hear of in the consumer space happen because developers prioritized instant gratification and usability over security. This is where capabilities such as zero-touch provisioning are key, eliminating the need for expertise and awareness to securely onboard devices.

Security is about defense in depth, applying the right tools in layers based on security posture and risk. This includes utilizing segmentation when possible — while a zero-trust mindset eliminates a perimeter-based focus, micro-segmentation is still important to isolate critical networks and devices, especially legacy systems. Further augment your zero trust model with distributed firewall software to govern access across nodes on internal networks.

Not all edges are created equally; for organizations looking to implement edge computing, it’s important to first understand the unique challenges of securing and managing computing located outside of the confines of a traditional data center. However, adopting a distributed model for compute efficiency doesn’t need to bring tradeoffs in security. Being aware of the considerations that exist at the edge will help organizations be better equipped to protect field deployments and reap the benefits of edge computing. At ZEDEDA, we build off of a foundation that considers all the points above to enable enterprises to securely orchestrate IoT edge deployments with their preferred devices, applications and clouds.

Zededa is an LF Edge member and active leader in Project EVE. For more details about LF Edge members, visit here. For more details about Project EVE, visit the project page.

Securing the IoT Edge (Part 1)

By Blog, Project EVE

Written by Jason Shepherd, LF Edge member, VP of Ecosystem for Zededa and active leader in Project EVE

This post originally ran on the Zededa Medium blog.

IoT adoption by the enterprise is on the rise. Yet despite interest in the space accelerating, organizations of varying sizes and verticals have run into several roadblocks in implementation. Previously, we discussed why IoT needs edge computing to realize its full potential. In this two-part blog series, we will review the unique security implications of a distributed edge and how organizations can secure the edge.

Over time, software-defined edge computing is only expected to become more sophisticated and we will begin processing more and more critical information in distributed locations. Many edge computing systems host their own web servers for remote maintenance and logins, making them a prime target as attack surfaces, especially for bad actors who could input or extract data and disrupt an entire ecosystem from a single unsecured system. Users need solutions to deliver new applications to the edge that drive efficient business outcomes while also maintaining an appropriate security posture.

Not all edge locations are created equally when it comes to security. Practices for securing deployments at the cloud edge and within secured telecommunications infrastructure (e.g., cell tower facilities), modular data centers, etc., tend to be quite similar to traditional data centers. Meanwhile, as edge deployments get closer to the physical world — in locations such as the factory floor, inside wind turbines, on trucks, or within rooftop HVAC systems, to name a few — unique security challenges are introduced. As we dive into what this entails, let’s take a look at what makes security for the distributed edge unique.

Scale: Part of IoT’s value stems from having numerous devices connected in order to understand the holistic picture of your operations. Over time, we will see device deployments scale to the trillions, which is numerous orders of magnitude larger than the volume of deployments in centralized locations. This translates into an unwieldy number of distributed edge assets that an organization must secure and manage. Solutions oriented towards securing and managing datacenter infrastructure typically aren’t set up for this kind of scale, which is why we can’t simply copy/paste them to solve the problem.

Lack of physical and network perimeters: Another key challenge for securing distributed edges is that there are often no physical (e.g., the four walls of a secure data center) or network perimeters. In operations out in the field, it is very common to rely on a backhaul network and parameters (such as NATs and proxies) that are owned or managed by someone else when it is not practical to create your own network (e.g., cellular backhaul). In general, solutions should not rely on having an owned network or firewall to protect them.

Heterogeneity: The IoT edge is inherently heterogeneous, comprised of a variety of technologies including sensors, communication protocols, hardware types, operating systems, control systems, networks, and so forth. Skill sets spanning IT and OT (e.g., network and security admins, DevOps, production, quality and maintenance engineers, data scientists, etc.) are necessary to realize IoT as a convergence of the physical and digital. Security solutions need to accommodate a wide variety of technologies and skill sets in order to be effective.

Varying priorities: In the IT world, it is typically acceptable to immediately shut down access to the network to isolate an affected system in the event of a security breach. Meanwhile, the impact due to information loss (e.g., credit card data or IP) plays out over a long period of time. In contrast, in the OT world, a security compromise can lead to immediate loss of production and risk to safety, so any issues need to be addressed gracefully. As such, your security solution needs to recognize these different priorities and strike a balance.

Constrained devices: Many IoT sensors and devices are too constrained resource-wise to employ security measures such as encryption. The same goes for legacy systems that were never intended to be connected to broader networks, let alone the internet. In order to protect these devices, we must rely on more capable compute immediately upstream to serve as the first line of defense, providing functions such as root of trust and encryption.

As we seek to reap the benefits of edge computing, we must realize the nuances it requires of our security approach. It can’t be the same as what we’re used to in data centers; instead, we must consider the edge’s characteristics to bolster a distinct approach. In part two of this series, we will share a foundational strategy for securing IoT edge deployments.

Zededa is an LF Edge member and active leader in Project EVE. For more details about LF Edge members, visit here. For more details about Project EVE, visit the project page.

Using On-Demand Talent for EdgeX Foundry IoT Exploration

By Blog, EdgeX Foundry

Written by Clinton Bonner, VP of Marketing for Topcoder

Industrial IoT is coming into its own. A decade ago, the tech world was enamored with all things IoT and as routinely happens in tech, the narrative gets a bit ahead of the uptake and enterprise use cases. What typically happens is that while some of the buzz or dare I say, the promise of a new technology, dampens a bit after the initial boom, the hard work of democratizing the technology and the establishment of important enterprise use cases marches on.

Often behind the scenes and without a Cybertruck-esque introduction, an enabling catalyst of a new tech philosophy is introduced, gains favor, and builds a steady stable of developers and enterprises who use it. For the Industrial IoT, LF Edge’s EdgeX Foundry is this catalyst and the momentum is genuine.

Earlier this month, LF Edge and EdgeX Foundry collaborated with Dell, Intel, HP, IOTech and Wipro to create a challenge to gauge the interest of the growth of Industrial IoT adoption. Partnering with the Topcoder community, the challenge offers a chance for developers to create a unique use case to submit in a 3-phase approach:


Communities like Topcoder are a fantastic way to cast a wide net and bring in scores of interesting and unique concepts and approaches to using technology such as the EdgeX platform.


The five top ideas will be selected from the ideation phase and move into rapid design on Topcoder. In this phase, the focus will shift to creating and designing intuitive and useful UX/UI concepts that showcase how the idea would work within the technical framework that EdgeX Foundry provides.


The top design concept from phase II will move on to prototyping, resulting in a functioning proof of concept with code-ready design.

This multi-phase approach is a fantastic use of on-demand talent to first explore ideas and then hone in on winning concepts to bring them further down the production life-cycle. It will be fast, focused, and provide an incredible example of how to use on-demand talent to accelerate successful innovation.

The pairing of the open EdgeX Foundry framework with the on-demand talent we provide access to at Topcoder is a smart accelerant and a combination we are excited to see in action!

To register for the challenge, visit the website: