Project EVE

Securing the IoT Edge (Part 2)

By Blog, Project EVE

Written by Jason Shepherd, LF Edge member, VP of Ecosystem for Zededa and active leader in Project EVE

This post originally ran on the Zededa Medium blog.

The computing landscape has long observed a swing between centralized and distributed architectures, from the mainframe to client-server to the cloud. The next generation of computing is now upon us, representing both a return to the familiar distributed model and a breakthrough in rethinking how we handle data. Many of the security lessons we’ve learned from past paradigms are applicable, yet the edge also brings unique challenges. In part 1 of this blog series, we covered some of the characteristics that make security different at the edge compared to the cloud. In this blog, we’ll be going over ten baseline recommendations for securing IoT edge deployments.

Coined by former Forrester analyst John Kindervag, the “zero trust” mindset is rooted in the assumption that the network is hostile. This means that every individual or device — inside or outside of the network perimeter — trying to access the network must be authenticated and all downloaded updates verified, because nothing can be trusted.

Key principles of zero trust security

At the foundation of your security approach should be a trust anchor in your edge devices based on a root of trust at the silicon level (e.g., Trusted Platform Module, or TPM). Due to fragmentation in edge hardware, as much support as possible for this trust anchor should be abstracted into the software layer and exposed to your applications through APIs. This trust anchor should be the foundation for key functions such as device identification and authentication, secure and measured boot, encryption, application updates, and so forth.

The massive distributed denial of service (DDoS) attack that leveraged the Mirai botnet and took down a portion of the internet in 2016 involved millions of cameras that shared a very small number of common credentials. Back during the setup of these devices, their credentials either could not be changed or were not changed because it was easier to use the factory default. What can we take away from this incident? Rather than relying on field technicians or end users to change and manage countless edge device passwords, leverage solutions that automatically create and store credentials in the trust anchor based on a unique device ID during a zero-touch provisioning process. Field technicians should then only be able to access the device through a central controller. Additionally, establish the ability to set policies in your network that allow you to remotely disable any unused physical ports on edge devices in order to prevent unauthorized installation of software.

Leveraging the key provided by your trust anchor, encrypt data both at rest on your edge devices and in motion across the network. Deploy compute immediately upstream of resource-constrained edge devices and legacy systems to encrypt data when they aren’t capable of doing it themselves.

With a growing number of devices at the periphery of your network, it’s more important than ever that you have full visibility into user activity, device location and status, and the routes your data is traveling between devices and your on-prem and cloud systems. Be sure to regularly review role-based access to make sure only the users who need access have it, and that this access is based on real-time context as part of your zero-trust strategy.

Network flow log in ZEDEDA’s controller

The U.S. Department of Homeland Security estimates that as many as 85 percent of targeted attacks exploit unpatched software and are therefore preventable. Updates need to be signed by a trusted authority and verified on the device against keys stored in its trust anchor before they are applied. Given the implications of downtime in an operational technology (OT) environment, it’s important to enable the scheduling of vulnerability updates during maintenance windows. Also key is to have rollback capabilities in the event of failed updates, so that devices aren’t bricked in the field, which can take down a mission-critical process or result in an expensive trip to a remote location. Software should have extended support, offering the ability to patch applications and underlying runtime for 5 to 7 (or more) years.
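The update discipline described above (verify the signature against a key pinned on the device, refuse downgrades, defer outside the maintenance window, roll back automatically when the new image fails its health check) as an added Go example; this is not Project EVE’s or ZEDEDA’s code, and the Ed25519 key pair, the version/payload digest format and the health-check callback are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// UpdateImage is a constructed stand-in for a signed firmware or application bundle.
// The authority signs a digest that binds version and payload, so a valid signature
// cannot be moved onto a different payload or replayed under another version.
type UpdateImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// digest is computed identically by signer and verifier (assumed format).
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate runs off-device, in the trusted authority's build pipeline (hypothetical).
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdateImage {
	return UpdateImage{Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, digest(version, payload))}
}

// Device models the edge node's update state. AuthorityKey is the public key pinned at
// provisioning; on real hardware it would be protected by the TPM-backed trust anchor.
type Device struct {
	AuthorityKey ed25519.PublicKey
	Active       UpdateImage  // image currently running
	Previous     *UpdateImage // last known-good image, kept for rollback
	WindowStart  int          // maintenance window in UTC hours: [WindowStart, WindowEnd)
	WindowEnd    int
}

var (
	ErrBadSignature  = errors.New("update rejected: signature does not verify against pinned authority key")
	ErrDowngrade     = errors.New("update rejected: version is not newer than the active image")
	ErrOutsideWindow = errors.New("update deferred: outside maintenance window")
	ErrHealthCheck   = errors.New("update rolled back: post-update health check failed")
)

// InWindow reports whether t falls inside the maintenance window, including windows
// that wrap past midnight (e.g. 22:00 to 04:00).
func (d *Device) InWindow(t time.Time) bool {
	h := t.UTC().Hour()
	if d.WindowStart <= d.WindowEnd {
		return h >= d.WindowStart && h < d.WindowEnd
	}
	return h >= d.WindowStart || h < d.WindowEnd
}

// ApplyUpdate enforces the checks in order: authenticity first, then anti-rollback,
// then scheduling, and finally activation with automatic rollback on a failed health check.
func (d *Device) ApplyUpdate(img UpdateImage, now time.Time, healthy func(UpdateImage) bool) error {
	if !ed25519.Verify(d.AuthorityKey, digest(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= d.Active.Version {
		return ErrDowngrade
	}
	if !d.InWindow(now) {
		return ErrOutsideWindow
	}
	prev := d.Active
	d.Previous = &prev
	d.Active = img
	if !healthy(img) {
		// Restore the known-good image rather than leaving the device bricked in the field.
		d.Active = *d.Previous
		return ErrHealthCheck
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{AuthorityKey: pub, Active: SignUpdate(priv, 1, []byte("app v1")), WindowStart: 2, WindowEnd: 4}
	at := time.Date(2020, 1, 1, 3, 0, 0, 0, time.UTC) // constructed timestamp inside the window
	err := dev.ApplyUpdate(SignUpdate(priv, 2, []byte("app v2")), at, func(UpdateImage) bool { return true })
	fmt.Println("result:", err, "active version:", dev.Active.Version)
}
```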

Consider solutions that leverage machine learning to assess the steady state of your deployments and alert for anomalies, whether it be unusual network activity, signs of malware, or other indicators. For example, had active threat analytics been applied at the edge in the 2016 Mirai attack, the unusual network traffic could have been addressed at the source rather than snowballing into a much bigger problem. Consult with experts that understand the unique needs of OT-specific protocols — this includes defining what normal behaviors are and how to gracefully shut down processes in the case of any detected attack.

It takes a village to develop and deploy IoT and edge computing solutions, with multiple different parties coming together spanning the necessary technologies and domain expertise. It’s key to invest in tools for securing and managing your infrastructure that are consistent regardless of the applications and domain expertise applied on top. Leveraging purpose-built, open edge orchestration frameworks that support cloud-native development and have clearly-defined APIs provides a transparent mechanism for getting all stakeholders on the same page, regardless of the combination of ingredients used in a given deployment.

It’s important to strike a balance between locking a solution down and making it usable across the various stakeholders involved. Many of the breaches we hear of in the consumer space happen because developers prioritized instant gratification and usability over security. This is where capabilities such as zero-touch provisioning are key, eliminating the need for expertise and awareness to securely onboard devices.

Security is about defense in depth, applying the right tools in layers based on security posture and risk. This includes utilizing segmentation when possible — while a zero-trust mindset eliminates a perimeter-based focus, micro-segmentation is still important to isolate critical networks and devices, especially legacy systems. Further augment your zero trust model with distributed firewall software to govern access across nodes on internal networks.

Not all edges are created equally; for organizations looking to implement edge computing, it’s important to first understand the unique challenges of securing and managing computing located outside of the confines of a traditional data center. However, adopting a distributed model for compute efficiency doesn’t need to bring tradeoffs in security. Being aware of the considerations that exist at the edge will help organizations be better equipped to protect field deployments and reap the benefits of edge computing. At ZEDEDA, we build off of a foundation that considers all the points above to enable enterprises to securely orchestrate IoT edge deployments with their preferred devices, applications and clouds.

Zededa is an LF Edge member and active leader in Project EVE. For more details about LF Edge members, see the LF Edge member list; for more details about Project EVE, visit the project page.

Securing the IoT Edge (Part 1)

By Blog, Project EVE

Written by Jason Shepherd, LF Edge member, VP of Ecosystem for Zededa and active leader in Project EVE

This post originally ran on the Zededa Medium blog.

IoT adoption by the enterprise is on the rise. Yet despite interest in the space accelerating, organizations of varying sizes and verticals have run into several roadblocks in implementation. Previously, we discussed why IoT needs edge computing to realize its full potential. In this two-part blog series, we will review the unique security implications of a distributed edge and how organizations can secure the edge.

Over time, software-defined edge computing is only expected to become more sophisticated and we will begin processing more and more critical information in distributed locations. Many edge computing systems host their own web servers for remote maintenance and logins, making them a prime target as attack surfaces, especially for bad actors who could input or extract data and disrupt an entire ecosystem from a single unsecured system. Users need solutions to deliver new applications to the edge that drive efficient business outcomes while also maintaining an appropriate security posture.

Not all edge locations are created equally when it comes to security. Practices for securing deployments at the cloud edge and within secured telecommunications infrastructure (e.g., cell tower facilities), modular data centers, etc., tend to be quite similar to traditional data centers. Meanwhile, as edge deployments get closer to the physical world — in locations such as the factory floor, inside wind turbines, on trucks, or within rooftop HVAC systems, to name a few — unique security challenges are introduced. As we dive into what this entails, let’s take a look at what makes security for the distributed edge unique.

Scale: Part of IoT’s value stems from having numerous devices connected in order to understand the holistic picture of your operations. Over time, we will see device deployments scale to the trillions, which is numerous orders of magnitude larger than the volume of deployments in centralized locations. This translates into an unwieldy number of distributed edge assets that an organization must secure and manage. Solutions oriented towards securing and managing datacenter infrastructure typically aren’t set up for this kind of scale, which is why we can’t simply copy/paste them to solve the problem.

Lack of physical and network perimeters: Another key challenge for securing distributed edges is that there are often no physical (e.g., the four walls of a secure data center) or network perimeters. In operations out in the field, it is very common to rely on a backhaul network and network elements (such as NATs and proxies) that are owned or managed by someone else when it is not practical to create your own network (e.g., cellular backhaul). In general, solutions should not rely on having an owned network or firewall to protect them.

Heterogeneity: The IoT edge is inherently heterogeneous, composed of a variety of technologies including sensors, communication protocols, hardware types, operating systems, control systems, networks, and so forth. Skill sets spanning IT and OT (e.g., network and security admins, DevOps, production, quality and maintenance engineers, data scientists, etc.) are necessary to realize IoT as a convergence of the physical and digital. Security solutions need to accommodate a wide variety of technologies and skill sets in order to be effective.

Varying priorities: In the IT world, it is typically acceptable to immediately shut down access to the network to isolate an affected system in the event of a security breach. Meanwhile, the impact due to information loss (e.g., credit card data or IP) plays out over a long period of time. In contrast, in the OT world, a security compromise can lead to immediate loss of production and risk to safety, so any issues need to be addressed gracefully. As such, your security solution needs to recognize these different priorities and strike a balance.

Constrained devices: Many IoT sensors and devices are too constrained resource-wise to employ security measures such as encryption. The same goes for legacy systems that were never intended to be connected to broader networks, let alone the internet. In order to protect these devices, we must rely on more capable compute immediately upstream to serve as the first line of defense, providing functions such as root of trust and encryption.

As we seek to reap the benefits of edge computing, we must realize the nuances it requires of our security approach. It can’t be the same as what we’re used to in data centers; instead, we must consider the edge’s characteristics to bolster a distinct approach. In part two of this series, we will share a foundational strategy for securing IoT edge deployments.

LF Edge in 2020: Looking back and Revving forward

By Akraino Edge Stack, Baetyl, Blog, EdgeX Foundry, Fledge, Home Edge, Open Glossary of Edge Computing, Project EVE

Written by Melissa Evers-Hood, LF Edge Governing Board Chair 

Dear Community,

Happy New Year! As we kick off 2020, I wanted to send a note of thanks and recognition to each of you for a wonderful 2019, which marked several meaningful accomplishments for this organization.  LF Edge was launched in Jan 2019 with an aim to unify the edge communities across IOT, Telco, Enterprise and Cloud providing aligned open source edge frameworks for Infrastructure and Applications.

Our accomplishments include:

  • EdgeX Foundry has blossomed this year in participation, downloads, and use cases. EdgeX, as folks commonly call it, also graduated to Impact project stage and surpassed 1.5 million container downloads in 2019.
  • Akraino, which also reached Impact stage this year, is preparing for its second release with 5 new blueprints for R2, with updates to 9 of the existing 10 R1 blueprints already released. Most notably, it’s broadening its blueprint profile to include new blueprints for Connected Vehicles and AR/VR, truly becoming a viable framework across edge applications.
  • At the Growth Stage, Open Glossary provides common terminology and ecosystem mapping for the complex Edge environment. In 2019, the Glossary Project shipped 2.0 of the Glossary, which was integrated into the 2020 State of the Edge Report. The Glossary Project began the process of helping to standardize terminology across all LF Edge projects, and also launched the LF Edge Landscape Project: https://landscape.lfedge.org/.
  • Also at the Growth Stage, Project Eve allows cloud-native development practices in IOT and edge applications. EVE’s most recent release, 4.5.1 (which was gifted on December 25, 2019), provides a brand new initramfs based installer, ACRN tech preview, and ARM/HiKey support.
  • The Home Edge project, targeted to enable a home edge computing framework, announced their Baobab release in November. The Home Edge Project has initiated cross-project collaboration with EdgeX Foundry (secure data storage) and Project EVE (containerized OS).
  • We also added 2 additional projects this year.
    • Baetyl which provides an open source edge computing platform.
    • Fledge which is an open source framework and community for the industrial edge focused on critical operations, predictive maintenance, situational awareness and safety. Fledge has recently begun cross-project collaboration with Project EVE and Akraino, with more information available here.
  • Our reach has broadened with 9k articles, almost 50k new users, and 6.7M social media impressions.

I am excited about the work ahead in 2020, especially as we celebrate our one year anniversary this month. We laid the foundation last year – offered a solution to unite the various edge communities – and now, with your support and contributions, we’re ready to move to the next phase.

LF Edge is co-hosting Open Networking & Edge Summit in April and our teams are working hard on several cross-project demos and solutions. We’re planning meetups and other F2F opportunities at the show, so this conference will be a must.

Our focus as a community will be to continue to expand our developers and end users.  We will do this through having agile communities, that collaborate openly, create secure, updateable, production ready code, and work together as one. We also expect that there will be new projects to join and integrate.  As we walk into this bright future, working as a unified body will demonstrate that the fastest path to Edge products is through LF Edge.

I look forward to working with each of you in ‘20 and seeing you in Los Angeles this April at ONES!

Melissa

LF Edge Member Spotlight: ZEDEDA

By Blog, Member Spotlight, Project EVE

The LF Edge community is made up of a diverse set of member companies that represent the IoT, Enterprise, Cloud and Telco Edge. The Member Spotlight blog series highlights these members and how they are contributing to and leveraging open source edge solutions. Today, we sat down with Aaron Williams, Developer Community Lead, and Erik Nordmark, Chief Architect and Co-Founder, at ZEDEDA to discuss the importance of a growing ecosystem, their IoT framework, the impact LF Edge has made and what the future holds for the company.

Can you tell us a little about your organization?

ZEDEDA delivers visibility, control, and security to enterprise IoT and edge deployments through edge virtualization. Ours is the only cloud service for edge management built on the open sourced Edge Virtualization Engine (EVE). By bringing virtualization to the edge, we allow businesses to deploy and manage any application on any hardware and connect to any cloud, breaking down IT silos and simplifying IoT strategies. Customers can easily dropship gateways at distributed sites without needing on-site IT expert personnel, and can launch greenfield and brownfield applications at scale with a single click of a button. 

With ZEDEDA, organizations easily eliminate the complexity of today’s IoT solutions at the edge and gain deeper insights into their operations by more effectively leveraging sensor data, including through AI-powered analysis in the cloud.

Why is your organization adopting an open source approach?

Today at the edge, there is a heterogeneous mix of hardware and applications, which makes it difficult to coordinate an IoT strategy and make the most out of all the available data. As a result, many enterprises can become mired in vendor lock-in. Embracing open standards gives the whole community a common foundation to work from, increasing interoperability, lowering the barriers to entry in this space, and promoting innovation. 

ZEDEDA adopted open source right from the beginning because we saw the value in providing a shared standard for edge virtualization technology. We think of it as being similar to what Android did for mobile phones, in terms of creating a single template for developers to follow that then ensures operability across a variety of hardware. Additionally, by making EVE open to community contributions, we’re committing to building the best possible solution with experts around the world.

Why did you join LF Edge and what sort of impact do you think LF Edge has on the edge, networking, and IoT industries?

The reason why we joined LF Edge is simple: we believe that the fastest route to innovation and success in edge computing is by working together with other companies to create universal standards that we can all build off of. It’s been a great opportunity to come together with like-minded organizations, contribute our expertise, and work collaboratively to build the best ecosystem possible for the future of edge computing. By hosting several key open source projects and making them available to the community, LF Edge is making it simpler for the industry at large to adopt IoT strategies as part of their IT portfolios. We believe that the rising tide will lift all boats, so to speak.

What do you see as the top benefits of being part of the LF Edge community?

There are many benefits of being part of this community. For one thing, it allows us to be at the table with other edge companies (both large and small) so that we can help shape the future of the edge in a way that benefits everyone. It also provides a learning opportunity when we all come together to better understand the different parts of the edge stack. Additionally, building our solution on top of code (EVE) that is open sourced through the Linux Foundation helps give our customers confidence that we’re working to the highest technical standards. Truly, we feel that we receive much more than we give as active participants in LF Edge.

What business/industry problems are you collaboratively working to solve?

Current solutions for edge deployments often leave several challenges unaddressed, and these are all problems that we help to solve with EVE and the ZEDEDA controller. For instance, typical edge management software has little-to-no interoperability, meaning that customers are locked into using a limited number of compatible apps, hardware, or clouds. By contrast, one of the main benefits of building our solution on top of the open-sourced EVE is that it gives all vendors a common foundation to work from: as long as their apps and APIs are compatible with EVE, they can run on any EVE-approved hardware. In the same vein, modern hardware and firmware aren’t generally suited to run legacy applications; however, many businesses still rely on legacy apps as a key part of their technology stack. By making use of virtual machines (VMs), edge virtualization allows legacy and modern apps to co-exist seamlessly on the same device. Security is also a critical part of edge deployments, with traditional solutions leaving businesses exposed to many vulnerabilities. By managing their edge deployments with EVE and the ZEDEDA controller, companies can mitigate many of these vulnerabilities: EVE ensures that the device and the data traveling to and from it are secure by leveraging the hardware root of trust, and the controller makes it easy to keep firmware and applications up-to-date with the latest software patches rolled out with a single push of a button.

What sort of contributions has your team made to the community, ecosystem through LF Edge participation?

ZEDEDA has been a major contributor to the Project EVE code base. In addition, we have worked hard to encourage our hardware and software partners to contribute their expertise to build out the hardware devices that EVE runs on.

How will LF Edge help your business?

Building on top of LF Edge’s Project EVE allows us to concentrate on what separates us from our competitors, secure in the knowledge that the foundation of our technology is solid. It also gives our customers confidence in our solution because it is built on code that meets the Linux Foundation’s high standard of technical excellence.

Can you give us an example of your LF Edge project in production and what problem it is solving?

A good example of EVE in production can be found on wind turbine farms. The operators of these farms face many challenges, including that the farms are remote, complex, expensive to maintain, and very large. There is limited IT staff on site, and a truck roll to do unscheduled maintenance can cost over $100,000. At the same time, downtime can cost $1,000 to $2,000 per day, which means that it is very important to the operators to have as much uptime as possible, but avoid unplanned maintenance.

EVE works in conjunction with the ZEDEDA cloud-based controller to allow the operators to overcome these challenges. With EVE shipped on the device, the operator can take advantage of zero-touch provisioning and having a single pane through which to manage all devices. Since EVE is open sourced and works across a variety of hardware devices, the operator has the freedom of updating the hardware for new installs without making the previous installs obsolete. And with the 100% visibility and remote control of the devices, they are able to update their applications on the edge from anywhere at any time.

Project EVE Wind Turbine Demo Video by ZEDEDA

What advice would you give to someone considering joining LF Edge?

To borrow from Nike, “just do it.” Being a member of LF Edge allows you to be part of the conversation that is shaping the IoT revolution. The Edge is too big and too complex of an industry for any one company to dominate, so the only way to create common standards and functionality is by working together. If you are not part of the LF Edge, you will be continually following the cutting “edge” of Edge development!

Edge Computing at IoT Solutions World Congress 2019

By Blog, EdgeX Foundry, Home Edge, Project EVE

Every year one of the world’s largest Internet of Things trade shows, IoT Solutions World Congress, is held in Barcelona, Spain. It brings together device manufacturers, service providers, AI & ML companies and solutions integrators from around the world to share information about their products and the state of IoT ecosystems. Filling multiple convention halls at the Fira Barcelona center, and featuring the biggest names in IoT and technology, you can spend days walking the expo hall and talking to vendors.

Crowd at the LF Edge Booth

This wasn’t the first time the EdgeX Foundry has had a booth at IOTSWC, but this year they were joined by other LF Edge projects, specifically Home Edge and Project EVE, to present solutions across the edge landscape. Our booth was staffed by project contributors from all over the world, from the US and Europe to India and Taiwan, and featured real world examples of the open source technology that is being developed under the LF Edge umbrella.  Not only did our members get a chance to learn about each other’s projects during this time, they were able to explain those other projects to the visitors to our booth. It was truly a community coming together to support and promote the LF Edge as a whole.

EdgeX Smart Building Demo

EVE deployments on a wind turbine

We spoke with thousands of people over the 3 days of the conference, and gave countless demonstrations. One notable change in conversations from a year ago is that most attendees we spoke to this year already knew and understood the importance of edge computing, and were looking for specific solutions to the problems that they are now facing. And while many vendors at the show offered some of these solutions, only the LF Edge projects offered open, vendor-agnostic platforms that prevent lock-in and promote an ecosystem of 3rd party development around a commonly developed core.

Selfie of the LF Edge booth staff

If you missed us at IOTSWC, you can join our projects online where we have a public Slack, mailing lists and host our meetings in the open. You can also look for us at events in 2020!

The New Stack: How the Linux Foundation’s EVE Can Replace Windows, Linux for Edge Computing

By In the News, Project EVE

Whether or not Edge computing serves as the backbone of mission-critical business worldwide depends on the success of the underlying network.

Recognizing the Edge’s potential and the urgency of supporting edge networks, The Linux Foundation earlier this year created LF Edge, an umbrella organization dedicated to creating an open, agnostic and interoperable framework for edge computing. Similar to what the Cloud Native Computing Foundation (CNCF) has done for cloud development, LF Edge aims to enhance cooperation among key players so that the industry as a whole can advance more quickly.

By 2021, Gartner forecasts that there will be approximately 25 billion IoT devices in use around the world. Each of those devices, in turn, has the capacity to produce immense volumes of valuable data. Much of this data could be used to improve business-critical operations — but only if we’re able to analyze it in a timely and efficient manner. As mentioned above, it’s this combination of factors that has led to the rise of edge computing as one of the most rapidly developing technology spaces today.

This idea of interoperability at the edge is particularly important because the hardware that makes up edge devices is so diverse — much more so than servers in a data center. Yet for edge computing to succeed, we need to be able to run applications right on local gateway devices to analyze and respond to IoT and Industry 4.0 data in near-real time. How do you design applications that are compatible with a huge variety of hardware and capable of running without a reliable cloud connection? This is the challenge that LF Edge is helping to solve.

Part of the solution is Project EVE, an Edge Virtualization Engine donated to LF Edge by ZEDEDA last month. I think of EVE as doing for the edge what Android did for mobile phones and what VMware did for data centers: decoupling software from hardware to make application development and deployment easier.

Read more at The New Stack here.

LinuxGuizmos: LF Edge announces first Akraino release for open edge computing

By Akraino, EdgeX Foundry, In the News, Project EVE

The Linux Foundation’s LF Edge project announced the first release of the Akraino Edge Stack with 10 “blueprints” for different edge computing scenarios. Also: LF Edge recently announced new members and the transfer of seed code from Zededa to Project EVE.

The Akraino Edge Stack project, which earlier this year was folded into the Linux Foundation’s LF Edge umbrella initiative for open source edge computing, announced the availability of Akraino Edge Stack Release 1 (Akraino R1). Last month, LF Edge announced new members and further momentum behind its Project EVE edge technology. More recently Linux Journal’s Doc Searls published a piece on the LF’s 5G efforts and argued for more grass-roots involvement in LF Edge (see farther below).

Read the full article here.

SDxCentral: Edge Magnifies Open Source Challenges, Opportunities

By Akraino, EdgeX Foundry, In the News, Project EVE

There are almost as many open source groups and projects working on edge computing as there are definitions of edge — one such project, in fact, focuses exclusively on defining edge terms. This is partially due to the hype, and consolidation will probably happen as the hype turns into real-life deployments and concrete use cases.

We’re already seeing some signs of open source groups working together to solve edge challenges and take advantage of the opportunity it provides. The Linux Foundation and open standards body ETSI, for example, recently signed a memorandum of understanding to “bring open source and standards closer and foster synergies between them.” As it relates to edge, this means Akraino — which is the Linux Foundation’s open source edge software stack — will incorporate the ETSI Multi-Access Edge Computing (MEC) APIs directly into the stack.

Read the full article here.

SDxCentral: Project EVE Seed Code Drops, Creates Virtualization Standard for Edge Devices

By In the News, Project EVE

The Linux Foundation this week received initial seed code from Zededa for Project EVE (Edge Virtualization Engine), one of its five open source edge projects.

Zededa is a founding member of LF Edge, which the Linux Foundation formed in January as an umbrella organization for its edge projects. At the time, it also announced Project EVE to develop standard edge architecture that accommodates on- and off-premises hardware, network, and application selections. This enables edge gateways and devices to run a variety of edge workloads simultaneously, decoupling application management from the underlying hardware. Applications can be deployed in standard virtual machines (VM) or container environments and be managed through a standard set of APIs.

“The goal is to create a single virtualization standard for edge devices for the industry to build around so that we can enjoy the benefits of cloud-native applications sooner rather than later,” said Said Ouissal, co-founder and CEO of Zededa, in a statement.

Read the full article here.