How It Works
Overview
ZEDEDA provides an edge orchestration and management solution engineered to deliver applications and
workloads to edge devices. The solution is not specific to a particular industry or use case, instead, as foundational
infrastructure ZEDEDA enables these use cases by making them easy to deploy, scalable, and secure. ZEDEDA is deployed
in the distributed edge to empower new use cases on commodity industrial devices (e.g., edge servers, gateways).
As a control plane solution, ZEDEDA does not interact with edge node data at the application plane. Instead, users control data flow and can easily process
and upload to cloud or data center environments. ZEDEDA is built to deliver a Zero Trust security model addressing edge infrastructure’s unique, perimeter-less security challenges.
ZEDEDA Technical Details
ZEDEDA delivers infrastructure software for running edge workloads and applications. Installing the edge virtualization engine on commodity hardware creates a trusted environment with an embedded hypervisor managed via the ZEDEDA Cloud API.
Using the ZEDEDA Marketplace, an administrator defines the desired state of the applications running on the node. This includes selecting application infrastructure (e.g., VMs, containers, Kubernetes, NFVs), application services (e.g., networking, security), and the applications themselves.
ZEDEDA follows an eventual consistency model delivering maximum uptime regardless of connectivity. When connected, edge nodes call the ZEDEDA Cloud for configuration and updates. If there is an update, the edge node pulls down the new configuration and any required immutable artifacts. ZEDEDA is designed for segmented on-prem networks and can pull updates through NATs and firewalls. Each configuration change is deployed and tested in a second partition on the device to ensure stability before switching to primary. This operation is autonomous for each node.
Most modern applications have an application controller for management and configuration. Using ZEDEDA’s northbound APIs, advanced workflows can be created for complete lifecycle management. An example of this is our integration with Microsoft Azure to enable turnkey Azure IoT Edge runtime deployments, data pipelining, and Azure-to-Azure API configurations.
For container and Kubernetes management, ZEDEDA partners with leading providers. API integrations with companies like SUSE Rancher, VMware Tanzu, and Avassa allow for simple integration with your existing company solutions.
ZEDEDA consists of two parts. EVE (a bare metal virtualization engine) and ZEDEDA Cloud (a SaaS-based controller). These two components work together to provide an edge infrastructure for deploying and updating runtimes, workloads, applications, and complex solutions across 1000’s of nodes.
EVE
EVE is a bare metal operating system / virtualization engine which supports a consistent operational model across VMs, containers, Kubernetes, and NFVs.
EVE virtualizes all the hardware resources to make them available to workloads and applications on the device. It is curated by the LF Edge organization within the Linux Foundation.
EVE features:
- Supports >75 hardware types and configurations
- Complete control over all interfaces: Ethernet, LTE, WiFi, USB, Serial and Display, including internal components such as GPUs and FPGAs.
- Diverse connectivity: LTE, WIFI and wired
- Diverse southbound I/O: Ethernet, GPU, FPGA, Serial and USB
- Works behind corporate proxy, NAT and FW
ZEDEDA Cloud
ZEDEDA Cloud is a SaaS-based controller for EVE orchestration and provides the management interface to control all the software running on edge nodes (e.g., OS, runtimes, workloads, NFVs, etc.).
Using the secure API between ZEDEDA Cloud and EVE as the only way to access a device, Administrators use policies to orchestrate applications across 1000’s of edge nodes.
ZEDEDA Cloud features:
- Complete control over the entire software stack: EVE, guest OSes, containers, NFVs, Kubernetes, runtimes, and more
- Detailed logs and statistics on device health and performance, application status, and operational history
- Role-based access control (RBAC) with detailed permission mapping and complete audit logging of any activity
- SOC-2 type-2 service operated by the experts at ZEDEDA
End-to-End Example
Step 1: Admin creates a project and defines the workloads to deploy.
Step 2: Order your favorite ZEDEDA-powered device and ship directly to the end location.
Step 4: Instantiate the infrastructure, clusters, and applications.
Step 5: Monitor and update edge nodes and deployed applications with ZEDEDA Cloud.
Step 1: Admin creates a project and defines the workloads to deploy
ZEDEDA organizes devices into projects for orchestration. A project can consist of one or 1000’s of devices. The devices do not need to be identical, but in general we recommend similar configurations in a project. When creating a project you can define application policies, attestation enforcement, default network instances, and admin access rights. Expected hardware variations are added to the project where additional node-specific configuration can be added (GPU offload, LTE, etc.) Once a project is in place, the administrator uses the Marketplace to add applications and workloads to be deployed.
Applications and workloads via the marketplace
The ZEDEDA marketplace provides the 1-click mechanism for deploying applications to 1000’s of edge nodes. It includes a curated list of partner applications that are tested and certified for production. Custom applications are easy to add and can be restricted to specific projects or users in your organization. Only the metadata associated with the application manifest is stored in ZEDEDA Cloud. Manifests include information required to instantiate the application – image location, vCPU/memory, firewall/network, container/VM, direct attach (e.g., GPUs FPGAs), etc.
Manifests can also include custom templates and scripts that can be invoked as part of the application instantiation process. The admin selects an application, specifies the nodes to deploy upon and gives it an instance identity. The admin can also specify how to utilize adapters and any network configurations.
Finally, the admin can provide any custom configuration required to bring the application online. After review, the configuration is deployed to any existing nodes and all future nodes that meet the deploy policies in this project. To onboard future nodes, the admin configures the project to attest any unreported node by a unique identifier (usually serial number) and to assigns it to a project upon bootstrapping.
Step 2: Order your favorite ZEDEDA-powered device and ship directly to the end location
ZEDEDA has an extensive list of supported devices available from the popular device manufacturers. For example, you can order a ZEDEDA-powered node from Advantech that comes pre-installed with EVE.
Installing EVE is a 3-minute process and results in a system ready to connect to the cloud controller for attestation and instructions. The install includes an identity workflow that creates a device specific private key stored in a trusted platform module (TPM). Because the private key is secured in the TPM hardware you cannot clone or spoof the identity of the node. This key is also used to secure other operations on the device.
Once EVE is installed on the device all management and orchestration access is only via a mutually authenticated API connection. With EVE installed the device can be shipped directly to the edge location for zero touch provisioning.
Step 3: Plug in device power and network cable – no IT required at end site
When the device arrives at the end site it’s given a network and power connection, triggering the bootstrapping workflow. On the first boot and every reboot after, EVE performs a security workflow to ensure the integrity of the entire software stack.
- Using measured boot and remote attestation prevents common attack vectors including modifying the software, installing firmware rootkits, adding hardware via PCI bus, and more
- All data is encrypted and only unlocked upon a successful attestation workflow
- All communications between EVE and ZEDEDA Cloud are encrypted in-flight (TLS)
- I/O port isolation is enforced to prevent physical tampering via USB, serial, or other physical interfaces
Once the secure boot is complete the node presents its cryptographically signed unique identifier to ZEDEDA Cloud. Once verified, the node will be assigned to a Project as defined by the administrator in Step 1. EVE downloads the configuration file which includes all application manifests.
EVE Security Framework
The security framework implemented on EVE-OS and supported by ZEDEDA Cloud ensures secure deployment of applications by performing the following steps on EVE-OS installation and boot up by measuring the boot chain of EVE-OS and allowing access to select resources in ZEDEDA Cloud only based on an attestation of these measurements.
The system adopts the following approach:
- Measure the boot chain of EVE-OS
- Detect any discrepancies in the boot chain and disallow access to sensitive resources in EVE-OS (like the credentials)
- Allow EVE-OS to access encrypted volumes of the disk, as long as the measurements have changed
- Provides a self-locking mechanism to restrict access to encrypted volumes in case of a change in the boot chain, even during offline operation
Step 4: Instantiate the infrastructure, clusters, and applications.
With the latest configuration from ZEDEDA Cloud downloaded, the node downloads binary images from any chosen repository (cloud or on-premises). A direct connection to ZEDEDA cloud is not required for application deployments or updates. The node performs the enclosed instructions to stand up infrastructure.
Here are some examples of the types of services deployed on an edge node:
- A legacy application running in a windows virtual machine
- Native containers
- Kubernetes (K3s, Tanzu, MicroShift, etc.)
- IoT frameworks (e.g., Azure IoT Edge runtime)
- A firewall
- An SD-WAN endpoint
Automating with APIs
With deep APIs ZEDEDA can integrate and preconfigure application controllers (firewall, SD-WAN, Azure services, etc.) for zero touch service enablement.
Step 5: Monitor and update edge nodes and deployed applications with ZEDEDA cloud
ZEDEDA Cloud gives you the ability to:
- Bulk deploy applications across fleets
- Monitor the correct and secure operation of all devices and applications
- Connect ZEDEDA to existing monitoring systems (Splunk, Datadog, etc.) for centralized reporting and compliance
- Update configuration and software to respond to new needs
- Deploy security-relevant patches fleet-wide
- Add new applications and use cases
- Perform zero touch onboarding for new nodes
- Specify and change how network ports and I/O adapters are used and configured
- Provide secure, fail-safe updates of EVE with automatic fallback
- Manage applications and nodes by specifying the origins of content, volumes, and network connectivity, along with corresponding parameters
- Manager users with full RBAC (role-based access control)
ZEDEDA cloud also provides a rich set of visibility, both for a single edge node or application and also across an entire fleet:
- CPU
- Memory
- Disk
- Network usage
- Network flows
- Geographical distribution
Security Threats at the Edge
User access - poor usernames/passwords
Physical access - USB stick, ethernet cable
Theft - Disk/SSD or clone device
Network - DDoS of device
Attacks exploiting software bugs in OS/runtime
Device becoming part of a botnet attacking others
How ZEDEDA Removes These Threats
People
- Remove need for device usernames/passwords
- RBAC and multi-tenancy in controller
Processes - handle the entire edge device lifetime
- Secure, scalable distribution of updates
- API reports (resource usage, firewall violations) enable analytics in controller
Standard Security Technologies for the User Edge
- Hardware root of trust (e.g., TPM)
- Crypto-based identification
- Measured boot and remote attestation
- Encryption at rest and in-flight (TLS); keys sealed by TPM
- Signed images for EVE and applications
- Use hypervisors for strong isolation and defense in depth
- Distributed firewall for every app
- Physical security—port isolation
- Support deployment of virtual security appliances
