The explosive growth of edge computing projects continues to gain momentum, but edge developers and architects are quickly realizing that the edge presents a unique set of challenges far removed from those faced in cloud or data center environments. One of the most pressing concerns is security, especially when dealing with AI applications. In a recent presentation delivered at The Linux Foundation’s One Summit event, Erik Nordmark, chief technology officer of ZEDEDA and LF Edge Technical Advisory Committee member, shed light on the security challenges many organizations face at the edge and offered insights on how to build a secure framework for edge AI applications.
The edge computing landscape
Unlike the cloud or data center, the edge lacks a secure perimeter, making it challenging to trust hardware, software, or even users. In addition, the diversity of hardware types and the limitations of intermittent connectivity and low bandwidth necessitate a fresh approach to security and application development.
Nordmark highlighted several real-world scenarios where developers have encountered these issues. For instance, scaling up AI applications often leads to a surge in bandwidth consumption, particularly when dealing with video data. To mitigate this, developers have turned to deploying containers locally at the edge, enabling local decision-making and reducing data transmission to the cloud.
However, this approach introduces new challenges, such as intermittent connectivity due to factors like outages, tunnels, or loss of cellular connection. Additionally, edge devices often lack the uninterruptible power supplies (UPS) common in data centers, leading to abrupt shutdowns that can disrupt applications and compromise data integrity.
The security conundrum
These challenges are further compounded by security concerns. Deploying AI models and algorithms at remote locations with limited physical and network security raises significant risks, including:
- Physical security: The physical vulnerability of edge devices to theft and tampering due to their often-remote locations and potentially less secure environments compared to traditional data centers.
- Network security: The challenges posed by intermittent or unreliable network connectivity at the edge, hindering remote updates and monitoring, and necessitating secure communication channels between edge devices and controllers.
- Software vulnerabilities: The inevitability of vulnerabilities in software components, including operating systems, container runtimes, and applications, emphasizing the need for mechanisms to deliver patches and updates promptly.
- Data security: The protection of sensitive information such as intellectual property and customer data stored on edge devices, including the use of techniques like full disk encryption and secure boot, while acknowledging their potential limitations in edge environments.
- Remote access and management: The necessity of robust remote management capabilities, incorporating role-based access control and secure authentication, to prevent unauthorized access to edge devices.
- Security monitoring: The importance of monitoring edge devices for security incidents and adapting security tools and processes to the unique challenges of edge environments.
The potential for theft of devices or drives, along with vulnerabilities in software components, necessitates a robust security framework. Nordmark emphasized the importance of addressing security questions from the outset. Questions like “What attack surfaces do you have?” or “Have you done a threat model and threat analysis?” are crucial to ensure the protection of intellectual property, customer data, and the overall integrity of the application.
An open source solution: EVE-OS
To tackle these challenges, ZEDEDA, in collaboration with LF Edge’s Project Eve, developed EVE-OS, a lightweight, open-source operating system tailored for the distributed edge. EVE-OS addresses common edge issues such as software and firmware attacks, inconsistent network connections, and the complexities of deploying and updating applications with limited bandwidth. Key features of EVE-OS include:
- Immutable read-only images: Ensure that updates are applied consistently, even in the event of power failures.
- Hardware and software watchdogs: Enable automatic recovery from failures without manual intervention.
- Declarative eventual consistency-based API: Simplify network configuration and enhance robustness of network security.
- Disabled physical ports: Prevent unauthorized access through USB and other physical interfaces.
- No user logins: Enhance security by eliminating direct user access to the device.
- Mutual trust and distributed firewall: Establish a secure sandbox for applications, limiting their network access.
One of the most significant innovations in EVE-OS is its approach to securing against the theft of devices or drives. By leveraging standard components like Trusted Platform Module (TPM) chips and firmware, along with techniques like measured boot and remote attestation, EVE-OS ensures that stolen devices cannot be easily compromised.
Additionally, EVE-OS incorporates a mechanism for remote updates, allowing for timely patching of vulnerabilities and ensuring the security of deployed devices.
Embracing the future of edge AI
Nordmark encouraged developers to embrace the evolving landscape of edge AI. He also highlighted the importance of understanding the unique constraints of the distributed edge and leveraging tools like EVE-OS to build secure and robust applications.
With its focus on security, robustness, and ease of use, EVE-OS represents a significant step forward in the development of edge AI applications. By addressing the challenges of the edge computing environment, EVE-OS empowers developers to create innovative solutions that can thrive in the real world.
To learn more about this presentation, watch the recording. For more information about EVE-OS, visit Project Eve or try it out on the LF Edge Sandbox. For more information on how ZEDEDA ensures the security of edge deployments, visit ZEDEDA.com.
