How It Works

Overview

ZEDEDA provides an edge orchestration and management solution engineered to deliver applications and workloads to edge devices. The solution is not specific to a particular industry or use case; instead, as foundational infrastructure, ZEDEDA enables such use cases by making them easy to deploy, scalable, and secure. ZEDEDA is deployed at the distributed edge to empower new use cases on commodity industrial devices (e.g., edge servers, gateways).

As a control plane solution, ZEDEDA does not interact with edge node data at the application plane. Instead, users retain control of data flow and can process data locally and upload it to cloud or data center environments. ZEDEDA is built to deliver a Zero Trust security model that addresses the unique, perimeter-less security challenges of edge infrastructure.

ZEDEDA Technical Details 

ZEDEDA delivers infrastructure software for running edge workloads and applications. Installing the edge virtualization engine on commodity hardware creates a trusted environment with an embedded hypervisor managed via the ZEDEDA Cloud API. 

Using the ZEDEDA Marketplace, an administrator defines the desired state of the applications running on the node. This includes selecting application infrastructure (e.g., VMs, containers, Kubernetes, NFVs), application services (e.g., networking, security), and the applications themselves.

ZEDEDA follows an eventual consistency model delivering maximum uptime regardless of connectivity. When connected, edge nodes call the ZEDEDA Cloud for configuration and updates. If there is an update, the edge node pulls down the new configuration and any required immutable artifacts. ZEDEDA is designed for segmented on-prem networks and can pull updates through NATs and firewalls. Each configuration change is deployed and tested in a second partition on the device to ensure stability before switching to primary. This operation is autonomous for each node.

Most modern applications have an application controller for management and configuration. Using ZEDEDA’s northbound APIs, advanced workflows can be created for complete lifecycle management. An example of this is our integration with Microsoft Azure to enable turnkey Azure IoT Edge runtime deployments, data pipelining, and Azure-to-Azure API configurations. 

For container and Kubernetes management, ZEDEDA partners with leading providers. API integrations with companies like SUSE Rancher, VMware Tanzu, and Avassa allow for simple integration with your existing company solutions. 

ZEDEDA consists of two parts: EVE (a bare-metal virtualization engine) and ZEDEDA Cloud (a SaaS-based controller). These two components work together to provide an edge infrastructure for deploying and updating runtimes, workloads, applications, and complex solutions across thousands of nodes.

EVE

EVE is a bare metal operating system / virtualization engine which supports a consistent operational model across VMs, containers, Kubernetes, and NFVs.

EVE virtualizes all the hardware resources to make them available to workloads and applications on the device. It is curated by the LF Edge organization within the Linux Foundation.

EVE features:

    • Supports >75 hardware types and configurations
    • Complete control over all interfaces: Ethernet, LTE, WiFi, USB, Serial and Display, including internal components such as GPUs and FPGAs.
    • Diverse connectivity: LTE, WiFi and wired
    • Diverse southbound I/O: Ethernet, GPU, FPGA, Serial and USB
    • Works behind corporate proxy, NAT and FW

ZEDEDA Cloud

ZEDEDA Cloud is a SaaS-based controller for EVE orchestration and provides the management interface to control all the software running on edge nodes (e.g., OS, runtimes, workloads, NFVs, etc.).

Because the mutually authenticated API between ZEDEDA Cloud and EVE is the only way to access a device, administrators manage the fleet through policies rather than per-device logins, orchestrating applications across thousands of edge nodes.

ZEDEDA Cloud features:

  • Complete control over the entire software stack: EVE, guest OSes, containers, NFVs, Kubernetes, runtimes, and more
  • Detailed logs and statistics on device health and performance, application status, and operational history
  • Role-based access control (RBAC) with detailed permission mapping and complete audit logging of any activity
  • SOC 2 Type 2 service operated by the experts at ZEDEDA

End-to-End Example


Step 1: Admin creates a project and defines the workloads to deploy.


Step 2: Order your favorite ZEDEDA-powered device and ship directly to the end location.


Step 3: Plug in device power and network cable – no IT required at end site.


Step 4: Instantiate the infrastructure, clusters, and applications.


Step 5: Monitor and update edge nodes and deployed applications with ZEDEDA Cloud.

Step 1: Admin creates a project and defines the workloads to deploy

ZEDEDA organizes devices into projects for orchestration. A project can consist of a single device or thousands. The devices do not need to be identical, but in general we recommend similar configurations within a project. When creating a project you define application policies, attestation enforcement, default network instances, and admin access rights. Expected hardware variations are added to the project, where additional node-specific configuration (GPU offload, LTE, etc.) can be applied. Once a project is in place, the administrator uses the Marketplace to add the applications and workloads to be deployed.

Applications and workloads via the marketplace

The ZEDEDA Marketplace provides the 1-click mechanism for deploying applications to thousands of edge nodes. It includes a curated list of partner applications that are tested and certified for production. Custom applications are easy to add and can be restricted to specific projects or users in your organization. Only the metadata associated with the application manifest is stored in ZEDEDA Cloud; the images themselves are pulled by the node from the repository the manifest names. Manifests include the information required to instantiate the application: image location, vCPU/memory, firewall/network rules, container/VM type, direct-attach hardware (e.g., GPUs, FPGAs), etc.

Manifests can also include custom templates and scripts that can be invoked as part of the application instantiation process. The admin selects an application, specifies the nodes to deploy upon and gives it an instance identity. The admin can also specify how to utilize adapters and any network configurations.

Finally, the admin can provide any custom configuration required to bring the application online. After review, the configuration is deployed to all existing nodes and to every future node that meets the deploy policies of the project. To onboard future nodes, the admin configures the project to admit any not-yet-seen node by a unique identifier (usually its serial number) and to assign it to the project upon bootstrapping; the node must still pass attestation before it receives configuration or secrets.

Step 2: Order your favorite ZEDEDA-powered device and ship directly to the end location

ZEDEDA has an extensive list of supported devices available from the popular device manufacturers. For example, you can order a ZEDEDA-powered node from Advantech that comes pre-installed with EVE.

Installing EVE takes about three minutes and results in a system ready to connect to the cloud controller for attestation and instructions. The install includes an identity workflow that creates a device-specific private key stored in a trusted platform module (TPM). Because the private key never leaves the TPM, copying the disk does not clone the node's identity and another device cannot spoof it. The same key also secures other operations on the device.

Once EVE is installed, all management and orchestration access is via a mutually authenticated API connection only; there are no local usernames or passwords. With EVE installed, the device can be shipped directly to the edge location for zero-touch provisioning.

Step 3: Plug in device power and network cable – no IT required at end site

When the device arrives at the end site it is given a network and power connection, which triggers the bootstrapping workflow. On first boot, and on every reboot after that, EVE performs a security workflow to verify the integrity of the entire software stack.

  • Measured boot with remote attestation catches common attack vectors, including modified software, firmware rootkits and hardware added on the PCI bus, before the node is given any configuration or secrets
  • All data at rest is encrypted and is unlocked only after a successful attestation workflow
  • All communications between EVE and ZEDEDA Cloud are encrypted in flight (TLS)
  • I/O port isolation is enforced to prevent tampering via USB, serial, or other physical interfaces

Once measured boot and attestation complete, the node presents its cryptographically signed unique identifier to ZEDEDA Cloud. Once verified, the node is assigned to a project as defined by the administrator in Step 1, and EVE downloads the configuration, which includes all application manifests.

EVE Security Framework

The security framework implemented in EVE-OS and supported by ZEDEDA Cloud ensures secure deployment of applications: on installation and on every boot it measures the boot chain of EVE-OS, and access to selected resources in ZEDEDA Cloud is granted only on the basis of an attestation of those measurements.

The system adopts the following approach:

  • Measure the boot chain of EVE-OS
  • Detect any discrepancy in the boot chain and deny access to sensitive resources in EVE-OS (such as credentials)
  • Allow EVE-OS to access the encrypted volumes on disk only as long as the measurements have not changed
  • Provide a self-locking mechanism that restricts access to encrypted volumes if the boot chain changes, even during offline operation
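The attestation workflow in Step 3 and the four points above describe one mechanism seen from two sides: the node extends a TPM PCR with each boot stage, the controller checks a signed quote of that PCR before handing out anything sensitive, and the volume key is sealed to the same PCR so a changed boot chain locks the disk even with no controller in reach. The following is an added example written for this page, not EVE or ZEDEDA Cloud code. It simulates the TPM, the boot chain and the controller in-process: the component names, the node identifier and the HMAC-based "quote" (standing in for the asymmetric signature a real TPM would produce) are all constructed for illustration.

```python
"""Added example (not EVE/ZEDEDA code): measured boot, remote attestation and
PCR-sealed volume keys, modelled in-process. Everything here is simulated."""
import hashlib
import hmac
import secrets

# Constructed boot chain: the stages a measured-boot firmware hashes into a PCR.
KNOWN_GOOD_CHAIN = [
    b"firmware:vendor-uefi-2.3",
    b"bootloader:grub-eve-9.4",
    b"kernel:eve-linux-6.1",
    b"rootfs:eve-os-11.0.0",
]
# Same chain with the kernel swapped: what a rootkit or tampered image looks like.
TAMPERED_CHAIN = KNOWN_GOOD_CHAIN[:2] + [b"kernel:eve-linux-6.1-modified"] + KNOWN_GOOD_CHAIN[3:]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || H(measurement)). Order matters and nothing
    can be un-extended, which is what makes the chain tamper-evident."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(chain) -> bytes:
    """Replay a boot chain into a PCR starting from the power-on value (all zeros)."""
    pcr = bytes(32)
    for component in chain:
        pcr = pcr_extend(pcr, component)
    return pcr


class SimulatedTPM:
    """Stand-in for the hardware TPM. Keys live only inside this object."""

    def __init__(self):
        self._device_key = secrets.token_bytes(32)  # created at install, never exported
        self._seal_secret = secrets.token_bytes(32)  # per-TPM secret for local sealing
        self.pcr = bytes(32)

    def enrollment_key(self) -> bytes:
        # With a real TPM the controller receives a public key; HMAC forces a
        # shared verification key in this simulation (an assumption of the model).
        return self._device_key

    def boot(self, chain):
        self.pcr = measure_boot(chain)

    def quote(self, nonce: bytes):
        """Signed statement 'PCR is X for this nonce'. The nonce defeats replay."""
        mac = hmac.new(self._device_key, nonce + self.pcr, "sha256").digest()
        return self.pcr, mac

    def seal(self, data: bytes, policy_pcr: bytes) -> bytes:
        """Bind data to a PCR value (max 32 bytes): wrap it under a key derived from
        the TPM secret and the PCR it may be released under, plus a MAC so a wrong
        PCR is detected rather than yielding garbage."""
        assert len(data) <= 32
        wrap = hashlib.sha256(self._seal_secret + policy_pcr).digest()
        ct = bytes(a ^ b for a, b in zip(data, wrap))
        tag = hmac.new(wrap, ct, "sha256").digest()
        return ct + tag

    def unseal(self, blob: bytes):
        """Release the data only if the *current* PCR matches the sealing policy.
        No controller is involved, so this holds during offline operation too."""
        ct, tag = blob[:-32], blob[-32:]
        wrap = hashlib.sha256(self._seal_secret + self.pcr).digest()
        if not hmac.compare_digest(hmac.new(wrap, ct, "sha256").digest(), tag):
            return None  # boot chain changed: volume key stays locked
        return bytes(a ^ b for a, b in zip(ct, wrap))


class Controller:
    """Stand-in for the attestation check a cloud controller performs."""

    def __init__(self, expected_pcr: bytes):
        self.expected_pcr = expected_pcr
        self.enrolled = {}  # node id -> verification key from the identity workflow

    def enroll(self, node_id: str, key: bytes):
        self.enrolled[node_id] = key

    def attest(self, node_id: str, tpm: SimulatedTPM) -> bool:
        key = self.enrolled.get(node_id)
        if key is None:
            return False  # unknown node: no configuration, no secrets
        nonce = secrets.token_bytes(16)  # fresh per request
        pcr, mac = tpm.quote(nonce)
        if not hmac.compare_digest(mac, hmac.new(key, nonce + pcr, "sha256").digest()):
            return False  # quote was not produced by this node's key
        return hmac.compare_digest(pcr, self.expected_pcr)


def run_scenario(chain) -> dict:
    """Install-time enrolment and sealing, then a boot with the given chain."""
    tpm = SimulatedTPM()
    ctrl = Controller(expected_pcr=measure_boot(KNOWN_GOOD_CHAIN))
    ctrl.enroll("node-0001", tpm.enrollment_key())  # constructed node id
    volume_key = secrets.token_bytes(32)
    sealed = tpm.seal(volume_key, measure_boot(KNOWN_GOOD_CHAIN))
    tpm.boot(chain)
    return {"attested": ctrl.attest("node-0001", tpm),
            "volume_unlocked": tpm.unseal(sealed) == volume_key}


if __name__ == "__main__":
    print("known-good boot:", run_scenario(KNOWN_GOOD_CHAIN))
    print("tampered boot:  ", run_scenario(TAMPERED_CHAIN))
```

Two properties worth noticing when reading the output: a tampered stage anywhere in the chain changes the final PCR, so both the controller-side check and the local unseal fail together, and because the seal is checked against the live PCR inside the (simulated) TPM, the lockout does not depend on the controller being reachable. What the model leaves out is the asymmetric signature and the TPM's own key hierarchy; in hardware the controller verifies with a public key and nothing secret is shared.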

Step 4: Instantiate the infrastructure, clusters, and applications.

With the latest configuration from ZEDEDA Cloud downloaded, the node downloads binary images from any chosen repository (cloud or on-premises). A direct connection to ZEDEDA cloud is not required for application deployments or updates. The node performs the enclosed instructions to stand up infrastructure.

Here are some examples of the types of services deployed on an edge node:

    • A legacy application running in a Windows virtual machine
    • Native containers
    • Kubernetes (K3s, Tanzu, MicroShift, etc.)
    • IoT frameworks (e.g., Azure IoT Edge runtime)
    • A firewall
    • An SD-WAN endpoint

Automating with APIs

Through its APIs, ZEDEDA can integrate with and preconfigure application controllers (firewall, SD-WAN, Azure services, etc.) for zero-touch service enablement.

Step 5: Monitor and update edge nodes and deployed applications with ZEDEDA Cloud

ZEDEDA Cloud gives you the ability to:

  • Bulk deploy applications across fleets
  • Monitor the correct and secure operation of all devices and applications
  • Connect ZEDEDA to existing monitoring systems (Splunk, Datadog, etc.) for centralized reporting and compliance
  • Update configuration and software to respond to new needs
  • Deploy security-relevant patches fleet-wide
  • Add new applications and use cases
  • Perform zero touch onboarding for new nodes
  • Specify and change how network ports and I/O adapters are used and configured 
  • Provide secure, fail-safe updates of EVE with automatic fallback
  • Manage applications and nodes by specifying the origins of content, volumes, and network connectivity, along with corresponding parameters
  • Manage users with full RBAC (role-based access control)

ZEDEDA Cloud also provides rich visibility, both for a single edge node or application and across an entire fleet:

  • CPU
  • Memory 
  • Disk
  • Network usage
  • Network flows
  • Geographical distribution

Security Threats at the Edge

  • User access - poor usernames/passwords
  • Physical access - USB stick, Ethernet cable
  • Theft - disk/SSD or cloned device
  • Network - DDoS of the device
  • Attacks exploiting software bugs in the OS/runtime
  • Device becoming part of a botnet attacking others

How ZEDEDA Removes These Threats

People

  • Remove need for device usernames/passwords
  • RBAC and multi-tenancy in controller

Processes

Processes - handle the entire edge device lifetime

  • Secure, scalable distribution of updates
  • API reports (resource usage, firewall violations) enable analytics in the controller

Security

Standard Security Technologies for the User Edge

  • Hardware root of trust (e.g., TPM)
  • Crypto-based identification
  • Measured boot and remote attestation
  • Encryption at rest and in-flight (TLS); keys sealed by TPM
  • Signed images for EVE and applications
  • Use hypervisors for strong isolation and defense in depth
  • Distributed firewall for every app
  • Physical security—port isolation
  • Support deployment of virtual security appliances

Our Customers

What our customers have to say

“We have standardized on ZEDEDA as a critical part of our solution, enabling us to extend DeltaV to the distributed edge and provide AI-based data analysis for real-time support for automated decision-making.”
Claudio Fayad,
Vice President of Technology, Process Systems and Solutions,
Emerson
“ZEDEDA plays a key role in allowing us to securely deliver industrial edge solutions to any customer. Even in the far reaches of organizations in physically rugged and insecure environments, customers can deploy core applications and securely access valuable machine data.”
Chirayu Shah,
Director of Product Management for Edge, Data and Analytics,
Rockwell Automation
“Leveraging ZEDEDA’s unique approach to orchestrating a wide range of apps (ours and our partners’), is making deployment of edge computing platforms easier.”
Sujit Kumar,
President and CEO,
Agora
“ZEDEDA enabled us to focus on delivering value to our customers while providing a mature orchestration solution for the distributed edge, saving us years of development time and getting MachineEdge ready for the market.”
William Blankemeir,
President,
PeopleFlo
“With ZEDEDA we have an automatic process that’s faster, less prone to error, and future-proofed. We can manage nodes remotely, easily update them, and have the peace of mind of knowing that if software failure happens, we can deal with it.”
Ivan Arkipoff,
CTO,
PV Hardware
“We’ve been confident in the robustness and reliability of ZEDEDA’s platform to manage our edge fleet. As we continue to grow and innovate, we’re reassured by ZEDEDA’s support, ensuring the quality and robustness of our architecture.”
Jamal Abdelkhalek,
IoT Software Engineer,
Bobst