Security


Cybersecurity is an important aspect of Edge Computing. EnOS Edge creates a secure and trusted environment for edge computing by enhancing the security of edge infrastructure, network, data, and applications against various cybersecurity threats.

Edge Infrastructure Security

Edge Infrastructure provides the hardware and software foundation for the entire edge computing node and the basic edge computing requirements. EnOS Edge provides trusted edge infrastructure security and covers the following aspects:

  • Operating System Security

    Enhance the stability and security of its operating system through Secure by default principles that include closing unused open ports, restricting account access, and minimizing system settings.

  • Edge Device Identity and Authentication

    Support device identity and authentication to ensure device uniqueness and identity legitimacy by:

    • Key-based single-way static authentication: Each Edge device is installed with a set of keys called triplets (Product Key, Device Key, and Device Secret). The Edge device uses the installed triplets to authenticate with the EnOS Cloud

    • Key-based single-way dynamic authentication: Edge devices attempt to access EnOS Cloud with Product Key, Product Secret, and Device Key. After successful authentication, EnOS Cloud returns the Device Secret to the Edge devices. During subsequent access, Edge devices will use triplets for authentication.

  • Access Authentication

    Certificate-based mutual authentication is supported between EnOS Edge and EnOS Cloud. When mutual authentication is enabled, all communication sessions between the EnOS Edge and EnOS Cloud platforms will enforce mutual authentication based on the X.509 certificate.

Edge Network Security

Edge network security is essential for interconnecting edge computing with existing industrial buses and clouds. EnOS Edge secures the edge network from the inside-out approach, covering the following aspects:

  • Security Protocols

    • The protocol stack fully implements a variety of standard industrial communication protocols, and conforms to the strict specifications of communication protocols for security.

    • Support encryption and encapsulation of the original protocol through secure channels such as VPN and SSL, which further enhances the security of the original protocol and secure the data transmission.

  • Network Domain Isolation

    • Support adding a dedicated firewall between the on-site OT networks and the cloud IT networks, and securing devices and data within the OT networks through custom firewall policies and network access controls.

    • Support deploying network isolation devices for scenarios with strict network isolation requirements, such as the power field and data center use case. The network isolation appliances further realize the strict isolation of the network domain, effectively preventing a variety of malicious network attacks, such as DDoS attacks and port intrusion.

    • Support connections to network-isolated devices and the transmission of real-time data or files using network-isolated devices for data transmission to the cloud and data forwarding.

  • Network Monitoring and Protection

    Support additional network monitoring and protection via the firewall. EnOS Edge detects suspicious behaviors through traffic analysis. And then it alerts network administrators, blocks harmful traffic directly through traffic analysis and rule matching, and generates logs.

Edge Data Security

Edge data security ensures the security of data stored at edge nodes and transmitted in complex heterogeneous network environments, allowing the same data to be safely viewed and used by users or systems at any time according to business requirements. EnOS Edge ensures the security of edge data throughout its life cycle, thanks to:

  • Secure Data Storage

    • Enforce secure storage of database passwords to prevent unauthorized access to the database.

    • Support encrypted storage of files with lightweight data encryption technology.

    • Support automatic data backup to ensure data availability.

  • Secure Data Transmission

    • Support the use of TLS/SSL for device data collection and forwarding.

    • Support VPN secure channels and vertical encryption devices.

  • Secure Data Usage

    • Edge applications must be authorized to use the external API and SDK of EnOS Edge.

    • Perform authentication on each call of the API and SDK and strictly controls access to the stored data for edge applications to meet data confidentiality requirements.

Edge Application Security

Edge application security is the fundamental security requirement for third-party edge application development and operation, preventing malicious applications from influencing the security of the edge computing platform itself and other applications. EnOS Edge provides full lifecycle security measures in the following aspects:

  • Registration and Development of Applications

    • All apps that release to EnOS Edge need to be registered for a unique service account in the EnOS Cloud application center.

    • Administrators need to authorize apps with access to Edge devices in the Edge management center so that the edge apps can access to the data resources on the Edge devices.

    • In the process of edge application development, the app developer needs to authenticate with his authorized service account each time he calls the API and SDK of Edge. And then the data on EnOS Edge can be actually obtained for consumption.

  • Launch, Operation, and Maintenance of Applications

    • Support launching applications through virtual machines and containers. The applications and EnOS Edge are deployed in different virtual machines or containers. This isolation effectively prevents the negative impact of one edge application on the Edge and other applications.

    • Support the monitoring of the performance, traffic, and bandwidth usage of applications.

  • User Login Rights and Access Control

    • Support built-in lightweight IAM to help manage user identities and control access to resources in EnOS Edge.

    • Edge applications on EnOS Edge support RBAC authorization and management through the App Portal, and also support user logins in separate roles to prevent illegal elevation of user rights.

    • Enforce password modification after initial logins to prevent device security risks caused by password leakage.

Edge Security Lifecycle Management

EnOS Edge integrates security processes into the requirements, development, testing, operation, and various stages of the development life cycle of edge computing platforms and applications, with one or more security activities in each stage to mitigate any security issues. At the same time, the number and severity of vulnerabilities in the platform and applications are minimized through the existence of a complete process, including the development of supporting security systems and the necessary security training.

  • Third-Party Component Security

    Quickly and comprehensively identify potential vulnerable third-party components and run regression tests to ensure the product functionalities, thus avoiding security risks for applications due to security vulnerabilities in third-party components.

  • Secure Development

    Introduce security principles at all stages of software development to minimize security vulnerabilities in the edge computing platform. That includes security requirement analysis and risk assessment for the requirements stage, threat modeling for the design stage, standard tool usage and static analysis for the development stage (security development specification and code audit), exception defect assessment, and black and white box testing for the test and validation stage, and final security audit for release and maintenance.

  • Code Audit

    By introducing a defensive programming methodology in the development process and using static code analysis to perform source code weaknesses identification and analysis before software release, EnOS Edge discovers errors, security vulnerabilities, and codes that violate the programming specifications from the source, thus improving the underlying security of our software.

  • Bug Fix

    • EnOS Site Reliability Engineering team (EnOS SRE) regularly scans product bugs of system interfaces, configurations, and other aspects, and timely fixes the discovered ones.

    • Any new security incidents or vulnerabilities will be immediately reported to EnOS SRE. The team will review the applicability and risk level and assign to the related EnOS personnel for resolution.

    • The latest applicable security patches and configurations will be immediately applied to all operating systems, containers, applications, infrastructures to reduce the risk of vulnerabilities exposure.

  • Penetration Test

    EnOS SRE regularly perform penetration test to continuously identify vulnerabilities in existing products and remediate potential vulnerabilities.

  • Operations and Maintenance Management

    • EnOS SRE develops the management strategy and processes for edge security operations and maintenance, and develops a security incident handling process.

    • EnOS SRE manages the security operation and maintenance of critical edge computing systems and devices, including the maintenance of digital forensics and incident response (DFIR) functions, to timely detect and address system risks.