CONTACT US
1-844-4ZPE-SYS
ZPE CLOUD

Providing Out-of-Band Connectivity to Mission-Critical IT Resources

Home » Streamline Deployments » Zero Touch Provisioning (ZTP) » Page 7

Edge Computing Examples

by | Jun 21, 2024 | Application Hosting, Edge Computing, Modernize Legacy Environments, Network Automation, Out of Band Management, Remote Network Management, SD-Branch, Security Service Edge (SSE), Simplify Branch Infrastructure, Streamline Deployments, Vendor Neutral Platform, Zero Touch Provisioning (ZTP)

Interlocking cogwheels containing icons of various edge computing examples are displayed in front of racks of servers

The edge computing market is growing fast, with experts predicting edge computing spending to reach almost $350 billion in 2027. Companies use edge computing to leverage data from Internet of Things (IoT) sensors and other devices at the periphery of the network in real-time, unlocking faster insights, accelerating ROIs for artificial intelligence and machine learning investments, and much more. This blog highlights 7 edge computing examples from across many different industries and provides tips and best practices for each use case.

What is edge computing?

Edge computing involves moving compute capabilities – processing units, RAM, storage, data analysis software, etc. – to the network’s edges. This allows companies to analyze or otherwise use edge data in real-time, without transmitting it to a central data center or the cloud.

Edge Computing Learning Center

Edge computing shortens the physical and logical distance between data-generating devices and the applications that use that data, which reduces bandwidth costs and network latency while simplifying many aspects of data security and compliance.

7 Edge computing examples

Below are 7 examples of how organizations use edge computing, along with best practices for overcoming the typical challenges involved in each use case. Click the links in the table for more information about each example.

Examples Best Practices
Monitoring inaccessible equipment in the oil & gas industry Use a vendor-neutral edge computing & networking platform to reduce the tech stack at each site.
Remotely managing and securing automated Smart buildings Isolate the management interfaces for automated building management systems from production to reduce risk.
Analyzing patient health data generated by mobile devices Protect patient privacy with strong hardware roots-of-trust, Zero Trust Edge integrations, and control plane/data plane separation.
Reducing latency for live streaming events and online gaming Use all-in-one, vendor-neutral devices to minimize hardware overhead and enable cost-effective scaling.
Improving performance and business outcomes for AI/ML Streamline operations by using a vendor-neutral platform to remotely monitor and orchestrate edge AI/ML deployments.
Enhancing remote surveillance capabilities at banks and ATMs Isolate the management interfaces for all surveillance systems using Gen 3 OOB to prevent compromise.
Extending data analysis to agriculture sites with limited Internet access Deploy edge gateway routers with environmental sensors to monitor operating conditions and prevent equipment failures.

1. Monitoring and managing inaccessible equipment in the oil and gas industry

The oil and gas industry uses IoT sensors to monitor flow rates, detect leaks, and gather other critical information about human-inaccessible equipment and operations. With drilling rigs located offshore and in extremely remote locations, ensuring reliable internet access to communicate with cloud-based or on-premises monitoring applications can be tricky. Dispatching IT teams to diagnose and repair issues is also costly, time-consuming, and risky. Edge computing allows oil and gas companies to process data on-site and in real-time, so safety issues and potential equipment failures are caught and remediated as soon as possible, even when Internet access is spotty.

Best practice: Use a vendor-neutral edge computing & networking platform like the Nodegrid Gate SR to reduce the tech stack at each site. The Gate SR can host other vendors’ software for SD-WAN, Secure Access Service Edge (SASE), equipment monitoring, and more. It also provides out-of-band (OOB) management and built-in cellular failover to improve network availability and resilience. Read this case study to learn more.

2. Remotely managing and securing fully automated Smart buildings

Smart buildings use IoT sensors to monitor and control building functions such as HVAC, lighting, power, and security. Property management companies and facilities departments use data analysis software to automatically determine optimal conditions, respond to issues, and alert technicians when emergencies occur. Edge computing allows these automated processes to respond to changing conditions in real-time, reducing the need for on-site personnel and improving operational efficiency.

Best practice: Keep the management interfaces for automated building management systems isolated from the production environment to reduce the risk of compromise or ransomware infection. Use edge computing platforms with Gen 3 out-of-band (OOB) management for control plane/data plane separation to improve resilience and ensure continuous remote access for troubleshooting and recovery. 

3. Analyzing patient health data generated by mobile devices in the healthcare industry

Healthcare organizations use data analysis software, including AI and machine learning, to analyze patient health data generated by insulin pumps, pacemakers, imaging devices, and other IoT medical technology. Keeping that data secure is critical for regulatory compliance, so it must be funneled through a firewall on its way to cloud-based or data center applications, increasing latency and preventing real-time response to potentially life-threatening health issues. Edge computing for healthcare moves patient monitoring and data analysis applications to the same local network (or even the same onboard chip) as the sensors generating most of the data, reducing security risks and latency. Some edge computing applications for healthcare can operate without a network connection most of the time, using built-in cellular interfaces and ATT FirstNet connections to send emergency alerts as needed without exposing any private patient data.

Best practice: Protect patient privacy by deploying healthcare edge computing solutions like Nodegrid with strong hardware roots-of-trust, Zero Trust Edge integrations, and control plane/data plane separation. Nodegrid secures management interfaces with the Trusted Platform Module 2.0 (TPM 2.0), multi-factor authentication (MFA), secure boot, built-in firewall intrusion prevention, and more.

4. Reducing latency for live streaming events and online gaming

Streaming live content requires low-latency processing for every user regardless of their geographic location, which is hard to deliver from a few large, strategically placed data centers. Edge computing decentralizes computing resources, using relatively small deployments in many different locations to bring services closer to audience members and gamers. Edge computing reduces latency for streaming sports games, concerts, and other live events, as well as online multiplayer games where real-time responses are critical to the customer experience.

Best practice: Use all-in-one, vendor-neutral devices like the Nodegrid Gate SR to combine SD-WAN, OOB management, edge security, service delivery, and more. Nodegrid services routers reduce the tech stack at each edge computing site, allowing companies to scale out as needed while minimizing hardware overhead.

5. Improving performance and business outcomes for artificial intelligence/machine learning

Artificial intelligence and machine learning applications provide enhanced data analysis capabilities for essentially any use case, but they must ingest vast amounts of data to do so. Securely transmitting and storing edge and IoT data and preparing it for ingestion in data lakes or data warehouses located in the cloud or data center takes significant time and effort, which may prevent companies from getting the most out of their AI investment. Edge computing for AI/ML eliminates transmission and storage concerns by processing data directly from the sources. Edge computing lets companies leverage their edge data for AI/ML much faster, enabling near-real-time insights, improving application performance, and providing accelerated business value from AI investments.

Best practice: Use a vendor-neutral OOB management platform like Nodegrid to remotely monitor and orchestrate edge AI/ML deployments. Nodegrid OOB ensures 24/7 remote management access to AI infrastructure even during network outages. It also supports third-party automation for mixed-vendor devices to help streamline edge operations. 

6. Enhancing remote surveillance capabilities at banks and ATMs

Constantly monitoring video surveillance feeds from banks and ATMs is very tedious for people, but machines excel at it. AI-powered video surveillance systems use advanced machine-learning algorithms to analyze video feeds and detect suspicious activity with far greater vigilance and accuracy than human security teams. With edge computing, these solutions can analyze surveillance data in real-time, so they could potentially catch a crime as it’s occurring. Edge computing also keeps surveillance data on-site, reducing bandwidth costs, network latency, and the risk of interception.

Best practice: Isolate the management interfaces for all surveillance systems using a Gen 3 OOB solution like Nodegrid to keep malicious actors from hijacking the security feeds. OOB control plane/data plane separation also makes it easier to establish a secure environment for regulated financial data, simplifying PCI DSS 4.0 and DORA compliance.

7. Extending data analysis to agriculture sites with limited Internet access

The agricultural sector uses IoT technology to monitor growing conditions, equipment performance, crop yield, and much more. Many of these devices use cellular connections to transmit data to the cloud for analysis which, as we’ve already discussed ad nauseam, introduces latency, increases bandwidth costs, and creates security risks. Edge computing moves this data processing on-site to reduce delays in critical applications like livestock monitoring and irrigation control. It also allows farms to process data on a local network, reducing their reliance on cellular networks that aren’t always reliable in remote and rural areas.

Best practice: Deploy all-in-one edge gateway routers with environmental sensors, like the Nodegrid Mini SR, to monitor operating conditions where your critical infrastructure is deployed. Nodegrid’s environmental sensors alert remote teams when the temperature, humidity, or airflow falls outside of established baselines to prevent equipment failure. 

Edge computing for any use case

The potential uses for edge computing are nearly limitless. A shift toward distributed, real-time data analysis allows companies in any industry to get faster insights, reduce inefficiencies, and see more value from AI initiatives.

Simplify your edge deployment with Nodegrid

The Nodegrid line of integrated services routers delivers all-in-one edge networking, computing, security, and more. For more edge computing examples using Nodegrid, reach out to ZPE Systems today. Contact Us

Edge Computing vs Cloud Computing

by | Jun 12, 2024 | Application Hosting, Edge Computing, Micro-segmentation, Minimize Impact of Disruptions, Modernize Legacy Environments, Network Automation, Out of Band Management, Remote Network Management, SD-Branch, Secure Access Service Edge (SASE), Security Service Edge (SSE), Simplify Branch Infrastructure, Streamline Deployments, Vendor Neutral Platform, Zero Touch Provisioning (ZTP), Zero Trust Security

A factory floor with digital overlays showing edge computing data analysis dashboards

Both edge computing and cloud computing involve moving computational resources – such as CPUs (central processing units), GPUs (graphics processing units), RAM (random access memory), and data storage – out of the centralized, on-premises data center. As such, both represent massive shifts in enterprise network designs and how companies deploy, manage, secure, and use computing resources. Edge and cloud computing also create new opportunities for data processing, which is sorely needed as companies generate more data than ever before, thanks in no small part to an explosion in Internet of Things (IoT) and artificial intelligence (AI) adoption. This year, IoT devices alone are predicted to generate 80 zettabytes of data, much of it decentralized around the edges of the network. AI, machine learning, and other data analytics applications, meanwhile, require vast quantities of data (and highly scalable infrastructure) to provide accurate insights. This guide compares edge computing vs cloud computing to help organizations choose the right deployment model for their use case.

 Table of Contents

Defining edge computing vs cloud computing

Edge computing involves deploying computing capabilities to the network’s edges to enable on-site data processing for Internet of Things (IoT) sensors, operational technology (OT), automated infrastructure, and other edge devices and services. Edge computing deployments are highly distributed across remote sites far from the network core, such as oil & gas rigs, automated manufacturing plants, and shipping warehouses. Ideally, organizations use a centralized (usually cloud-based) orchestrator to oversee and conduct operations across the distributed edge computing architecture.

Diagram showing an example edge computing architecture controlled by a cloud-based edge orchestrator.

Reducing the number of network hops between edge devices and the applications that process and use edge data enables real-time data processing, reduces MPLS bandwidth costs, improves performance, and keeps private data within the security micro-perimeter. Cloud computing involves using remote computing resources over the Internet to run applications, process and store data, and more. Cloud service providers manage the physical infrastructure and allow companies to easily scale their virtual computing resources with the click of a button, significantly reducing operational costs and complexity over on-premises and edge computing deployments.

Examples of edge computing vs cloud computing

Edge computing works best for workloads requiring real-time data processing using fairly lightweight applications, especially in locations with inconsistent or unreliable Internet access or where privacy/compliance is a major concern. Example edge computing use cases include:

Cloud computing is well-suited to workloads requiring extensive computational resources that can scale on-demand, but that aren’t time-sensitive. Example use cases include:

The advantages of edge computing over cloud computing

Using cloud-based applications to process edge device data involves transmitting that data from the network’s edges to the cloud provider’s data center, and vice versa. Transmitting data over the open Internet is too risky, so most organizations route the traffic through a security appliance such as a firewall to encrypt and protect the data. Often these security solutions are off-site, in the company’s central data center, or, best-case scenario, a SASE point-of-presence (PoP), adding more network hops between edge devices and the cloud applications that service them.  This process increases bandwidth usage and introduces latency, preventing real-time data processing and negatively affecting performance, which is one of the main reasons why organizations are repatriating workloads from the cloud to on-prem.

Edge computing moves data processing resources closer to the source, eliminating the need to transmit this data over the Internet. This improves performance by reducing (or even removing) network hops and preventing network bottlenecks at the centralized firewall. Edge computing also lets companies use their valuable edge data in real time, enabling faster insights and greater operational efficiencies.

Edge computing mitigates the risk involved in storing and processing sensitive or highly regulated data in a third-party computing environment, giving companies complete control over their data infrastructure. It can also help reduce bandwidth costs by eliminating the need to route edge data through VPNs or MPLS links to apply security controls.

Edge computing advantages:

  • Improves network and application performance
  • Enables real-time data processing and insights
  • Simplifies security and compliance
  • Reduces MPLS bandwidth costs

The disadvantages of edge computing compared to cloud computing

Cloud computing resources are highly scalable, allowing organizations to meet rapidly changing requirements without the hassle of purchasing, installing, and maintaining additional hardware and software licenses. Edge computing still involves physical, on-premises infrastructure, making it far less scalable than the cloud. However, it’s possible to improve edge agility and flexibility by using vendor-neutral platforms to run and manage edge resources. An open platform like Nodegrid allows teams to run multiple edge computing applications from different vendors on the same box, swap out services as business needs evolve, and deploy automation to streamline multi-vendor edge device provisioning from a single orchestrator. A diagram showing how the Nodegrid Mini SR combines edge computing and networking capabilities on a small, affordable, flexible platform.

Diagram showing how the Nodegrid Mini SR combines edge computing and networking capabilities on a small, affordable, flexible platform.

Organizations often deploy edge computing in less-than-ideal operating environments, such as closets and other cramped spaces that lack the strict HVAC controls that maintain temperature and humidity in cloud data centers. These environments also typically lack the physical security controls that prevent unauthorized individuals from tampering with equipment, such as guarded entryways, security cameras, and biometric locks. The best way to mitigate this disadvantage is with an environmental monitoring system that uses sensors to detect temperature and humidity changes that could cause equipment failures as well as proximity alarms to notify administrators when someone gets too close. It’s also advisable to use hermetically sealed edge computing devices capable of operating in extreme temperatures and with built-in security features making them tamper-proof.

Cloud computing is often more resilient than edge computing because cloud service providers must maintain a certain level of continuous uptime to meet service level agreements (SLAs). Edge computing operations could be disrupted by network equipment failures, ISP outages, ransomware attacks, and other adverse events, so it’s essential to implement resilience measures that keep services running (if in a degraded state) and allow remote teams to fix problems without having to be on site. Edge resilience measures include Gen 3 out-of-band management, control plane/data plane separation (also known as isolated management infrastructure or IMI), and isolated recovery environments (IRE).

Edge computing disadvantages:

  • Less scalable than cloud infrastructure
  • Lack of environmental and security controls
  • Requires additional resilience measures

Edge-native applications vs cloud-native applications

Edge-native applications and cloud-native applications are similar in that they use containers and microservices architectures, as well as CI/CD (continuous integration/continuous delivery) and other DevOps principles.

Cloud-native applications leverage centralized, scalable resources to perform deep analysis of long-lived data in long-term hot storage environments. Edge-native applications are built to leverage limited resources distributed around the network’s edges to perform real-time analysis of ephemeral data that’s constantly moving. Typically, edge-native applications are highly contextualized for a specific use case, whereas cloud-native applications offer broader, standardized capabilities. Another defining characteristic of edge-native applications is the ability to operate independently when needed while still integrating seamlessly with the cloud, upstream resources, remote management, and centralized orchestration.

Choosing edge computing vs cloud computing

Both edge computing and cloud computing have unique advantages and disadvantages that make them well-suited for different workloads and use cases. Factors like increasing data privacy regulations, newsworthy cloud provider outages, greater reliance on human-free IoT and OT deployments, and an overall trend toward decentralizing business operations are pushing organizations to adopt edge computing. However, most companies still rely heavily on cloud resources and will continue to do so, making it crucial to ensure seamless interoperability between the edge and the cloud.

The best way to ensure integration is by using vendor-neutral platforms. For example, Nodegrid integrated services routers like the Gate SR provide multi-vendor out-of-band serial console management for edge infrastructure and devices, using an embedded Jetson Nano card to support edge computing and AI workloads. The ZPE Cloud management platform unifies orchestration for the entire Nodegrid-connected architecture, delivering 360-degree control over complex and highly distributed networks. Plus, Nodegrid easily integrates – or even directly hosts – other vendors’ solutions for edge data processing, IT automation, SASE, and more, making edge operations more cost-effective. Nodegrid also provides the complete control plane/data plane separation needed to ensure edge resilience.

Get edge efficiency and resilience with Nodegrid

The Nodegrid platform from ZPE Systems helps companies across all industries streamline their edge operations with resilient, vendor-neutral, Gen 3 out-of-band management. Request a free Nodegrid demo to learn more. REQUEST A DEMO

Edge Computing Architecture Guide

by | Jun 6, 2024 | Application Hosting, Edge Computing, Micro-segmentation, Minimize Impact of Disruptions, Modernize Legacy Environments, Network Automation, Out of Band Management, Remote Network Management, SD-Branch, Secure Access Service Edge (SASE), Security Service Edge (SSE), Simplify Branch Infrastructure, Streamline Deployments, Vendor Neutral Platform, Zero Touch Provisioning (ZTP), Zero Trust Security

Edge-computing-architecture-concept-icons-arranged-around-the-word-edge-computing
Edge computing is rapidly gaining popularity as more  organizations see the benefits of decentralizing data processing for Internet of Things (IoT) deployments, machine learning applications, operational technology (OT), AI and machine learning, and other edge use cases. This guide defines edge computing and edge-native applications, highlights a few key use cases, describes the typical components of an edge deployment, and provides additional resources for building your own edge computing architecture.

Table of Contents

What is edge computing?

The Open Glossary of Edge Computing defines it as deploying computing capabilities to the edges of a network to improve performance, reduce operating costs, and increase resilience. Edge computing reduces the number of network hops between data-generating devices and the applications that process and use that data, mitigating latency, bandwidth, and security concerns compared to cloud or on-premises computing.

A diagram showing the migration path from on-premises computing to edge computing, along with the associated level of security risk.

Image: A diagram showing the migration path from on-premises computing to edge computing, along with the associated level of security risk.

Edge-native applications

Edge-native applications are built from the ground up to harness edge computing’s unique capabilities while mitigating the limitations. They leverage some cloud-native principles, such as containers, microservices, and CI/CD (continuous integration/continuous delivery), with several key differences.

Edge-Native vs. Cloud-Native Applications

Edge-Native Cloud-Native
Topology Distributed Centralized
Compute Real-time processing with limited resources Deep processing with scalable resources
Data Constantly changing and moving Long-lived and at rest in a centralized location
Capabilities Contextualized Standardized
Location Anywhere Cloud data center

Source: Gartner

Edge-native applications integrate seamlessly with the cloud, upstream resources, remote management, and centralized orchestration, but can also operate independently as needed. Crucially, they allow organizations to actually leverage their edge data in real-time, rather than just collecting it for later processing.

Edge computing use cases

Nearly every industry has potential use cases for edge computing, including:

Industry Edge Computing Use Cases
Healthcare
  • Mitigating security, privacy, and HIPAA compliance concerns with local data processing
  • Improving patient health outcomes with real-time alerts that don’t require Internet access
  • Enabling emergency mobile medical intervention while reducing mistakes
Finance
  • Reducing security and regulatory risks through local computing and edge infrastructure isolation
  • Getting fast, localized business insights to improve revenue and customer service
  • Deploying AI-powered surveillance and security solutions without network bottlenecks
Energy
  • Enabling network access and real-time data processing for airgapped and isolated environments
  • Improving efficiency with predictive maintenance recommendations and other insights
  • Proactively identifying and remediating safety, quality, and compliance issues
Manufacturing
  • Getting real-time, data-driven insights to improve manufacturing efficiency and product quality
  • Reducing the risk of confidential production data falling into the wrong hands in transit
  • Ensuring continuous operations during network outages and other adverse events
  • Using AI with computer vision to ensure worker safety and quality control of fabricated components/products
Utilities/Public Services
  • Using IoT technology to deliver better services, improve public safety, and keep communities connected
  • Reducing the fleet management challenges involved in difficult deployment environments
  • Aiding in disaster recovery and resilience with distributed redundant edge resources

To learn more about the specific benefits and uses of edge computing for each industry, read Distributed Edge Computing Use Cases.

Edge computing architecture design

An edge computing architecture consists of six major components:

Edge Computing Components Description Best Practices
Devices generating edge data IoT devices, sensors, controllers, smartphones, and other devices that generate data at the edge Use automated patch management to keep devices up-to-date and protect against known vulnerabilities
Edge software applications Analytics, machine learning, and other software deployed at the edge to use edge data Look for edge-native applications that easily integrate with other tools to prevent edge sprawl
Edge computing infrastructure CPUs, GPUs, memory, and storage used to process data and run edge applications Use vendor-neutral, multi-purpose hardware to reduce overhead and management complexity
Edge network infrastructure and logic Wired and wireless connectivity, routing, switching, and other network functions Deploy virtualized network functions and edge computing on common, vendor-neutral hardware
Edge security perimeter Firewalls, endpoint security, web filtering, and other enterprise security functionality Implement edge-centric security solutions like SASE and SSE to prevent network bottlenecks while protecting edge data
Centralized management and orchestration An EMO (edge management and orchestration) platform used to oversee and conduct all edge operations Use a cloud-based, Gen 3 out-of-band (OOB) management platform to ensure edge resilience and enable end-to-end automation

Click here to learn more about the infrastructure, networking, management, and security components of an edge computing architecture.

How to build an edge computing architecture with Nodegrid

Nodegrid is a Gen 3 out-of-band management platform that streamlines edge computing with vendor-neutral solutions and a centralized, cloud-based orchestrator.

A diagram showing all the edge computing and networking capabilities provided by the Nodegrid Gate SR

Image: A diagram showing all the edge computing and networking capabilities provided by the Nodegrid Gate SR.

Nodegrid integrated services routers deliver all-in-one edge computing and networking functionality while taking up 1RU or less. A Nodegrid box like the Gate SR provides Ethernet and Serial switching, serial console/jumpbox management, WAN routing, wireless networking, and 5G/4G cellular for network failover or out-of-band management. It includes enough CPU, memory, and encrypted SSD storage to run edge computing workflows, and the x86-64bit Linux-based Nodegrid OS supports virtualized network functions, VMs, and containers for edge-native applications, even those from other vendors. The new Gate SR also comes with an embedded NVIDIA Jetson Orin NanoTM module featuring dual CPUs for EMO of AI workloads and infrastructure isolation.

Nodegrid SRs can also host SASE, SSE, and other security solutions, as well as third-party automation from top vendors like Redhat and Salt. Remote teams use the centralized, vendor-neutral ZPE Cloud platform (an on-premises version is available) to deploy, monitor, and orchestrate the entire edge architecture. Management, automation, and orchestration workflows occur over the Gen 3 OOB control plane, which is separated and isolated from the production network. Nodegrid OOB uses fast, reliable network interfaces like 5G cellular to enable end-to-end automation and ensure 24/7 remote access even during major outages, significantly improving edge resilience.

Streamline your edge deployment

The Nodegrid platform from ZPE Systems reduces the cost and complexity of building an edge computing architecture with vendor-neutral, all-in-one devices and centralized EMO. Request a free Nodegrid demo to learn more.

Click here to learn more!

DORA Act: 5 Takeaways For The Financial Sector

by | Mar 7, 2024 | Data Center Management, Data Center Resilience, Data Logging, Improve Network Security, Increase Productivity, Micro-segmentation, Minimize Impact of Disruptions, Modernize Legacy Environments, Monitoring & Reporting, Network Automation, Remote Network Management, User Management, Zero Touch Provisioning (ZTP), Zero Trust Security

Thumbnail – DORA Act 5 Takeaways for the Financial Sector

The Digital Operational Resilience Act (DORA) is a regulatory initiative within the European Union that aims to enhance the operational resilience of the financial sector. Its main goal is to prevent and mitigate cyber threats and operational disruptions. The DORA Act outlines regulatory requirements for the security of network and information systems “whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats” (DORA Act website).

Who and What Are Covered Under the DORA Act?

The DORA Act is a regulation that covers all financial entities within the European Union (EU). It recognizes the critical role of information and communication technology (ICT) systems in financial services. DORA applies to financial services including payments, securities, credit rating, algorithmic trading, lending, insurance, and back-office operations. It establishes a framework for ICT risk management through technical standards, which are being released in two phases, the first of which was published on January 17, 2024. The DORA Act will go into effect in its entirety on January 17, 2025.

With cyberattacks constantly in the news cycle, it’s no surprise that governing bodies are putting forth standards for operational resilience. But without combing through this lengthy piece of legislation, what should IT teams start thinking about from a practical standpoint? Here are 5 takeaways on what the DORA Act means for the financial sector.

DORA Act: 5 Takeaways for the Financial Sector

1. Shore-up your cybersecurity measures

The DORA Act emphasizes strengthening cybersecurity measures within the financial sector. It requires financial institutions, such as banks, stock exchanges, and financial infrastructure providers, to implement robust cybersecurity controls and protocols. These include adopting advanced authentication mechanisms, encryption standards, and network segmentation to protect sensitive financial data and critical infrastructure from cyber threats. Part of this will also require organizations to apply system patches and updates in a timely manner, which means automated patching will become necessary to every organization’s security posture.

2. Implement resilience systems

Operational resilience is a key focus area of the DORA Act, aiming to ensure the continuity of essential financial services in the face of cyber threats, natural disasters, and other operational disruptions. Financial institutions are required to develop comprehensive business continuity plans, establish redundant systems and backup facilities, and conduct regular stress tests to assess their ability to withstand and recover from various scenarios. Implementing a resilience system helps with this, as it provides all the infrastructure, tools, and services necessary to continue operating during major incidents.

3. Conduct regular scans for vulnerabilities

The DORA Act mandates financial institutions to implement robust risk management practices to identify, assess, and mitigate cyber risks and operational vulnerabilities. This includes conducting regular assessments, vulnerability scans, and penetration tests, and developing incident response procedures to quickly address threats. This is all part of taking a proactive approach to identify and mitigate cyber incidents, and reduce the impact that adverse events have on financial stability and consumer confidence.

4. Collaborate and share information with industry peers

The DORA Act encourages financial institutions to share cybersecurity threat intelligence, incident data, and best practices with industry peers, regulators, and law enforcement agencies. The ability to monitor systems and collect data will be crucial to this approach, and will require systems that can rapidly (and securely) deploy apps/services during ongoing incidents. This will help financial institutions to better understand emerging threats, coordinate responses to cyber incidents, and strengthen collective defenses against threats and operational disruptions.

5. Segment physical and logical systems to pass regular audits

Through the DORA Act, regulators are empowered to conduct regular assessments, audits, and inspections of systems. This will ensure that financial institutions are implementing adequate controls and safeguards to protect against cyber threats and operational disruptions. A crucial part to this will involve physical and logical separation of systems, such as through Isolated Management Infrastructure, as well as implementing zero trust architecture across the organization. These will help bolster resilience by eliminating control dependencies between management and production networks, which will also help to streamline audits.

Get the blueprint to help you comply with the DORA Act

DORA’s requirements are meant to help IT teams better protect sensitive data and the integrity of financial systems as a whole. But without a proper network management infrastructure, their production networks are too sensitive to errors and vulnerable to attacks. ZPE has created the blueprint that covers these 5 crucial takeaways outlined in the DORA Act. The architecture outlined in this blueprint has been trusted by Big Tech for more than a decade, as it allows them to deploy modern cybersecurity measures, physically and logically separated systems, and rapid recovery processes. Download the blueprint now.

Download blueprint

Zero Trust Edge Solutions: Continuing the Zero Trust Journey

by | Feb 28, 2024 | Application Hosting, Increase Productivity, Monitoring & Reporting, NetDevOps, Network Automation, Out of Band Management, Remote Network Management, Serial Consoles, Simplify Branch Infrastructure, Vendor Neutral Platform, Virtualization, Zero Touch Provisioning (ZTP)

A glowing shield with a 0 on it overlays a glowing map of the world to represent zero trust at the edge.

The zero trust security methodology follows the principle of “never trust, always verify,” which assumes that any account or device could be compromised and should be forced to continuously establish trustworthiness. This sounds like an extreme approach, but with the frequency of high-profile data breaches and ransomware attacks steadily increasing, security teams must pivot their approach away from prevention and toward damage mitigation and recovery. Zero trust security limits the lateral movement of compromised accounts on the network by establishing micro-perimeters around network resources that continually assess an account’s behavior for suspicious activity.

Organizations also must extend zero trust security policies and controls to remote business sites at their network’s edges, such as branches, Internet of Things (IoT) deployments, and home offices. Zero trust edge solutions are software platforms that provide networking, access, and security capabilities designed specifically for the edge. This guide explains what zero trust edge solutions do and the challenges involved in using them before discussing how to build a unified ZTE platform.

Table of contents

What are zero trust edge solutions?

A zero trust edge solution combines edge-centric security functionality with remote access and networking capabilities. ZTE’s core feature is zero trust network access (ZTNA), which securely connects remote users to enterprise applications and resources, similar to a VPN. ZTNA is more secure than VPNs because it only allows users to authenticate to one resource at a time and prevents them from seeing or accessing anything else until they re-establish their identity and credentials. ZTE’s other features and capabilities vary depending on the vendor and deployment type. ZTE solutions come in three different forms:

  • As a service: Companies can purchase ZTE functionality as a cloud-based, vendor-managed service. Remote users connect to regional points of presence (POPs) to reach the ZTE stack in the cloud before being routed to enterprise resources. This deployment style is easier to deploy for organizations with lots of users in the field but few (if any) physical edge locations to host security or networking solutions.
    .
  • With SD-WAN: Some ZTE providers combine zero-trust features with software-defined wide area networking (SD-WAN) capabilities. SD-WAN creates a virtual network overlay that’s decoupled from the underlying WAN infrastructure, enabling centralized control and automation. Packaging ZTE and SD-WAN together helps organizations consolidate their tech stack at physical edge sites like branches, warehouses, and manufacturing plants while still offering ZTNA to work-from-home and field employees.
    .
  • Build your own: Since there are very few mature ZTE providers on the market, and it can be difficult to find pre-made solutions with all the features needed for complex, distributed edge networks, many teams opt to build their own platform by combining tools from multiple vendors. Typically, these organizations have physical branches with existing WAN infrastructure that they use as regional POPs to host ZTNA and other security solutions.

Why build your own ZTE solution?

If pre-made solutions exist, why would companies go through the hassle of creating their own zero trust edge platform? Presently, there aren’t any “complete” ZTE solutions that offer full, zero-trust protection for branches and other physical edge sites.

For example, many ZTE platforms don’t protect management ports on the control plane, leaving critical edge infrastructure like servers, switches, and power distribution units (PDUs) exposed to cybercriminals. Additionally, branch ZTE solutions rely upon production network infrastructure, so if there’s an outage or ransomware attack, remote management teams are completely cut off from troubleshooting and recovery. These solutions also lack helpful edge networking features like fleet management and automation, and their closed ecosystems limit the ability to extend their capabilities.

Building your own zero trust edge platform allows you to combine all the security, networking, and management functionality you need to get full security coverage and streamline branch operations. The key to creating a robust and efficient ZTE solution is starting with a vendor-neutral platform that can unify the entire security architecture.

How Nodegrid simplifies ZTE

Nodegrid edge networking solutions from ZPE Systems provide the perfect vendor-neutral platform for integrated zero trust edge deployments. All-in-one edge gateway routers deliver a full stack of branch networking capabilities, including out-of-band (OOB) management. OOB creates a dedicated control plane on an isolated network so remote teams have continuous access to manage, troubleshoot, and repair edge infrastructure.

Nodegrid protects the management interfaces on the OOB network with robust, zero trust security processes and controls. For example, the encryption keys for each Nodegrid device are destroyed after provisioning so that only the public key is accessible when needed for authentication to our cloud. Nodegrid devices also use the Trusted Platform Module (TPM) as a hardware security module to prevent cybercriminals from tampering with the configuration or storage.

Our platform runs on the Linux-based, x86 Nodegrid OS, which supports VMs and Docker containers for third-party applications. That means you can deploy ZTNA, SD-WAN, and other zero trust edge solutions without purchasing or managing additional hardware at each branch. Nodegrid’s OOB and failover functionality ensure those security and access solutions remain operational during ISP outages, ransomware attacks, and other disruptions. Teams can also run their favorite tools for automation, troubleshooting, and recovery on the Nodegrid platform, streamlining edge operations and ensuring their toolbox is available on the OOB network. Nodegrid also simplifies fleet management with true zero-touch provisioning to securely and automatically deploy configurations at edge business sites.

Want to unify your zero trust edge solutions with Nodegrid?

Nodegrid provides a robust, vendor-neutral platform to unify and extend your zero trust edge capabilities. Request a free demo to see Nodegrid in action. Watch Demo

What to do if You’re Ransomware’d: A Healthcare Example

by | Feb 28, 2024 | Data Logging, Improve Network Security, Micro-segmentation, Minimize Impact of Disruptions, Network Automation, Out of Band Management, User Management, Virtualization, Zero Touch Provisioning (ZTP), Zero Trust Security

What to do if youre ransomwared

This article was written by James Cabe, CISSP, a 30-year cybersecurity expert who’s helped major companies including Microsoft and Fortinet.

Ransomware gangs target the innocent and vulnerable. They hit a Chicago hospital in December 2023, a London hospital in October the same year, and schools and hospitals in New Jersey as recently as January 2024. This is one of the biggest reasons I’m committed to stopping these criminals by educating organizations on how to re-think and re-architect their approach to cybersecurity.

In previous articles, I discussed IMI (Isolated Management Infrastructure) and IRE (Isolated Recovery Environments), and how they could have quickly altered outcomes for MGM, Ragnar Locker victims, and organizations affected by the MOVEit vulnerability. Using IMI and IRE, organizations find that the key to not only speedy recovery, but also to limiting the blast radius and attack persistence, is isolation.

Why is isolation (not segmentation) key to ransomware recovery?

The NIST framework for incident response has five steps: Identify, Protect, Detect, Respond, and Recover. It’s missing a crucial step, however: Isolate. Stay tuned for a full breakdown of this in my next article. But the reason this is so critical is because attacks move at machine speed, and are very pervasive and persistent. If your management network is not fully isolated from production assets, the infection spreads to everything. Suddenly, you’re locked out completely and looking at months of tedious recovery. For healthcare providers, this jeopardizes everything from patient care to regulatory compliance.

Isolation is integral to building a resilience system, or in other words, a system that gives you more than basic serial console/out-of-band access and instead provides an entire infrastructure dedicated to keeping you in control of your systems — be it during a ransomware attack, ISP outage, natural disaster, etc. Because this infrastructure is physically and virtually isolated from production (no dependencies on production switches/routers, no open management ports, etc.), it’s nearly impossible for attackers to lock you out.

So, what really should you do if you’re ransomware’d? Let’s walk through an example attack on a healthcare system, and compare the traditional DR (Disaster Recovery) response to the IMI/IRE approach.

Ransomware in Healthcare: Disaster Recovery vs Isolated Recovery

Suppose you’re in charge of a hospital’s network. MDIoT, patient databases, and DICOM storage are the crown jewels of your infrastructure. Suddenly, you discover ransomware has encrypted patient records and is likely spreading quickly to other crown jewel assets. The risks and potential fallout can’t be understated. Millions of people are depending on you to protect their sensitive info, while the hospital is depending on you to help them avoid regulatory/legal penalties and ensure they can continue operating.

The problem with Disaster Recovery

Though the word ‘recovery’ is in the name, the DR approach is limited in its capacity to recover systems during an attack. Disaster Recovery typically employs a couple things:

  • Backups, which are copies of data, configurations, and code that are used to restore a production system when it fails.
  • Redundancy, which involves duplicating critical systems, services, and applications as a failsafe in the event that primaries go down (think cellular failover devices, secondary firewalls, etc.).

What happens when you activate your DR processes? It’s highly likely that you won’t be able to, and that’s because the typical DR setup relies on the production network. There’s no isolation.

Think about it this way: your backup servers need direct access to the data they’re backing up. If your file servers get pwned, your backup servers will, too. If your primary firewall gets hacked, your secondary will, too. The problem with backup and redundancy systems — and any system, for that matter — is that when they depend on the underlying infrastructure to remain operational, they’re just as susceptible to outages and attacks. It’s like having a reserve parachute that depends on the main parachute.

And what about the rest of your systems? You just discovered the attack has encrypted your servers and is quickly bringing operations to a crawl. How are you going to get in and fight back? What if you try to log into your management network, only to find that you’re locked out? All of your tools, configurations, and capabilities have been compromised.

This is why CISA, the FBI, US Navy, and other agencies recommend implementing Isolated Management Infrastructure.

IMI and IRE guarantee you can fight back against ransomware

You discover that the ransomware has spread. Not only has it encrypted data and stopped operations, but it has also locked you out of your own management network and is affecting the software configurations throughout the hospital. This is where IMI (Isolated Management Infrastructure) and IRE (Isolated Recovery Environment) come in.

Because IMI is physically separate from affected systems, it guarantees management access so teams can set up communication and a temporary ‘war room’ for incident response. The IRE can then be created using a combination of cellular, compute, connectivity, and power control (see diagram for design and steps). Docker containers should be used to bring up each step.

Diagram showing a chart containing the systems and open-source tools that can be deployed for an Isolated Recovery Environment

Image: The infrastructure and incident response protocol involved in the Isolated Recovery Environment. These products were chosen from free or open source projects that have proven to be very useful in each of these stages of recovery. These can be automated in pieces for each phase, and then be brought down via Docker container to eliminate the risk of leakage or risk during each phase.

Without diving too far into the technicalities, the IRE enables you to recover survivable data, restore software configurations, and prevent reinfection. Here are some things you can do (and should do) in this scenario, courtesy of the IRE:

Establish your war room

You can’t fight ransomware if you can’t securely communicate with your team. Use the IRE to create offline, break-the-glass accounts that are not attached to email. This allows you to communicate and set up ticketing for forensics purposes.

Isolate affected systems

There’s no use running antivirus if reinfection can occur. Use the IRE to take offline the switch that connects the backup and file servers. Isolate these servers from each other and shut down direct backup ports. Then, you can remote-in (KVM, iKVM, iDRAC) to run antivirus and EDR (Endpoint Detection and Response).

Restore data and device images

The key is to have backup data at its most current, both for patient data and device/software configurations. Because the IRE provides an isolated environment, and you’ve already pulled your backups offline, you can gradually restore data, re-image devices, and restore configurations without risking reinfection. The IRE ensures devices “keep away” from each other until they can be cleansed and recovered.

Things You’ll Need To Build The IMI and IRE

Network Automation Blueprint

We’ve created a comprehensive blueprint that shows how to implement the architecture for IMI and IRE. Don’t let the name fool you. The Network Automation Blueprint covers everything from establishing a dedicated management network, to automating deployment of services for ransomware recovery. Get your PDF copy now at the link below.

Download blueprint

Gen 3 Console Servers To Replace End-of-Life Gear

It’s nearly impossible to build the IMI or deploy the IRE using older console servers. That’s because these only give you basic remote access and a hint of automation capabilities. You’ll still need the ability to run VMs and containers. Gen 3 console servers let you do all of the things for IMI and IRE, like full control plane/data plane separation, hosting apps, and deploying VMs/containers on-demand. They’ve also been validated by Synopsys and have built-in security features I’ve been talking about for years. Check out the link below for resources about Gen 3 and how we’ll help you upgrade.

Upgrade to Gen 3

Get in touch with me!

I’d love to talk with you about IMI, IRE, and resilience systems. These are becoming more crucial to operational resilience and ransomware recovery, and countries are passing new regulations that will require these approaches. Get in touch with me via social media to talk about this!