The recent EdgeX Foundry release, “California”, was the first to introduce security features built right into the platform. Operating on the edge means deploying hardware and running software outside the confines of well managed data centers, making IoT devices more vulnerable to exploitation by hackers. Our new security features make it easier to keep your data safe even when deploying solutions in insecure or untrusted environments.
The two new security services introduced in this release are the Security Secret Store, and the Security API Gateway. Between them they allow you to safely store sensitive information, such as encryption keys or authentication credentials, and restrict access to the data being processed by EdgeX to only authorized users and applications.
Security Secret Store
The Security Secret Store allows microservices to safely store and retrieve sensitive data that is only accessible after the secret store has been unlocked by an authorized service. Your secrets are encrypted both on disk (Consul backend) and during transport (TLS 1.2) to and from the Security Secret Store, ensuring that only the microservices that are authorized to access it can do so.
EdgeX Foundry uses Vault, by Hashicorp, as the reference implementation of the Security Secret Store. Vault provides a well tested secret storage solution with a failover architecture and flexible levels of control over access.
Security API Gateway
EdgeX Foundry is composed of a number of microservices that communicate with one another using standard networking protocols. This allows for a great amount of flexibility in how you deploy parts of the stack in your solution, but it also directly exposes the microservices to anybody who can connect to them. The new Security API Gateway provides a way for you to restrict outside access to your data by acting as a middleware between external applications and the EdgeX platform, requiring authentication before forwarding commands or read requests on to the relevant microservices.
EdgeX Foundry uses Kong as the reference implementation for the Security API Gateway.
For more information:
If you have questions or comments, visit the EdgeX Rocket.Chat and share your thoughts in the #community channel.