Understanding the edgeEngine Security Framework
Purpose
The purpose of this document is to describe the security architecture of edgeEngine, particularly with regard to access permissions and data security.
Intended Readers
The intended readers of this document are software developers, system engineers, application architects, deployment and security personnel, as well as other technical professionals who want to understand the details of the edgeEngine Security Framework.
What You Will Learn from this Document
After reading this document, you will:
- Understand the general security framework of the edgeEngine ecosystem
- Understand how security tokens protect access to microservices on devices running the edgeEngine Runtime
- Understand how data is secured and protected during information exchanges between microservices in an edgeEngine cluster
What You Need to Know Before You Start
In order to get the full benefit from reading this document, you need to have:
- An understanding of the general principles of network security
- An understanding of the edgeEngine Runtime and how it supports microservices
The Essentials of edgeEngine Security
The edgeEngine Runtime secures access to, and communication between, microservices in two ways. First, a unique Access Token is required to interact with the edgeEngine Service Mesh at all: a client presents the token to discover edgeEngine-enabled nodes and devices within a hybrid edge cloud, and, once a node has been discovered, presents the same Access Token to work with the microservices on that node. Without a valid token, neither discovery nor microservice access is possible.
Second, all communication between microservices in an edgeEngine-enabled Hybrid edgeCloud is conducted over encrypted data exchange channels. Encrypting and decrypting the data exchanged between microservices requires the Access Token that is unique to the particular edgeEngine device, so data received from a microservice cannot be read without that device's token.
Using Security Tokens to access an edgeEngine microservice
The particulars of the Access Token are discussed in the Key Concepts section, Understanding edgeEngine Tokens.
Understanding edgeEngine Data Encryption
As mentioned previously, all data exchanged between microservices is encrypted. Developers use the edgeEngine Context Object to decrypt data received from a microservice running under the edgeEngine Runtime. (The particulars of the edgeEngine Context Object are discussed in the Key Concepts section, Understanding the edgeEngine Context Object.)
The following code snippet shows how the edgeEngine Context Object is used to decrypt data:
```javascript
// Decrypt the encrypted node data returned by a microservice, using the
// device's Access Token, then return the plaintext JSON to the caller.
context.edge.decryptEncryptedNodesJson({
  type: 'local',        // cluster type
  data,                 // encrypted data received from the API
  token,                // Access Token for this device
  success: function(result) {
    // result.data is a JSON string; parse and pretty-print it in the response
    response.end(JSON.stringify(JSON.parse(result.data), null, 2));
  },
  error: function(err) {
    // decryption failed (for example, a missing or invalid token)
    response.end(err.message);
  }
});
```
WHERE
- type indicates the cluster type
- data is the encrypted data received from an API running under the edgeEngine Runtime
- token is the Access Token for the particular device
- success is the JavaScript function that will process the decrypted data in result.data
- error is the JavaScript function that will process an error that's raised when executing decryptEncryptedNodesJson
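The following is an added example, not code from the edgeEngine documentation or the mimik SDK. It wraps the callback-style decryptEncryptedNodesJson call in a Promise so it can be awaited inside a request handler, refuses to call the runtime without an Access Token, and parses result.data exactly once so callers receive an object rather than a JSON string. Because the real Context Object exists only inside the edgeEngine Runtime, the example includes a constructed stand-in context whose "decryption" is a lookup keyed on the token; that stand-in, the sample ciphertext and plaintext strings, and the helper names decryptNodesJson and demo are assumptions made so the example runs offline, and say nothing about how the runtime actually encrypts data.

```javascript
// Added example: Promise wrapper around the callback-style
// context.edge.decryptEncryptedNodesJson() call documented on this page.
// The option names (type, data, token, success, error) and the result.data
// field come from the documentation; everything else here is an assumption.

function decryptNodesJson(context, { type = 'local', data, token }) {
  return new Promise((resolve, reject) => {
    // Fail fast instead of handing the runtime an empty token or payload.
    if (typeof token !== 'string' || token.length === 0) {
      reject(new Error('Access Token is required to decrypt node data'));
      return;
    }
    if (typeof data !== 'string' || data.length === 0) {
      reject(new Error('No encrypted data supplied'));
      return;
    }
    context.edge.decryptEncryptedNodesJson({
      type,
      data,
      token,
      // result.data is a JSON string: parse it here, once, and surface a
      // parse failure as a rejection rather than an uncaught exception.
      success: (result) => {
        try {
          resolve(JSON.parse(result.data));
        } catch (e) {
          reject(new Error('Decrypted payload is not valid JSON: ' + e.message));
        }
      },
      error: (err) => reject(err),
    });
  });
}

// Constructed stand-in for the edgeEngine Context Object so this file runs
// outside the runtime. It does NOT implement the real cipher: it releases the
// stored plaintext only when the caller presents the token the sample was
// "encrypted" for, and calls error() otherwise.
const DEVICE_TOKEN = 'constructed-device-access-token';
const SAMPLE_CIPHERTEXT = 'constructed-opaque-ciphertext';
const SAMPLE_PLAINTEXT = JSON.stringify({
  data: [{ id: 'node-1', name: 'lab-device', addresses: [{ type: 'local' }] }],
});

const fakeContext = {
  edge: {
    decryptEncryptedNodesJson({ type, data, token, success, error }) {
      if (type !== 'local') {
        error(new Error('unsupported cluster type: ' + type));
      } else if (data === SAMPLE_CIPHERTEXT && token === DEVICE_TOKEN) {
        success({ data: SAMPLE_PLAINTEXT });
      } else {
        error(new Error('decryption failed'));
      }
    },
  },
};

// Exercise the success path, a wrong token, and a missing token.
// Returns a summary object so the outcome can be checked programmatically.
async function demo() {
  const nodes = await decryptNodesJson(fakeContext, {
    data: SAMPLE_CIPHERTEXT,
    token: DEVICE_TOKEN,
  });

  let wrongTokenError = null;
  try {
    await decryptNodesJson(fakeContext, { data: SAMPLE_CIPHERTEXT, token: 'other-token' });
  } catch (e) {
    wrongTokenError = e.message;
  }

  let missingTokenError = null;
  try {
    await decryptNodesJson(fakeContext, { data: SAMPLE_CIPHERTEXT, token: '' });
  } catch (e) {
    missingTokenError = e.message;
  }

  return {
    nodeCount: nodes.data.length,
    firstNodeId: nodes.data[0].id,
    wrongTokenError,
    missingTokenError,
  };
}

demo().then((summary) => console.log(JSON.stringify(summary, null, 2)));
```

Inside a real microservice you would pass the runtime's actual context object and the device's Access Token instead of the stand-in; the wrapper itself does not change. Note that the wrapper never logs the token or the ciphertext, and that a wrong token surfaces through the documented error callback rather than as an exception thrown out of the handler.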
[MORE TO COME]