Edge Computing & Security: Rethinking Compliance & Data Protection in a Mobile-First Environment

Use the phrase “enterprise IT,” and most people will think about desktops. An army of beige machines that stored our data, ran our applications and held our email; they existed for decades, tended by armies of systems administrators. However, use of IT today is no longer solely linked to specific machines sitting on desks; the growth of mobile and remote working means that users have more options on what devices they use, how they use them and where they get work done.

This overall shift can be described as a move to “edge computing” where the focus is on the devices that employees use rather than centrally controlled IT assets and services. Work is carried out on mobile phones, tablets and laptops rather than IT managed desktops; the data that these tasks create often remains on those devices, rather than being stored centrally inside the traditional corporate security boundary. 

The move to cloud applications rather than on-premise versions might seem like an opportunity to bring those services back to the center. However, they actually represent another “edge,” as these apps are run by third-party organizations and public cloud providers.

For IT teams, dealing with multiple devices per user can be difficult, especially when it comes to data protection and security. Desktop virtualization technologies can help centralize management and reduce headaches, while still meeting the needs of users for more flexibility. However, these approaches can add more back-end complexity for IT.

At this point, it is worth evaluating whether to try and recapture the genie in the bottle at all. Rather than playing catch-up with end-users working on multiple devices and trying to apply central IT management approaches to edge data, it’s more important to match security requirements to data at the point of creation. This requires a new approach to data protection processes.

Forging Ahead on Compliance and Information Management
Part of this data governance paradigm shift is accepting that IT doesn’t currently know everything. Users often create copies of files to work on remotely or while they are travelling, then share those versions with colleagues via file sharing services like Dropbox. These copies of data can be incredibly valuable in their own right, yet will the IT team be able to track their existence when those laptops hardly ever come on to the network?

According to research by iGov Survey, these cloud applications don’t get as much attention from IT as they should – in the UK, 30% of local government organizations felt they could adequately track sensitive data being used within cloud services, while only 23% of those in NHS IT could track data. As more services move to running in the cloud compared to running inside a company’s data center, this ability to track data over time will be more critical.

The release of the final version of the European Union’s General Data Protection Regulation (GDPR) should help this process, as all files containing customer data have to be adequately managed and protected. While IT can ensure that the right rules and processes are in place around centrally held data, files at the edge can be more problematic.

Tracking the lifecycle of all information across the business will have to change in order to keep up. Spotting new files that might contain customer data can help, regardless of where those files are getting created. By looking for specific strings of data that can represent customer records or other sensitive information within files as they are created, files can be automatically flagged for protection centrally.

By automating the process of identifying files that may contain sensitive information like personal health information (PHI), personally identifiable information (PII) and confidential Intellectual Property (IP) data, the IT team can quickly assess and take action around non-compliance on end-user data that would be covered by compliance requirements.
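The kind of content check described above can be sketched as follows. This is an added example, not code from the article or from any product: the two patterns (payment card numbers and NHS numbers), the function names and the sample bytes are assumptions chosen for illustration. Checksum validation keeps random digit runs from being flagged.

```python
import hashlib
import re

# Illustrative patterns (assumptions): 16-digit payment cards and 10-digit NHS numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
NHS_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def nhs_ok(digits):
    """Modulus 11 check digit used by NHS numbers."""
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - total % 11
    check = 0 if check == 11 else check
    return check != 10 and check == int(digits[9])

def classify(text):
    """Return (label, masked value) pairs; checksums filter out random digit runs."""
    findings = []
    for label, pattern, valid in (("payment_card", CARD_RE, luhn_ok),
                                  ("nhs_number", NHS_RE, nhs_ok)):
        for match in pattern.finditer(text):
            digits = re.sub(r"\D", "", match.group())
            if valid(digits):
                # Keep only the last four digits so the report is not itself sensitive.
                findings.append((label, "*" * (len(digits) - 4) + digits[-4:]))
    return findings

def flag_record(name, data):
    """Build the record an endpoint agent could send to a central service."""
    findings = classify(data.decode("utf-8", errors="replace"))
    return {"file": name, "sha256": hashlib.sha256(data).hexdigest(),
            "sensitive": bool(findings),
            "labels": sorted({label for label, _ in findings}),
            "findings": findings}

# Constructed sample: one valid and one invalid value of each kind.
SAMPLE = (b"Patient 943 476 5919, card 4111 1111 1111 1111, "
          b"ticket 943 476 5918, order 4111 1111 1111 1112\n")

if __name__ == "__main__":
    print(flag_record("visit-notes.txt", SAMPLE))
```

The record carries a content hash and masked matches rather than the values themselves, so the central flag does not become another copy of the sensitive data.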

This approach is different to traditional data compliance methods that concentrate on ensuring that central data is protected. However, capturing the data that people create at the edge is not enough on its own. It’s also important to understand how these files might be audited, for example by looking at the work that an end-user carried out around a file that was on a lost or stolen device, alongside the security process put in place.

Saving a copy of that file centrally has to be complemented with accurate metadata on all the actions that took place around the file as well. In this example, knowing when the file was created and what changes were made over time can help ensure that all the required steps for security were in place around that sensitive data, which would assist during an audit or compliance event.

Similarly, this audit trail can help with GDPR compliance around the destruction of data. If a customer asks for their data to be deleted, and that request is reasonable, then the data should be destroyed. However, many companies would find it difficult to prove that all copies of that data had actually been deleted. The record may remain in a copy of the data that is stored on a mobile device, or within a copy of a file used for archives.

For the staff responsible for GDPR compliance in the future, not having that accurate overview of all data would represent a serious risk. Without this insight, it would be impossible for them to state that adequate steps had been taken to destroy data where it was required for this to take place. Equally, the archived copy of a file that retained that customer record may have to remain in place to meet other information compliance requirements internally, so finding the right balance here will be a challenge over time.

Looking ahead, the process for managing the lifecycle of data will have to adapt to the wider spread of data across organizations. The use of more mobile devices and cloud applications will force IT to think about how to track information, data and files as they are created, used and saved for the future. Taking a more proactive approach to tracking the lifecycle of information can help.
