Edge, Fog Or Cloud? How The Internet Of Things Is Shaking Up How – And Where – Data Are Handled
Your fridge orders milk when you run low. Your thermostat kicks back on minutes before you return home. Your voice changes a channel or a music playlist.
Enter the world of connected devices, or the Internet of Things (IoT). The IoT market shows no signs of slowing. McKinsey & Company estimates that the worldwide economic impact of the Internet of Things could reach $11.1 trillion by 2025. Meanwhile, Gartner forecasts 20 billion IoT connected devices by 2020.
As more devices connect and more data are collected and processed – an important question arises: Where is it handled? The IoT is making it possible for many applications to process data closer to where their point of collection at the “edge” or in a local area network of IoT devices in the “fog” rather than in the central “cloud.” So why is the “where” important? It all comes down to speedy task processing. For the user, tasks processed nearer the source of the data – at the edge or in the fog – can be accomplished more quickly.
There’s another compelling reason for processing data at the edge or in the fog: increased data security and user privacy protection. Yet even though data are most secure when processed nearest the point at which they’re collected, the security threat surrounding the IoT is rising rapidly. Breaches of smart devices are increasing dramatically, exposing data and threatening user privacy. According to Kaspersky Lab, attacks on smart devices tripled in 2018.
Each new IoT breach highlights security regulations governing the devices. In September 2018, California became the first U.S. state to pass legislation governing IoT devices. As the story often goes in the tech industry, policy is often slow to catch up with innovation. Yet more security regulations are no doubt coming, and everyone involved with IoT devices – whether creating, selling or using them – must anticipate the impact of new regulations.
With more connected devices, risk of breach grows. Earlier this year, a well-publicized string of hacks of a popular home security system led the manufacturer to strengthen the system’s security settings.
In this environment, it’s not surprising to see consumers growing more concerned about their data. In February 2019, several consumer advocacy groups bypassed the manufacturers of IoT devices to call on retailers to ensure the security of the IoT products they sell.
Where Data Are Processed: Edge, Fog Or Cloud
Eric Boyum, managing director and practice leader of U.S. Technology & Communications at Aon, notes the importance of where data are processed and questions of liability should a possible breach occur.
Privacy and security issues around IoT are forcing companies to consider where the data captured by IoT devices are processed, says Boyum. Is it at the edge, where the distributed device performs computational activity at the source of the data, or in the cloud, where data are transmitted to and processed at a centralized data center? Since data at work (processing), data in motion (transmission) and data at rest (storage) all present a different risk environment, “What the computational environment looks like changes the risk,” Boyum explains.
The nature of the task often dictates the best place to process the information. For example, asking your device to play a song or determine the best route to a destination transmits data to the cloud. But devices changing the channel on your television or autonomous vehicles deciding how to avoid possible accidents are tasks best served by the immediacy of processing data at the edge.
The fog has its own best uses, acting as the arbiter that “decides” whether a set of data is processed at the local edge or the unrestricted cloud. Consider an industrial process based on a collection of IoT-enabled devices. Data collected from the edge by the various devices can be processed in the fog, which can then direct the various edge devices to make adjustments as needed to optimize the process.
Boyum notes that as the IoT continues to boom, many companies will have interest in the data the connected devices can capture. The evolving regulatory environment, however, might prompt many to pause and reconsider privacy issues dependent upon where the data are captured.
California’s new IoT security law requires makers of internet-connected devices to ensure the device has “reasonable” security features to protect the device and the data it gathers from unauthorized access. The European Union’s General Data Privacy Regulation (GDPR) sets strict data protection requirements for companies collecting individuals’ data in any fashion, as well as significant penalties for businesses found in violation.
“Companies have thought about cloud computing for a while,” says Boyum. “But now they have to think about data security and network security at the edge, the complexities the fog brings and what data to keep or not to keep.”
New Privacy Regulations, New Challenges
The developing regulatory approach to data privacy and security can be a challenging one for businesses. “Regulations tend to trail the development of technology,” Boyum observes.
In light of California’s new IoT data security law, as well as the broader California Consumer Privacy Act enacted in 2018, many technology companies have begun pushing for national privacy and security regulations in the U.S. to avoid dealing with regulations on a state-by-state basis.
“There are practical business reasons why companies would prefer broader regulations,” says Boyum. “If a U.S.-based company processes a European citizen’s data, they are subject to the California Consumer Privacy Act as well as GDPR.” There’s a cost associated with complying with different sets of regulations. With greater uniformity among regulatory authorities – or at least more consistency – compliance and business operations can become easier.
That sort of national regulation might soon be a reality in the U.S. In January 2019, the U.S. Government Accountability Office submitted a report to Congress suggesting it develop data privacy regulations similar to the EU’s GDPR.
The EU’s GDPR presents its own challenges to companies using and selling IoT technologies, not the least of which is the requirement for opt-in consent by users whose data are collected. Some suggest that the best way to approach compliance is to focus on handling as much data as possible at the edge rather than gathering it in the cloud.
The European Telecommunications Standards Institute (ETSI) recently recommended a global baseline standard for IoT security. Proponents believe the standard would make it easier for IoT-device manufacturers and providers to comply with GDPR requirements.
As companies anticipate and address the regulatory environment developing around IoT privacy, they must consider the specifics of their business models. “An area of developing law can be a very challenging place for companies to do business,” Boyum says.
“It’s not what industry you’re in – it’s what you do, how you do it, for whom you do it, where you do it and at what scale you do it,” says Boyum. “All those things are going to matter when you look at what your exposures are to issues around data, data privacy and security.”
Blending A Physical World With A Digital Future
Today’s connected world is not geographically constrained – what happens in one part of the world can easily affect another. As IoT becomes more pervasive and organizations become more reliant on technology to move business forward, Stephanie Snyder, senior vice president and commercial strategy leader of Cyber Solutions at Aon, suggests all companies should think of themselves as technology companies. Properly understanding the various associated risks, from regulatory compliance to data protection, is imperative to helping to keep organizations safe.
Boyum agrees: “Each new technology changes the one that preceded it. And with that change across laws and privacy, our entire environment is subject to change.”