Separating the control plane from the data plane
Running a security-free network is not an option, but most network-based tools have not yet caught up to the GDPR. Innovation is often born from necessity; thus, attributes like IP addresses, device identifiers, geographic location, and user credentials form the basis for many current technologies’ security policies and enforcement decisions. It could be years before product makers change how they address security control in the face of EU mandates.
You don’t need to wait for your vendors to catch up or pay hefty sums of money to lawyers and/or data protection officers to advise on the best strategies to protect (and identify, audit, or remove) personal data in your systems. Edgewise has already leveled the playing field, allowing companies to balance privacy, security, and GDPR requirements. Edgewise does not rely on IP addresses, ports, or protocols—potential personally identifying information—to make access control decisions and prevent adversaries from accessing private data. We’ve moved the control plane away from the network layer and onto networked assets themselves—applications, hosts, and services. Cryptographic properties of network resources constitute the resources’ “identities,” which means that attributes like IP address don’t necessarily need to be used as an identifier.
This method allows Edgewise to move control decisions closer to the assets targeted for breach or likely to leak information—for instance, applications and databases containing consumer or employee information—without infringing upon the personal data of the user requesting access to the resource. Further, as a microsegmentation technology that isn’t dependent on network information or user data, Edgewise security is ever-present in ephemeral environments like cloud, serverless, or container architectures. This means that organizations can be confident that the data they’re storing or processing on EU citizens is protected from unauthorized access, tampering, or improper use, even when the network changes.
Reducing cybersecurity regulatory burden
Cybersecurity and data privacy regulations like GDPR place a data governance burden on organizations. Even if your company is not subject to GDPR (e.g., the company does not do any business in the EU; any information collected from an EU citizen visiting your site is immediately deleted or destroyed), it’s likely that similar regulations in your region already exist or are on the near horizon. Consequently, it’s advisable to implement technologies and processes that do not encroach upon the very regulations they’re trying to enforce.
Contact Edgewise today to learn more about how our technology protects your networks and applications without relying on personally identifiable information.