The rise of the internet of things (IoT) is bringing a proliferation of endpoint devices and a multiplication in volumes of data. And just like any data, IoT-produced data is subject to legal and regulatory compliance. It may, however, be under the radar of existing compliance teams’ scrutiny.
In this podcast, Mathieu Gorge, CEO of Vigitrust, talks about the ways IoT data can be sensitive to compliance requirements, including to GDPR, and about how to ensure you map and classify that data, plus tools that can help.
Antony Adshead: What’s new in IoT?
Mathieu Gorge: I think it’s fair to say that IoT devices are spreading. There are more and more connected devices everywhere we look. And we find now that those devices are actually in the office, and in public places – not just at home where the whole IoT concept started.
So, each of those devices is creating data – structured and mostly unstructured. We have more and more data to deal with, and this includes data that is not necessarily being dealt with by compliance and storage teams, which is creating a number of challenges.
In addition to that, IoT devices are now being linked to artificial intelligence (AI). One of the issues here is that a number of devices are being trained, so to speak, to become independent, responsive and autonomous. This means they are creating yet more data, and again even more unstructured data that we may or may not have plans to deal with.
So, we end up creating a lot of sensitive data, and although it is not obvious if you look at behavioural devices – devices that map your geo-location, how you behave within your organisation and within the business, within buildings and so on – we end up with all that accumulated data that is not necessarily on the radar screen, so that’s creating a number of headaches for security and compliance.
Adshead: What are the effects of new developments in IoT on storage and compliance?
Gorge: So, pretty much the same as any other type of assets, you need to map your IoT devices and understand the role the device plays within the environment, whether it is at home or in the office.
All of those devices will create different types of data and, as mentioned, a lot of that data is unstructured, so you need to make sure you understand where the data might be located.
Is it stored on the device, or on the application that the device is connected to? And does it end up being stored on the cloud that you may or may not have any control over, which actually creates a number of security issues and privacy issues?
For instance, if you look at GDPR, it mandates that you take appropriate security measures to protect data pertaining to data subjects. So, if some of the data – for instance, behavioural data – is at risk because you haven’t mapped it and don’t know where it is and you don’t control it and you don’t secure it, then you’re not technically taking appropriate security measures.
Remember that GDPR requires you to have privacy by design. So, if you design an application that is linked to IoT devices, the overall ecosystem you provide for customers must ensure that you protect information pertaining to data subjects.
Again, in case of a data breach, if you need to go back to find out, for instance, that one of the devices, one of the IoT devices was the root cause of the breach, then do you keep access to the logs linked to that device, do you know who accessed the device, do you know the last good state of the device, have you a way to do deep behavioural analysis on what happened with the device and with the data that it was collecting, processing, transmitting or even potentially restructuring?
So, that’s why we’re seeing the rise of new solutions that are essentially aimed at understanding what’s happening with all of those devices, for instance with some new technology from a company called Cybereason that is very interesting in looking at how you can manage all those devices.
So, I think we will see a lot more new players on that front, and their role will be to manage the IoT landscape, allowing you to essentially understand how you can remain compliant and how you should store the data that is created by this new environment that we clearly haven’t mastered just yet.