
Encryption at the Edge: The Holy Grail of Security, Customer Protection and Data Residency

Caleb Moore

13 July 2023
Just a few short years ago, encryption was something special that we might have consciously applied to particularly sensitive files. We might see the HTTPS “lock” icon appear next to the login URL of our banking website and know that something critical is happening.

Today encryption has spread to everything, including meme generators, online quizzes, and Twitter. Probably some, or all, of your devices have their entire storage systems encrypted. You may even be accessing an encrypted website right now, over an encrypted VPN, over an encrypted Wi-Fi or mobile connection, and for each layer your device will dutifully encrypt the already-encrypted data and the device on the other end will decrypt it, all without any human really knowing or caring about it.

Encryption has become ubiquitous and almost banal. And you’d expect your security and fraud prevention company to be using encryption. So what?

What most encryption provides is session-based security. A sender and a receiver on a network agree on a key for one connection, or you log in to your PC and the keys to your disk become available to the programs running on it. The protection is tied to a specific time and place: the data cannot be intercepted between the endpoints of the session, but at each endpoint it is available in the clear to whatever runs there.

We chose to do things differently at Darwinium. When data is encrypted, it stays encrypted. And we only use a truly anonymized version of that encrypted data.

In terms of a security and fraud prevention solution that is designed to automatically detect fraud and abuse, knowing the actual names, addresses, phone numbers and emails of real people isn’t even particularly useful. The software only cares about the context, not the actual values. All it ever needs is a highly anonymized version of the personal data designed to preserve relationships.

In an ideal scenario, this threat detection is enough and the data’s usefulness ends there.

However, should the case ever need to be investigated by a real human, this is not sufficient. The original personal data needs to be preserved so that if the situation arose, an investigator authorized by the data’s owner could contact the parties involved and coordinate with permitted third parties such as law enforcement.

The point is, however, that although this personal data may be needed in the future, it isn’t needed by the fraud prevention vendor. Ever. Only by the data owner / permitted third parties authorized by the law and the data owner.

In fact, even the potential for a fraud prevention vendor to be able to view personally identifiable information (PII) in the clear is a liability. Data breaches are an omnipresent feature in global news, and the reality is that wherever personal data is present in computer memory, there is always the potential for accidental leakage.

This could happen through careless logging, improper classification or incorrect processing. Data could even be exposed in debugging artefacts such as core dumps, and no development or operational process can fully rule this out.

Darwinium has taken a privacy-by-design approach to this problem, to future-proof the solution against the risk of data leakage. The obvious solution is public-key cryptography: data is encrypted to the customer's public key, so we can encrypt it without ever holding the private key that would let us decrypt it.

But the next question becomes, where should this encryption take place?

Darwinium is unique in that it is designed to perform most of its important work within Content Delivery Networks (CDNs) via edge workers. CDNs are services that bring copies of websites closer to their users. CDN edge worker platforms are an extension of this concept that brings the software that runs websites closer to these users too.

Darwinium removes the complexity of deploying edge solutions across CDN providers with different capabilities. It is worth noting, however, that CDN providers take different approaches to how edge workers are executed. Businesses should ask their CDN provider whether it natively supports Rust or WebAssembly, as this allows Darwinium capabilities to be compiled directly into edge workers.

The game changer here is that Darwinium has moved data classification, encryption and anonymization into these edge workers – protecting our customers, their end users, and their personal data.

The advantages of this approach are:
  • The use of CDNs is ubiquitous amongst medium to large websites, however, unencrypted data will always be present within a website that is collecting PII. By encrypting data on the edge, in front of web traffic, businesses are better protected from the risk of exposing unencrypted data.
  • Because data is encrypted on the edge, within third-party CDNs, it never reaches Darwinium in the clear: there is no Darwinium log or debugging tool that could accidentally expose personal data.
  • CDNs by their very nature, have a network of servers and data centers that are geographically located nearer to an end user. This means that encrypted data can remain within that user’s geographical jurisdiction and directed to a designated local data server or sent to the business’s own S3 bucket.
  • Only the business that owns this personal data has the appropriate keys to decrypt it.
  • Darwinium uses a fully anonymized version of this data that can be processed globally for security and fraud prevention purposes. The original data is not recoverable from it.

In summary, by encrypting PII on the edge, the businesses we serve can better protect the security of their end users' personal data while complying with data residency regulations. Darwinium only ever handles a truly anonymized version of this data, so even a future attack on today's encryption would yield nothing from our ecosystem.
