Skip to main content

4 Best Practices to Get Your Cloud Deployments GDPR Ready

With GDPR coming into force later this month, security and compliance will be the top-most priority for any cloud deployment that contains personal data of EU citizens.

While leading providers have moved to make their platforms and services compliant, ensuring compliance requires more than just technology. Companies will also need to invest time and resources to prepare internal cloud teams to correctly and effectively design secure, auditable, and traceable cloud solutions that also meet the demands of your business. Here are 4 steps to get your cloud deployments GDPR ready for compliance.

#1 Make sure your cloud partners are GDPR compliant

In the cloud, the entire security framework operates under a shared responsibility model between the provider and the customer.

From an infrastructure perspective, the cloud service provider is responsible for providing a secure cloud environment, from their physical presence to the underlying resources that provide compute, storage, database, and network services.

Customers who import data and utilize the provider’s services are responsible for using them to design and implement their own security mechanisms such as access control, firewalls (both at the instance and network levels), encryption, logging, and monitoring.

Under GDPR, both customers (as controllers who define how and why personal data is collected) and cloud providers (as processors who manage, process, or store personal data on behalf of the controller) must be compliant.

To date, AWS, Google Cloud, Microsoft Azure have announced their compliance (in the case of AWS) and of their commitment to GDPR (Google and Microsoft) by the May 25 deadline.

Enterprises should make sure that their cloud partners and any third party that processes, manages, or stores personal data of EU citizens on their behalf have the proper compliance and controls in place.

#2 Audit your systems for personal data

Personally identifiable information (PII) as defined by GDPR includes a range of data types, from names, email addresses, and phone numbers, to photos, genetic data, and IP addresses. But how much of the personal data that you store is actually required for your business?

GDPR is an opportunity to take a critical look at the types of data you collect and why. Use cloud services like AWS’s Amazon Macie to audit and assess the type of data currently in your data stores and determine which ones will be impacted by GDPR. Do they contain data that is outdated or personal data that is unnecessary for your business? Take this opportunity to redefine your processes for the type of data that you will collect going forward.

#3 Put proactive security services in place

A cloud security breach is more than just the loss of data. Exposed S3 buckets and other high-profile breaches that left millions of pieces of PII exposed in 2017 could prove fatal for a business under the new regulations. Under GDPR, a breach that results in exposure of personal data could result in fines of up to 4% of annual turnover or €20 million.

GDPR is an opportunity for companies to implement broader, more comprehensive cloud security and data protection in your deployments at every level. Amazon Web Services, Microsoft Azure, and Google Cloud Platform each have a range of services in place to support your security and compliance requirements. These include:

  • Access: Identity and access management (IAM) mechanisms allow you to provide granular levels of permissions to any given user, group, and service. Multi-factor authentication should also be used for any user with an elevated set of permissions.
  • Encryption: Encryption should be used where possible for any data at rest and in transit. Encryption in transit should be used when transferring data to and from the cloud and when moving data between internal cloud services using protocols such as TLS (Transport Layer Security). The leading cloud service providers offer specific services that allow you to manage data encryption: AWS’s Key Management Service, Microsoft Azure’s Key Vault, and Google Cloud Platform’s Cloud Key Management Service.
  • Monitoring: Use monitoring services to identify changes in the environment, security loopholes, noncompliant resources, malicious activity, irregular trends, or brute force attacks. AWS has a range of services including CloudTrail and Amazon CloudWatch, Azure has Monitor and the Azure Security Center, while Google offers Stackdriver and Cloud Security Scanner.
  • Threat detection: Specific services that analyze log data—for data flows, events, DNS—are designed to identify threats. New “intelligent” services such as AWS GuardDuty assesses log data against multiple security feeds to detect suspicious activity in traffic, malicious URLs, etc.

#4 Empower teams for compliance

A regulation as far-reaching as GDPR will impact your organization at the technology, process, and people levels. A shared understanding by your teams of the regulation and how it impacts your organization from the point of view of technology and the business will be an essential component of your compliance efforts.

  • Make sure your planning addresses your GDPR training needs for both the general concepts and the required skills and experience that teams will need to implement the appropriate levels of compliance and security in your cloud services.
  • Start by instilling a culture of transparency around adherence to security best practices in each organizational unit that touches any cloud initiative.
  • Identify any skill gaps and implement measurable, performance-driven training plans to keep skill development on track.
  • Create a continuous training strategy to ensure that team knowledge and skills stay ahead of the next disruption and that teams are up to date with the latest vendor releases, privacy policies, and best practices.

A best practices approach will be key to get your cloud deployments GDPR ready and to prepare for any security and compliance challenges that your business will face.

Written by

Stuart is the AWS content lead at Cloud Academy where he has created over 40 courses reaching tens of thousands of students. His content focuses heavily on cloud security and compliance, specifically on how to implement and configure AWS services to protect, monitor and secure customer data and their AWS environment.

Related Posts

— May 7, 2018

AWS Summit London 2018: Our Top Picks

Cloud Academy is proud to be a sponsor of AWS Summit London coming up May 9-10 at the ICC, ExCeL, London.Join us in booth S24, Level 1 where our AWS experts will be on hand to answer your questions and walk you through our latest content and newest platform features.Book a meeting w...

Read more
  • AWS Summits
  • GDPR
  • Security
— April 26, 2018

Top Cloud Skills in Demand for 2018: Big Data, AI, Machine Learning

Cloud is a pathway to innovation. Where yesterday’s cloud deployments were about moving an on-premises infrastructure in your data center to a cloud environment, companies today are using cloud platforms to build new features for their products and services that are integrated at a soft...

Read more
  • Big Data
  • GDPR
  • Machine Learning & AI
— March 26, 2018

GDPR Compliance: Low Cost, Zero-Friction Action Items

George Gerchow is Chief Security Officer at Sumo Logic and Adjunct Honorary Lecturer at Cloud Academy. View the on-demand recording of our recent webinar, Establishing a Privacy Program: GDPR Compliance & Beyond with Mr. Gerchow and Jen Brown, Data Protection Officer at Sumo Logic....

Read more
  • GDPR
  • Security