With GDPR coming into force later this month, security and compliance will be the top-most priority for any cloud deployment that contains personal data of EU citizens.
While leading providers have moved to make their platforms and services compliant, ensuring compliance requires more than just technology. Companies will also need to invest time and resources to prepare internal cloud teams to correctly and effectively design secure, auditable, and traceable cloud solutions that also meet the demands of your business. Here are 4 steps to get your cloud deployments GDPR ready for compliance.
#1 Make sure your cloud partners are GDPR compliant
In the cloud, the entire security framework operates under a shared responsibility model between the provider and the customer.
From an infrastructure perspective, the cloud service provider is responsible for providing a secure cloud environment, from their physical presence to the underlying resources that provide compute, storage, database, and network services.
Customers who import data and utilize the provider’s services are responsible for using them to design and implement their own security mechanisms such as access control, firewalls (both at the instance and network levels), encryption, logging, and monitoring.
Under GDPR, both customers (as controllers who define how and why personal data is collected) and cloud providers (as processors who manage, process, or store personal data on behalf of the controller) must be compliant.
Enterprises should make sure that their cloud partners and any third party that processes, manages, or stores personal data of EU citizens on their behalf have the proper compliance and controls in place.
#2 Audit your systems for personal data
Personally identifiable information (PII) as defined by GDPR includes a range of data types, from names, email addresses, and phone numbers, to photos, genetic data, and IP addresses. But how much of the personal data that you store is actually required for your business?
GDPR is an opportunity to take a critical look at the types of data you collect and why. Use cloud services like AWS’s Amazon Macie to audit and assess the type of data currently in your data stores and determine which ones will be impacted by GDPR. Do they contain data that is outdated or personal data that is unnecessary for your business? Take this opportunity to redefine your processes for the type of data that you will collect going forward.
#3 Put proactive security services in place
A cloud security breach is more than just the loss of data. Exposed S3 buckets and other high-profile breaches that left millions of pieces of PII exposed in 2017 could prove fatal for a business under the new regulations. Under GDPR, a breach that results in exposure of personal data could result in fines of up to 4% of annual turnover or €20 million.
GDPR is an opportunity for companies to implement broader, more comprehensive cloud security and data protection in your deployments at every level. Amazon Web Services, Microsoft Azure, and Google Cloud Platform each have a range of services in place to support your security and compliance requirements. These include:
- Access: Identity and access management (IAM) mechanisms allow you to provide granular levels of permissions to any given user, group, and service. Multi-factor authentication should also be used for any user with an elevated set of permissions.
- Encryption: Encryption should be used where possible for any data at rest and in transit. Encryption in transit should be used when transferring data to and from the cloud and when moving data between internal cloud services using protocols such as TLS (Transport Layer Security). The leading cloud service providers offer specific services that allow you to manage data encryption: AWS’s Key Management Service, Microsoft Azure’s Key Vault, and Google Cloud Platform’s Cloud Key Management Service.
- Monitoring: Use monitoring services to identify changes in the environment, security loopholes, noncompliant resources, malicious activity, irregular trends, or brute force attacks. AWS has a range of services including CloudTrail and Amazon CloudWatch, Azure has Monitor and the Azure Security Center, while Google offers Stackdriver and Cloud Security Scanner.
- Threat detection: Specific services that analyze log data—for data flows, events, DNS—are designed to identify threats. New “intelligent” services such as AWS GuardDuty assesses log data against multiple security feeds to detect suspicious activity in traffic, malicious URLs, etc.
#4 Empower teams for compliance
A regulation as far-reaching as GDPR will impact your organization at the technology, process, and people levels. A shared understanding by your teams of the regulation and how it impacts your organization from the point of view of technology and the business will be an essential component of your compliance efforts.
- Make sure your planning addresses your GDPR training needs for both the general concepts and the required skills and experience that teams will need to implement the appropriate levels of compliance and security in your cloud services.
- Start by instilling a culture of transparency around adherence to security best practices in each organizational unit that touches any cloud initiative.
- Identify any skill gaps and implement measurable, performance-driven training plans to keep skill development on track.
- Create a continuous training strategy to ensure that team knowledge and skills stay ahead of the next disruption and that teams are up to date with the latest vendor releases, privacy policies, and best practices.
A best practices approach will be key to get your cloud deployments GDPR ready and to prepare for any security and compliance challenges that your business will face.