The course is part of this learning path
This course provides an introduction to the learning path: GDPR - Using AWS Compliance Enabling Services
It covers an overview of why GDPR is important to your organization, as well as an insight into the content of the learning path, identifying the different AWS services that will be discussed.
About the Author
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data centre and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 50+ courses relating to Cloud, most within the AWS category with a heavy focus on security and compliance.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.
Hello and welcome to this learning path where I shall be introducing you to a number of AWS services that you can implement and configure to help you maintain GDPR compliance.
As you have already started this learning path, you are probably already familiar with what GDPR is and why it matters. However, as an introduction to this learning path, I want to highlight some information surrounding GDPR before we start looking at specific AWS services to help you enforce it.
What is GDPR? It stands for General Data Protection Regulation, the European Union's data protection regulation, which is effective from the 25th of May 2018. This regulation replaces the 1995 Data Protection Directive and the national laws built on it (in the UK, the Data Protection Act 1998). While there is a lot of focus on the fines that businesses could face for noncompliance, it's important for companies to understand all of the ways the new regulation will impact your organization and the way you do business.
Who must comply? If your organization collects or processes the personal data of individuals located in the European Union, your organization will be required to comply with the GDPR, even if you're based outside the EU. Note that the regulation applies to data subjects in the EU, not only to EU citizens.
What data is included? Within GDPR definitions, the list of information deemed as personal has grown significantly compared with the previous regime (the 1995 Data Protection Directive and, in the UK, the Data Protection Act 1998). In addition to names and email addresses, social media posts, a computer's IP address, photos, medical information, and anything that can be used to identify a person, either directly or indirectly, may be considered personal data under GDPR.
Will it impact how data is processed? GDPR will impact any procedures that define how, when, and why specific data is collected and retained. In addition to the new procedures, you'll also need to know how to deal with requests such as the right to be forgotten, formally known as the right to erasure. Under GDPR, individuals may request to have any personal data that you store and process on them removed and erased from all of your systems, with some exceptions. In practice this means you need to know where personal data lives in every backup, replica, log and analytics store, not just the primary database.
How are data controllers and data processors affected by GDPR? Organizations that act as controllers and processors of data will both be bound by GDPR requirements. A data controller is the party that defines how personal data is collected and why, and data processors are parties that process the personal data on the controller's behalf. You'll want to conduct a thorough assessment to understand the security policies of any third parties classified as data processors for your organization.
What happens if a breach occurs? If any personal data is compromised in a security breach, you are required to report the data breach to your data protection authority within 72 hours of your organization becoming aware of it, and to inform the affected individuals where the breach is likely to result in a high risk to their rights and freedoms. Being able to meet the 72-hour window depends on having the detection, logging and alerting in place beforehand; this is where the services covered in this learning path come in. Huge fines may be incurred for any breach that is not communicated to the relevant data protection authority.
What is the cost of noncompliance? Failure to comply with GDPR legislation could result in huge financial penalties. Depending on the violation, the supervisory authority (in the UK, the Information Commissioner's Office, ICO) can impose fines of up to 4% of your organization's global annual turnover or up to 20 million euros, whichever is greater.
It's clear to see that understanding how your environment can remain compliant with GDPR is key to your business. So how can AWS help you with maintaining your compliance with GDPR? On the 26th of March 2018, AWS announced that all of its services are GDPR ready, meaning that the services themselves meet the required levels of security and privacy needed to be used under this regulation. To learn more about this announcement, you can view the AWS blog post. Although all AWS services are GDPR ready, that does not by itself make your workload compliant: under the shared responsibility model, the data you store and how you configure, monitor and audit access to it remain your responsibility. There are a number of key services that can help your business meet compliance within your own environment, governing the data that you store that might fall under the umbrella of GDPR-related data. These services specifically allow you to enable compliance through various security, auditing, alerting, monitoring, and reporting features that help you enforce the stringent security and compliance controls that must be adhered to when storing personal data.
This learning path has been designed specifically to introduce you to five of these services, allowing you to understand what they are used for and how to configure them, as well as giving you an awareness of their features to help you implement and maintain your own levels of security as required. The first of these services is AWS CloudTrail.
AWS CloudTrail is a service whose primary function is to record and track the AWS application programming interface, API, requests made in your account. These API calls can be programmatic requests initiated by a user using an SDK or the AWS Command Line Interface, the CLI, requests made from within the AWS Management Console, or even requests made by another AWS service on your behalf. For example, if a user initiates a ListBuckets request or a DeleteSecurityGroup request, these API requests are recorded by CloudTrail as events, each containing additional metadata such as the identity of the caller, their source IP address, and a timestamp. Note that object-level S3 operations and Lambda invocations are data events that must be explicitly enabled on a trail before CloudTrail records them.
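As an added example (not code from the course or from AWS), the block below parses a set of constructed CloudTrail records with the standard record fields (eventTime, eventName, eventSource, sourceIPAddress, userIdentity) and builds the kind of audit view a GDPR reviewer wants: which principal performed which sensitive action, from where, and when. The set of watched actions and the trusted corporate network range are assumptions chosen for the example; the account ID, ARNs, IP addresses and times in the sample records are made up.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample of a CloudTrail log file (the real file is a JSON object with a
# "Records" list). Field names follow the CloudTrail record format; values are made up.
SAMPLE_TRAIL = json.dumps({
    "Records": [
        {"eventVersion": "1.05", "eventTime": "2018-05-25T09:14:02Z",
         "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
         "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
         "userAgent": "aws-cli/1.15.0",
         "userIdentity": {"type": "IAMUser", "userName": "alice",
                          "arn": "arn:aws:iam::111122223333:user/alice"}},
        {"eventVersion": "1.05", "eventTime": "2018-05-25T09:20:45Z",
         "eventSource": "ec2.amazonaws.com", "eventName": "DeleteSecurityGroup",
         "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
         "userAgent": "console.ec2.amazonaws.com",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
         "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
        {"eventVersion": "1.05", "eventTime": "2018-05-25T09:31:10Z",
         "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
         "awsRegion": "eu-west-1", "sourceIPAddress": "config.amazonaws.com",
         "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"}},
        {"eventVersion": "1.05", "eventTime": "2018-05-25T10:02:33Z",
         "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
         "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.22",
         "userAgent": "aws-sdk-java/1.11.300",
         "userIdentity": {"type": "IAMUser", "userName": "alice",
                          "arn": "arn:aws:iam::111122223333:user/alice"},
         "requestParameters": {"bucketName": "customer-records", "key": "eu/4711.json"}},
    ]
})

# Assumed: actions on personal-data stores that belong in the GDPR audit trail.
# This is an illustrative list for the example, not an AWS-defined set.
WATCHED_ACTIONS = {"DeleteSecurityGroup", "DeleteObject", "PutBucketAcl", "GetObject"}

# Assumed corporate egress range; human-initiated calls from elsewhere get flagged.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def actor_of(record):
    """Return a short principal label from the record's userIdentity block."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AWSService":
        # Calls made by an AWS service carry the service name, not a user ARN.
        return "service:" + ident.get("invokedBy", "unknown")
    return ident.get("arn") or ident.get("userName") or "unknown"


def parse_trail(raw_json):
    """Flatten a CloudTrail log file into plain dicts with a parsed UTC timestamp."""
    events = []
    for r in json.loads(raw_json)["Records"]:
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "time": ts.replace(tzinfo=timezone.utc),
            "actor": actor_of(r),
            "source_ip": r.get("sourceIPAddress", ""),
            "service": r.get("eventSource", ""),
            "action": r.get("eventName", ""),
            "region": r.get("awsRegion", ""),
            "params": r.get("requestParameters") or {},
        })
    return events


def watched_events(events, watched=WATCHED_ACTIONS):
    """Events whose API action is on the watched list (the audit trail proper)."""
    return [e for e in events if e["action"] in watched]


def untrusted_sources(events, trusted=TRUSTED_NETWORKS):
    """Human-initiated calls whose source IP is outside the trusted ranges."""
    flagged = []
    for e in events:
        if e["actor"].startswith("service:"):
            continue  # sourceIPAddress is a service DNS name here, not an IP
        try:
            ip = ipaddress.ip_address(e["source_ip"])
        except ValueError:
            flagged.append(e)  # an unparsable origin is itself worth a look
            continue
        if not any(ip in net for net in trusted):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    evs = parse_trail(SAMPLE_TRAIL)
    for e in watched_events(evs):
        print(f"{e['time'].isoformat()} {e['actor']} {e['action']} {e['params']}")
    for e in untrusted_sources(evs):
        print(f"UNTRUSTED ORIGIN: {e['source_ip']} -> {e['actor']} {e['action']}")
```

The DeleteObject on the constructed "customer-records" bucket is exactly the kind of event you would keep as evidence of fulfilling an erasure request, while the security-group deletion from an address outside the trusted range is the kind of thing you would want raised as an alert rather than discovered in a later review.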
Amazon Macie. This service provides an automatic method of detecting, identifying, and classifying the data that you are storing on Macie-enabled storage services, such as Amazon S3. The service is backed by machine learning, allowing your data to be actively reviewed as different actions are taken. Machine learning can spot access patterns and user behavior by analyzing CloudTrail event data to alert against any unusual or irregular activity. Any findings made by Amazon Macie are presented within a dashboard and can trigger alerts, allowing you to quickly resolve any potential threat of exposure or compromise to your data.
Amazon GuardDuty. This is a regional intelligent threat detection service, the first of its kind offered by AWS, which allows users to monitor their AWS account for unusual and unexpected behavior by analyzing AWS CloudTrail event logs, VPC Flow Logs, and DNS logs. It then assesses the data from those logs against multiple security and threat intelligence feeds, looking for anomalies and known malicious sources such as IP addresses and domains. Because it is regional, it must be enabled in every region you use, not just the ones you deploy into.
AWS Config. This service provides a way of performing the following: capturing resource changes within your environment; acting as a resource inventory; storing configuration history for individual resources; providing a snapshot in time of current resource configurations; notifying you when a change has occurred on a resource; providing information on who made the change and when, through AWS CloudTrail integration; enforcing rules that check the compliance of your resources against specific controls; performing security analysis within your AWS environment; and providing relationship information between your resources.
Amazon Inspector. This is a managed service that is used to help you find security vulnerabilities within your EC2 instances and any applications running on them during any stage of development and deployment. This is automatically achieved through a series of assessments against specified resources, based on hundreds of best practices and known security weaknesses covering common vulnerabilities and exposures, CVEs, the Center for Internet Security Benchmarks, Security Best Practices, and Runtime Behavior Analysis.
Feedback on our learning paths here at CloudAcademy is valuable both to us as trainers and to any students looking to take the same learning path in the future. If you have any feedback, positive or negative, it would be greatly appreciated if you could contact firstname.lastname@example.org. That brings me to the end of this introduction.
Let me now introduce you to our first service, AWS CloudTrail, which is integrated into many of the other services discussed within this learning path.