Many writings about GDPR is beginning with an introduction to scope, responsibility, accountability and the sanctions with its extremely high fines. Total Cloud Consulting is examining the general question whether Amazon Web Services (AWS) unleashes or ties the companies during their preparation for General Data Protection Regulation (GDPR).
We must emphasize that GDPR is about compliance and not just simply a matter of security in the cloud. By that any vendors’ marketing brochure providing single, one-stop-shop for all GDPR related issues should be handled with doubts in our mind. If a company must comply with GDRP, its primary goal is simply to ’comply’, meaning to be able to provide evidence to the supervisory authority.
Although the regulation contains some technical phrases (e.g. encryption and pseudonymizing in Art 6.), it is clearly not a question of applied technology. When dealing with GDPR we can use cloud to provide a compliant environment for our data, and most probably can create a collection of useful tools to help us to be compliant. From the perspective of clouds Art. 25 (Data Protection by Design or by Default), Art. 20 (Data Portability) and Art. 33 (Data Breaches) are especially important.
In case of cloud services we should not forget shadow IT, a part of corporate IT infrastructure operating without the approval, support (or even knowledge) of corporate IT. Storage spaces like Dropbox, Google drive or cloud applications are relevant in GDPR, therefore, data lifecycle must be managed by processes accordingly.
AWS and GDPR
Separating the responsibility
We must highlight: If we avoid information processing (handling, storing) of Personally Identifiable Information (PII) in the cloud, we have no GDPR issue in the cloud. The simplest way to comply is applying non-PII processing microservices in the cloud and let backend systems to process it and be in-scope to GDPR.
Any services at AWS applies the so-called shared responsibility model. According to that, AWS is responsible for the security of regions, zones, server and the running operating systems on them, while the customer retains control of what security measures they choose to implement to protect their own content, networks, applications, firewall configurations, encryption keys etc.
In case of GDPR the provider follows the same rule. AWS’s Data Processing Addendum (DPA) includes commitments to be GDPR compliant on the service providers’ side. In its technology and industry background of AWS leverages CISPE code of conduct (see cispe.cloud), a codex created by a group representing cloud infrastructure providers across Europe. CISPE pushes the customers' responsibility toward being a data processor whenever it is possible. In return, we gain a lot: if we are PII data processors applying AWS services during the data processing lifecycle, we automatically will get evidence of the GDPR compliance of those resources. A basic example is an in-house Security Incident and Event Monitoring (SIEM) system, to which those cloud based services can provide input - from sources automatically compliant and auditable.
From an architectural point of view, we must spot that AWS offers solutions on per usage base, which would be extremely expensive if we had to implement them in the form of a project at an on-premise location, and we have to take care about the maintenance (support) of those solutions as well. During a project access control is a continuous pain. The multi-factor authentication offered by AWS, the possibility of object based access control, geo-location based storage of data and other mechanism are built-in tools in AWS, which provides evidence of compliance during the whole project lifecycle.
SIEM will have a key role in GDPR compliance. Asset management, configuration management, the CloudTrail auditing tools and security analytics or logging any activity related to PII mean fundamental sources of information. Having an insight of network traffic flows (flow logs), which really is a useful feature, usually available only on perimeter security devices, and analyzing the internal traffic flows usually remains an expensive dream project.
- Encryption - AWS key management
One of the most important techniques GDPR itself suggests as a tool to address proper compliancy is encryption. The proper encryptions algorithms and tool are available for data at rest or in transit, and the central key management is also available at AWS. To add more: we have an opportunity to use a dedicated Hardware Security Module (HSM).
All AWS services are under continuous control regarding compliance, security and assurance programs assessed by a third-party, independent auditors and result in a certification, audit report, or attestation of compliance.
Any items those must be acquired due to the GDPR compliancy, automatically bring up the question: Should I invest money because I must make my previous investments compliant, or should I provide compliancy of those elements by applying services?
Let us remember: a GDPR compliant system must be audited to prove and provide evidence about its compliancy, periodically and in case of modifications, which results a recurring due and cost. The cost pressure of GDPR automatically draws our attention to cloud technologies.
- GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
- It becomes enforceable from 25 May 2018.
- The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
- It will replace the data protection directive (officially Directive 95/46/EC) from 1995.
- Individual country regulations will be replaced. Decreasing trust in data handling and processing became an explicit handicap in digital economy that affected business actors as well.
- A single set of rules will apply to all EU member states. Each member state will establish an independent Supervisory Authority (SA) to hear and investigate complaints, sanction administrative offences, etc. SAs in each member state will cooperate with other SAs, providing mutual assistance and organizing joint operations.
- Sanctions can be imposed from a warning in writing in cases of first and non-intentional non-compliance to a fine up to 20000000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise.
- Development of compliant systems – without regards to the company profile – is not cheap.
- Any company or institution based on a service provider’s audited, compliant services, is expected to be more effective and has less duties regarding this compliance.
- AWS is a service provider of this kind.
Why Total Cloud Consulting?
The experts at Total Cloud Consulting help you in being GDPR compliant with optimal costs by providing continuous compliancy. Our goal is proving that digital economy really can boost business productivity.