The GDPR (General Data Protection Regulation) provides organisations that process data through cloud services with some unique challenges and opportunities.
The GDPR aims primarily to give control back to citizens and residents over their personal data, and it will begin to take effect on 25 May 2018.
Before talking about the GDPR obligations, let us talk a little bit about the cloud shared responsibility model:
From the above table it is easier to understand that both the customer and the cloud service provider have clear responsibilities.
The cloud service provider is responsible for the physical protection (and data centre locations) and over the infrastructure layers (beside the operating system in IaaS model).
The customer is the data owner, and as such, he is responsible for access permissions and auditing. On IaaS and PaaS models, the customer is also responsible for the application layer in terms of access controls, hardening and configuration, encryption, etc.
This model is important to understand, because the GDPR has specific requirements that the cloud service provider is not responsible for, and any organisation storing/processing private data, needs to be aware of and prepare accordingly in-order to be compliant with the GDPR.
Main GDPR requirements related to cloud services:
• Know the location where cloud applications are processing or storing data.
Perform an inventory of all your organisation cloud services and compare them with the cloud service provider’s official web sites, regarding compliance with the GDPR. For example:
Microsoft – https://goo.gl/v7YVMj
AWS – https://goo.gl/SGuVTY
Google – https://goo.gl/hqnnGR
IBM – https://goo.gl/pJA75Y
Oracle – https://goo.gl/43xu2E
Salesforce – https://goo.gl/vDcRT1
Use discovery tools, to locate where sensitive (GDPR related personal data) is located on your cloud services. For example:
Microsoft Azure Data Catalog – https://goo.gl/qu7g4J
• Protect personal data:
Use strong authentication (Multi-factor authentication). For example:
Microsoft – https://goo.gl/7oEHyt
AWS – https://goo.gl/4PjD9W
Google – https://goo.gl/KnzcN4
Monitor security incidents. For example:
Microsoft – https://goo.gl/rPv2ju
AWS – https://goo.gl/46TXsX
Encrypt data at rest. For example:
AWS – https://goo.gl/vkFBnj
Google – https://goo.gl/6QF9Gf
Oracle – https://goo.gl/ixNeQs
Salesforce – https://goo.gl/XTQvYA
Control who has access to your data in the cloud. For example:
Microsoft – https://goo.gl/jTKfcU
Oracle – https://goo.gl/RGErBo
• Data processing agreement (DPA):
Sign a data processing agreement with the cloud service providers, to make sure they properly protect personal data and they commit not to move data outside the EU. For example:
Microsoft – https://goo.gl/tJVQG1
AWS – https://goo.gl/b53Vui
Google – https://goo.gl/JzRqgA
Salesforce – https://goo.gl/yR94Aw
Check the compliance of the cloud service provider against known security standards. For example:
Microsoft – https://goo.gl/qVNUwB
AWS – https://goo.gl/vCUjhP
Google – https://goo.gl/2463Sk
Salesforce – https://goo.gl/9y2ZJY
IBM – https://goo.gl/cL19qW
Eyal Estrin is a Cloud Security Architect.
He is the owner of the blog Security 24/7.
He has more than 20 years of experience in the IT and information security field.
Follow him at @eyalestrin