Is your cloud GDPR compliant?
25th May 2018, Friday is nothing less scary for many as Friday the 13th. Well, at least for those who are struggling to meet the compliance requirements of GDPR.
It was revealed in the RSA Conference 2018 that 97 percent of worldwide IT professionals are using some type of cloud service. It further revealed that more than 80% organizations store sensitive data on public cloud. Right from customer information, information about IPs, network pass cards, personal staff data and more – all of it is available on the cloud. Organizations trust their cloud service providers and are unlikely to decrease their cloud investment in the years to come. Malware and other security concerns continue to mar the adoption of cloud but if a cloud service provider follows some of industry’s best practices, it is unlikely that they will have a dire situation as far as cloud security is concerned.
Image Source: https://cdn.pixabay.com/photo/2018/02/11/23/45/cloud-3147119_960_720.png
If cloud service providers follow DevOps and DevSecOps can help reduce the data breaches and improve code quality. Automation is also known to reduce the exploits and vulnerabilities. With a single platform to manage multiple cloud services can help reduce the complexity of managing security.
It looks like that just encryption and authentication are not enough to control data breaches. These are just basic security practices that are inadequate to protect workloads. As we are already aware that EU has taken a huge step to enforce data protection. The General Data Protection Agreement (GDPR) is EU’s move in the direction. On 25th May 2018, GDPR tenet will become effective and will give the right to an individual to protect his/her data.
GDPR is expected to adversely affect public cloud service providers and teams dealing in enterprise compliance in that region. Every business must meet a threshold requirement to be GDPR compliant. If anyone breaches GDPR requirements, the fine is quite high (in Euros of course). There are many companies that provide services across the globe and they must meet the requirements of GDPR as well. For example, AWS and Google, major public cloud service providers, are taking some serious action to meet the GDPR requirements. But unfortunately, the use of compliant cloud service will alone not suffice.
The basic requirement of GDPR is for organizations that initiate the personal data collection or are cloud environment operators should be able to provide proof that data is protected at all stages that is while it is in transit or processed or stored.
Key steps to ensure GDPR compliance
- Perform a thorough data protection audit and ensure that the primary cloud provider using on-premises or other applications are compliant to the need of GDPR
- You must own the encryption keys for data sets that your business owns. Even backup encryption requires you to review the compliance report from your software vendor, if necessary
- Apply all possible encryption and authentication standards to all the personal data of users that you might be dealing with. Most of the cloud service providers will provide you with the apt tools and services that can help with this
- You must be careful about who can access the personal data. Limit the access of sensitive data and create stricter norms for fewer eyes for the user data
- You can also deploy software that can help you to manage accessibility and detect any intruders to the software. It is nearly impossible to stop all attacks but it can detect a few.
- Take help from specialized service providers who can help your business to comply with the GDPR standards. It might cost you a fee but it might be better than paying a hefty non-compliance fee
GDPR is a commitment and meeting its requirements need all departments to be involved. As far as your cloud hosting service provider is concerned, you must have a contract with them that defines all the security standards and requirements clearly. If you wish to discuss more about GDPR or its impact, we are waiting to hear from you.
