Staying GDPR compliant in the cloud

More and more firms are moving to public cloud platforms such as Google Cloud, Microsoft Azure and Amazon Web Services (AWS) to support digital transformation, customer support, supply chain management and employee collaboration.

Ensuring cloud environments comply with the upcoming EU General Data Protection Regulation (GDPR) is essential, as personal data is more than likely to be stored, processed and shared there.

Firms must safeguard EU customer data held in public clouds by 25 May 2018. That means having complete visibility into their public cloud estate, and having the security basics in place: protection of the DevSecOps pipeline, web application scanning, vulnerability management and correctly configured controls.

Compliance issues

In the cloud, adapting processes and security controls can be tricky, because firms have limited control over the underlying platform and often lack the tools, processes and know-how to secure public clouds.

The Cloud Security Alliance (CSA) identified the following as the most significant cloud security threats, each of which can become a compliance issue when moving to the cloud:

  • Data breaches
  • Weak identity, credential and access management
  • Insecure APIs
  • System and application vulnerabilities
  • Account hijacking
  • Malicious insiders
  • Advanced persistent threats (APTs)
  • Data loss
  • Insufficient due diligence
  • Abuse and nefarious use of cloud services
  • Denial of service
  • Shared technology vulnerabilities

Staying compliant

To stay compliant, the Cloud Industry Forum recommends the following:

  1. Know where cloud apps are processing or storing data: Discover all of the cloud apps in use in your organisation and ask each vendor where it hosts your data. The app vendor’s headquarters are seldom where your data are actually housed, and data can be moved between an app’s data centres, so the answer can change over time.
  2. Take adequate security measures: Know which apps meet your security standards, and either block the ones that don’t or put compensating controls in place for them. Netskope has automated the discovery process by measuring cloud apps against 45+ parameters with its Cloud Confidence Index, so you can see where apps are lacking and compare similar apps quickly.
  3. Conclude a data processing agreement with cloud apps: Once you have discovered the apps in use in your organisation and consolidated those with overlapping functionality, sanction a handful and execute a data processing agreement with each to ensure that they adhere to the data protection requirements set out in the GDPR.
  4. Collect only necessary data: Specify in your data processing agreement (and verify in your DLP policies) that the app collects only the personal data needed to perform its function from your users or organisation and nothing more, and that there are limits on the collection of “special category” data, which the GDPR defines as data revealing things like racial or ethnic origin, political opinions, religious beliefs and more.
  5. Don’t allow cloud apps to use personal data for their own purposes: Ensure through your data processing agreement, and verify in your app due diligence, that apps state clearly in their terms that the customer owns the data and that they do not share the data with third parties.
  6. Ensure you can erase data: Make sure the app’s terms clearly state that you can download your own data immediately and that the app will erase your data once you have terminated service. If possible, find out how long this takes. The more immediate (less than a week), the better, as lingering data carry a higher risk of exposure.
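Step 1 above has a trap that a one-off spreadsheet misses: the vendor’s headquarters says nothing about where the data lives, and replication, geo-backup and CDN copies move data between data centres without anyone changing the “primary” location. The script below is an added example (not code from the article, the Cloud Industry Forum or Netskope) of a data-residency audit run over an inventory of storage resources. The EU region allow-list and the inventory are constructed assumptions for illustration; in practice the allow-list is agreed with your legal team and the inventory comes from your cloud discovery tooling.

```python
"""Data-residency audit over a constructed cloud-storage inventory.

Checks each resource's primary region AND every replication or backup
destination against an allow-list of EU regions. The vendor's HQ is kept
only as information and never influences the result.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed allow-list; deliberately short. The real list is maintained with the
# legal team (e.g. whether UK regions are acceptable for your transfers).
EU_REGIONS: Set[str] = {
    "eu-west-1", "eu-west-3", "eu-central-1", "eu-north-1",            # AWS
    "westeurope", "northeurope", "francecentral", "germanywestcentral",  # Azure
    "europe-west1", "europe-west3", "europe-west4",                     # GCP
}


@dataclass
class StorageResource:
    provider: str                 # "aws", "azure", "gcp" or "saas"
    name: str
    region: str                   # where the primary copy lives
    holds_personal_data: bool
    replication_targets: List[str] = field(default_factory=list)  # CRR, geo-backup, CDN
    vendor_hq: str = ""           # informational only; not part of the decision


@dataclass
class Finding:
    resource: str
    kind: str      # "primary_region" or "replication_target"
    region: str


def audit_residency(inventory: List[StorageResource],
                    allowed: Set[str] = EU_REGIONS) -> List[Finding]:
    """Return one Finding per out-of-region location holding personal data.

    Resources without personal data are out of scope for this check (they
    still matter for other controls, just not for residency).
    """
    findings: List[Finding] = []
    for res in inventory:
        if not res.holds_personal_data:
            continue
        if res.region.lower() not in allowed:
            findings.append(Finding(res.name, "primary_region", res.region))
        # Replication and backup copies are data transfers too.
        for target in res.replication_targets:
            if target.lower() not in allowed:
                findings.append(Finding(res.name, "replication_target", target))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group out-of-region locations by resource for the report."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        report.setdefault(f.resource, []).append(f"{f.kind}:{f.region}")
    return report


# Constructed inventory (not real resources). The SaaS entry shows the HQ
# caveat: a Dublin-headquartered vendor that actually hosts in Virginia.
SAMPLE_INVENTORY = [
    StorageResource("aws", "crm-exports", "eu-west-1", True,
                    replication_targets=["us-east-1"]),
    StorageResource("azure", "hr-files", "westeurope", True),
    StorageResource("saas", "ticketing-saas", "us-east-1", True,
                    vendor_hq="Dublin, IE"),
    StorageResource("gcp", "build-artifacts", "us-central1", False),
]

if __name__ == "__main__":
    for resource, locations in summarise(audit_residency(SAMPLE_INVENTORY)).items():
        print(f"{resource}: {', '.join(locations)}")
```

Run against the sample inventory, the audit flags two resources: `crm-exports`, whose primary copy is in Ireland but which replicates to `us-east-1`, and `ticketing-saas`, which is hosted in `us-east-1` despite the vendor’s Dublin address. The `build-artifacts` bucket sits outside the EU but holds no personal data, so it is out of scope for residency. Re-run the audit on every inventory refresh, since a new replication rule is all it takes to turn a compliant resource into a finding.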

Written by Leah Alger