Now I had a session at Hackcon this week about security in the cloud, one of the important aspects of it is guidelines and regulations that all cloud provides need to follow. One of this regulations is GDPR which will be taken into effect in May 2018. Now there is alot of information in the regulation but I wanted to summerize the highlights.
* The regulation applies if the data or processor (organization) or the data information is based in the EU. Furthermore, the Regulation also applies to organizations based outside the European Union if they process personal data of EU residents. Which many of the current cloud providers do.
* It gives more power back to us consumers in terms right we have about the provider.
* It describes more in detail in how we as consumers can get insight in how a provider handles our data and uses our information.
* It allows us to easier get the ability “get deleted” or be “forgotten” at a provider like Google or Microsoft
* It allows us to ask a provider to move our information from one provider to another
* If data is to be collected or data be used, it would be needed to consented upon and can also be withdrawn at any time
If any data breaches happen, the provider would need to notify the supervisory authority straight away and notify the affected invididuals as well if impact is determined, within 72 hours.
Now why would businesses spend the time to comply with this regulation? Well they couldn’t affoard it. If a business doesn’t have proper documentation to comply with the regulation or have a serious data breach they could be fined with up to 20,000,000 € or 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
You can read the entire information in the regulation here –> http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
Now many of the cloud providers are already getting ready or are done with GDPR since it requires a lot of changes to their infrastructure and tools they have in place. Of course getting GDPR approved or certified requires alot of investment and money and is of course a good indication that a vendor has invested to high level of security (they wouldn’t afford otherwise, if a data breach happend for instance, because of lacking routines.
GDPR will also most likely seperate the larger cloud providers from the small ones, since the small ones might not have the money to invest into follow the GDPR guidelines, which might put them in the shadow of the large providers which has technical invested and have guidelines in place.
So this is now close to one year away before going into effect, where are the cloud providers in terms of GDPR?
Microsoft has already written alot of information and guidelines on using their services for GDPR –> https://www.microsoft.com/en-us/trustcenter/privacy/gdpr on a technical sidenote Microsoft has stated that their services will be GDPR compliant within May 2018.
AWS is also a long step on the way in terms of getting compliant with GDPR –> https://aws.amazon.com/blogs/security/aws-announces-cispe-membership-and-compliance-with-first-ever-code-of-conduct-for-data-protection-in-the-cloud/ but AWS does not have some much information available as Microsoft has on GDPR.
But regardless of cloud provider it is important how the shared responsibility is and who is responsible if something happens in a public cloud setup.
So if we look at the shared responsibility model that AWS (Which is the same as other cloud providers has) If we as a customer has a web services running on top of AWS/Azure/GCP and we are using their services to host web services to our customers, for instance an ecommerce website. In this case we might handle multiple end-customers with sensitive information.
If an malicious attacker managed to get trough our web service and access that sensitive information we might store on our web services, we as a customer will be responsible for the data breach and will be therefore subject to the fines that come with GDPR. Now in this case the cloud provider is of course responsible for all the physical aspects of it, and therefore not our responsibility. If we were to manage this ourselves we would be responsible for the entire stack and therefore have a higher level of responsibility.
So to summarize: If you are looking to using cloud services or not, see how the vendor is approaching GDPR which will be an important aspect moving forward. If you are using cloud services think about what is your responsibility, if you are hosting services towards customers see how GDPR affects your services and what countermeasures you need to make.