How To Achieve GDPR Compliance in the Cloud – Across AWS, Microsoft Azure and Google Cloud

The world’s top three cloud service providers, Amazon Web Services, Microsoft Azure and Google Cloud (GCP), have all announced compliance with GDPR. But imagine a world where you can view all your geo-located online instances and protected assets across multiple public cloud platforms – all within a single user-friendly portal. That’s where the activereach Dome9 Compliance Engine comes in.

With the GDPR compliance deadline only weeks away, we are sharing a blog from our technology partner Dome9, who have recently announced a GDPR readiness bundle within their public cloud Compliance Engine. This offers an out-of-the-box assessment and ongoing monitoring for compliance with the security requirements of GDPR. Combined with other capabilities of the Dome9 platform, this will help customers prepare to meet the security requirements of the EU regulation. So read on…

I. How does GDPR apply to me?

The GDPR regulation has a major impact on companies in many ways:

  1. It regulates the transfer of personally identifiable information (PII) outside of the EU by enforcing pseudonymization and encryption.
  2. It introduces a shared liability between the data controllers (organizations that store end user data) and the data processors (e.g. cloud providers) – processors will now be subject to penalties for the first time.
  3. It creates transparency around how data will be used, how long it will be retained, etc.
  4. It ensures ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  5. Data ownership, data protection, and data storage are key requirements for GDPR compliance.

Organizations need a cost-effective way to evaluate whether they are at risk of failing a GDPR compliance audit. To achieve and maintain GDPR compliance, you need to ensure you have all the right security and privacy measures in your cloud environments or face the sizable consequences of non-compliance. Hence, this initiative requires companies to rethink their data protection strategy and supporting tools in order to maintain a competitive advantage.


II. GDPR compliance in the cloud. How does Dome9 help?

Dome9 offers powerful visualization, control and active cloud protection capabilities that help customers manage GDPR compliance in their public cloud environments. For example, the Dome9 Compliance Engine is an automation framework that allows customers to automatically assess their cloud environments against regulatory standards and security best practices. They can use pre-packaged test suites that check for compliance against regulatory standards or security best practices, or they can easily create their own test suites that capture their organization’s unique requirements.

Let us dive into more detail of how Dome9 gets your cloud ready for GDPR:

Visibility into your Cloud Assets

With Dome9, you can easily get a real-time picture of all your cloud assets in one place. A company needs to have full visibility into cloud assets in order to comply with GDPR since you cannot protect information that is not on your radar.

Dome9 GDPR Portal

GDPR Compliance in the Cloud: Visibility of Cloud Assets

Visibility of Assets by Geography

1. Visualize all of your assets via an intuitive global map to get a high-level glance:

GDPR Compliance in the Cloud: Global View of Assets

2. You can then visualize your assets that are either within or outside a specific region. The Dome9 platform monitors these assets continuously and alerts you when there are exceptions. For example – you can see below how easy it is to view all your assets outside of Europe in AWS:

GDPR Compliance in the Cloud: Easy to Manage

3. In addition, you can view detailed settings for your cloud environments (e.g. VPC or security group relationships for assets within a specific region):

GDPR Compliance in the Cloud: Visibility of Cloud Assets across Regions

Cloud Security Compliance

The Dome9 Compliance Engine offers built-in frameworks for standards such as ISO 27001, NIST 800-53, HIPAA and PCI. These compliance suites are an excellent starting point for achieving the technical and operational requirements necessary to prevent a data breach under the General Data Protection Regulation (GDPR). When a company has implemented the Dome9 built-in AWS CIS Foundations Benchmark v1.1.0, NIST 800-53, PCI-DSS 3.2 or any other compliance framework, they have made considerable progress (~50%) in attaining GDPR compliance by minimizing the risk of a breach.

Continuous Compliance


Continuous compliance allows Dome9 clients to continuously run a compliance assessment according to various compliance suites and deliver findings through the most convenient method, such as email, an SNS notification message or a PDF report.
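The two capabilities described above (listing assets that sit outside a chosen geography, and repeatedly evaluating an inventory against a rule set so that only new exceptions are raised) come down to a small rule engine over an asset inventory. The following is an added example written for this page, not Dome9 code and not any provider's API: the EU region lists are illustrative assumptions rather than complete, the inventory is constructed sample data, and the rule-to-article mapping follows the article groupings given later on this page.

```python
"""Cross-cloud GDPR readiness checks over a constructed asset inventory (added example)."""
from dataclasses import dataclass

# Region identifiers treated as "inside the EU" per provider.
# Assumption: illustrative subset, not an exhaustive or authoritative list.
EU_REGIONS = {
    "aws": {"eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1", "eu-north-1"},
    "azure": {"westeurope", "northeurope", "francecentral", "germanywestcentral"},
    "gcp": {"europe-west1", "europe-west2", "europe-west3", "europe-west4", "europe-north1"},
}


@dataclass
class Asset:
    provider: str          # "aws", "azure" or "gcp"
    asset_id: str
    kind: str              # e.g. "bucket", "vm", "db"
    region: str
    holds_pii: bool        # tagged by the owner as storing personal data
    encrypted_at_rest: bool
    public: bool           # reachable from the internet


@dataclass
class Finding:
    rule: str
    article: str
    asset_id: str
    detail: str


def in_eu(asset: Asset) -> bool:
    return asset.region in EU_REGIONS.get(asset.provider, set())


# Each rule returns a detail string when the asset fails the check, otherwise None.
def rule_pii_outside_eu(a: Asset):
    if a.holds_pii and not in_eu(a):
        return f"PII stored in {a.provider}/{a.region}, outside EU regions"
    return None


def rule_pii_unencrypted(a: Asset):
    if a.holds_pii and not a.encrypted_at_rest:
        return "PII not encrypted at rest"
    return None


def rule_pii_public(a: Asset):
    if a.holds_pii and a.public:
        return "asset holding PII is publicly reachable"
    return None


# (rule name, GDPR article the check supports, predicate); article mapping is an assumption.
RULES = [
    ("pii-outside-eu", "Art. 44", rule_pii_outside_eu),
    ("pii-unencrypted", "Art. 32", rule_pii_unencrypted),
    ("pii-public", "Art. 25", rule_pii_public),
]


def assets_outside_eu(assets, provider=None):
    """The 'all assets outside Europe' view, optionally narrowed to one provider."""
    return [a for a in assets if not in_eu(a) and (provider is None or a.provider == provider)]


def evaluate(assets, rules=RULES):
    """One assessment run: every rule applied to every asset."""
    findings = []
    for a in assets:
        for name, article, pred in rules:
            detail = pred(a)
            if detail:
                findings.append(Finding(name, article, a.asset_id, detail))
    return findings


def summarize(findings):
    """Count findings per rule for a report."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def compliance_ratio(assets, rules=RULES):
    """Share of assets with no findings at all."""
    failing = {f.asset_id for f in evaluate(assets, rules)}
    return (len(assets) - len(failing)) / len(assets) if assets else 1.0


def new_findings(previous, current):
    """Continuous mode: only findings not present in the previous run are alerted on."""
    seen = {(f.rule, f.asset_id) for f in previous}
    return [f for f in current if (f.rule, f.asset_id) not in seen]


# Constructed sample inventory (not real accounts or resources).
SAMPLE_INVENTORY = [
    Asset("aws", "s3-customer-exports", "bucket", "us-east-1", True, True, False),
    Asset("aws", "rds-crm-prod", "db", "eu-west-1", True, False, False),
    Asset("azure", "vm-web-01", "vm", "westeurope", False, True, True),
    Asset("gcp", "gcs-analytics", "bucket", "europe-west1", True, True, True),
    Asset("gcp", "gcs-logs", "bucket", "us-central1", False, True, False),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"[{f.article}] {f.rule}: {f.asset_id} - {f.detail}")
    print("outside EU:", [a.asset_id for a in assets_outside_eu(SAMPLE_INVENTORY)])
    print("compliance ratio:", compliance_ratio(SAMPLE_INVENTORY))
```

The design point is that the geography view and the compliance rules share one inventory and one region table, so a change to what counts as "inside the EU" affects both consistently, and `new_findings` is what turns a scheduled run into an alert stream rather than a report that repeats known issues every time.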

The Dome9 capabilities presented above can help your company with the following GDPR articles:

Article 25 – “Data protection by design and by default” with Dome9 Data Access Controls:

Multi-factor authentication (MFA)
API-request authentication
Geo-restrictions
IAM controls

Article 30 – “Records of processing activities” with Dome9 Logging and Monitoring:

Asset-management and configuration
Compliance auditing and security analytics

Article 32 – “Security of processing” with Dome9 Data Protection and Risk Assessment:

Encryption of your data
IPsec tunnels into AWS using VPC configurations
Cloud security risk assessment

Additional GDPR articles Dome9 Arc can help with – Articles 5, 12-23, 34, 44, 76:

Breach notification by reducing investigation time
Automation and visualization of your cloud asset inventory
Applying Dome9 out-of-the-box security best practices and the AWS CIS Foundations Benchmark for overall security hygiene, as well as compliance and risk assessment frameworks, to continuously monitor and remediate security and compliance gaps

III. Get Started Today with Dome9 for GDPR

Below you can see an example of the compliance engine evaluating whether assets are in compliance with specific GDPR sections:

GDPR Compliance in the Cloud: AWS GDPR Readiness

GDPR Compliance in the Cloud: Compliance Warnings

As a security and compliance solution provider, Dome9 takes the security of its own platform and organization seriously. At activereach we understand the complexities of ensuring you have the right tools and technologies in place to demonstrate compliance with the GDPR. Please contact activereach to arrange an initial GDPR technology consultation, or visit our public cloud security page to find out more.

Additional Helpful Resources:

GDPR Compliance on AWS
https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf

CSA code of conduct
https://gdpr.cloudsecurityalliance.org/resource/csa-code-of-conduct-for-gdpr-compliance/

CISPE code of conduct
https://cispe.cloud/code-of-conduct/

EU CLOUD Code of Conduct
https://eucoc.cloud/en/home/

GDPR vs EU Data Protection – Key differences
https://www.cloudlock.com/blog/eu-gdpr-vs-data-protection-directive/

You can get started today – Sign up for a Live Demo of the Dome9 SaaS platform

This article was first published on the Dome9 blog by MARINA SEGAL, MARCH 19, 2018.

THIS POST IS INTENDED FOR INFORMATION PURPOSES ONLY. IT DOES NOT CONSTITUTE LEGAL ADVICE CONCERNING THE GDPR OR ANY OTHER MATTER, AND MAY NOT BE USED OR RELIED ON FOR SUCH PURPOSES.