GDPR, Cloud and the Shared Responsibility Model

Eyal Estrin
Cloud Security
June 9, 2020

The GDPR (General Data Protection Regulation) presents organisations that process data through cloud services with some unique challenges and opportunities.

The GDPR aims primarily to give citizens and residents of the EU control over their personal data, and it took effect on 25 May 2018.

Before discussing the GDPR obligations, a short recap of the cloud shared responsibility model:

From the above table it is easy to see that both the customer and the cloud service provider have clearly separated responsibilities.

The cloud service provider is responsible for physical protection (including the data centre locations) and for the infrastructure layers (except the operating system in the IaaS model, which the customer manages).

The customer is the data owner and, as such, is responsible for access permissions and auditing. In the IaaS and PaaS models the customer is also responsible for the application layer (and, in IaaS, the operating system): access controls, hardening and configuration, encryption, and so on.

Understanding this model matters because the GDPR imposes requirements that the cloud service provider does not take responsibility for. Any organisation storing or processing personal data in the cloud needs to know which obligations fall on its own side of the line and prepare accordingly in order to be compliant with the GDPR.

Main GDPR requirements related to cloud services:

• Know the location where cloud applications are processing or storing data.

Perform an inventory of all your organisation's cloud services and check each one against the cloud service provider's official web site for its statement of GDPR compliance. For example:

Microsoft – https://goo.gl/v7YVMj

AWS – https://goo.gl/SGuVTY

Google – https://goo.gl/hqnnGR

IBM – https://goo.gl/pJA75Y

Oracle – https://goo.gl/43xu2E

Salesforce – https://goo.gl/vDcRT1

Use discovery tools to locate where sensitive data (personal data in the GDPR sense) resides across your cloud services. For example:

Microsoft Azure Data Catalog – https://goo.gl/qu7g4J

• Protect personal data:

Use strong authentication (multi-factor authentication). For example:

Microsoft – https://goo.gl/7oEHyt

AWS – https://goo.gl/4PjD9W

Google – https://goo.gl/KnzcN4

Monitor security incidents. For example:

Microsoft – https://goo.gl/rPv2ju

AWS – https://goo.gl/46TXsX

Encrypt data at rest. For example:

Microsoft – https://goo.gl/BQSF9p

AWS – https://goo.gl/vkFBnj

Google – https://goo.gl/6QF9Gf

Oracle – https://goo.gl/ixNeQs

Salesforce – https://goo.gl/XTQvYA

Control who has access to your data in the cloud. For example:

Microsoft – https://goo.gl/jTKfcU

Oracle – https://goo.gl/RGErBo

• Data processing agreement (DPA):

Sign a data processing agreement with each cloud service provider, to make sure it properly protects personal data and commits to keeping the data inside the EU (or to transferring it outside the EU only on a basis the GDPR allows). For example:

Microsoft – https://goo.gl/tJVQG1

AWS – https://goo.gl/b53Vui

Google – https://goo.gl/JzRqgA

Salesforce – https://goo.gl/yR94Aw

Check the cloud service provider's compliance against known security standards. For example:

Microsoft – https://goo.gl/qVNUwB

AWS – https://goo.gl/vCUjhP

Google – https://goo.gl/2463Sk

Salesforce – https://goo.gl/9y2ZJY

IBM – https://goo.gl/cL19qW
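As an added example (not code from the original post or from any cloud provider), the following Python audit takes the kind of inventory the steps above produce and flags the GDPR-relevant gaps on the customer's side of the shared responsibility line: data stored outside the EU, no encryption at rest, public access left open, and owning identities without MFA. The inventory is constructed inline to mirror the fields of the AWS S3 GetBucketLocation, GetBucketEncryption and GetPublicAccessBlock responses and of IAM MFA status; the bucket names, owners and the EU_REGIONS list are assumptions. It deliberately handles two real quirks of GetBucketLocation that make a naive region check wrong: a null LocationConstraint means us-east-1, and the legacy value "EU" means eu-west-1.

```python
"""Audit a storage inventory against the GDPR-relevant settings discussed
above: data location (EU region), encryption at rest, public access and MFA
on the owning identities. The inventory is constructed inline, shaped like
the fields the AWS S3/IAM APIs return, and is not from a real account."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# AWS regions located inside the EU. Assumption: adjust for other providers
# or for regions added after this list was written.
EU_REGIONS = {"eu-west-1", "eu-west-2", "eu-west-3",
              "eu-central-1", "eu-north-1", "eu-south-1"}


def normalise_location(location_constraint: Optional[str]) -> str:
    """Turn the raw S3 LocationConstraint into a region name.

    Two quirks of the real API that a naive check misses:
    - buckets in us-east-1 report a null LocationConstraint, and
    - buckets created with the legacy "EU" constraint live in eu-west-1.
    """
    if location_constraint is None:
        return "us-east-1"
    if location_constraint == "EU":
        return "eu-west-1"
    return location_constraint


@dataclass
class Bucket:
    name: str
    location_constraint: Optional[str]  # as returned by GetBucketLocation
    sse_algorithm: Optional[str]        # None: no default encryption rule
    block_public_access: bool           # all four PublicAccessBlock flags on
    owner: str                          # IAM user administering the bucket


def audit(buckets: List[Bucket],
          mfa_enabled: Dict[str, bool]) -> List[Tuple[str, str]]:
    """Return (resource, issue) pairs; an empty list means no findings."""
    findings = []
    for b in buckets:
        region = normalise_location(b.location_constraint)
        if region not in EU_REGIONS:
            findings.append((b.name, f"data stored outside the EU ({region})"))
        if b.sse_algorithm is None:
            findings.append((b.name, "no default encryption at rest"))
        if not b.block_public_access:
            findings.append((b.name, "public access not blocked"))
        # An owner missing from the MFA map is treated as having no device.
        if not mfa_enabled.get(b.owner, False):
            findings.append((b.name, f"owner {b.owner} has no MFA device"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Constructed inventory (not real data) exercising each check once."""
    buckets = [
        # Legacy "EU" constraint: physically eu-west-1, so compliant on location.
        Bucket("eu-customer-records", "EU", "aws:kms", True, "alice"),
        # Null constraint means us-east-1; also no default encryption rule.
        Bucket("legacy-backups", None, None, True, "bob"),
        # Inside the EU and encrypted, but public access is not blocked.
        Bucket("marketing-exports", "eu-central-1", "AES256", False, "alice"),
    ]
    mfa_enabled = {"alice": True, "bob": False}
    return audit(buckets, mfa_enabled)


if __name__ == "__main__":
    for resource, issue in run_sample():
        print(f"{resource}: {issue}")
```

Against the constructed inventory this reports four findings, all on the two non-compliant buckets. In practice the inventory would be populated from the provider APIs (for AWS, boto3's list_buckets, get_bucket_location, get_bucket_encryption, get_public_access_block and list_mfa_devices; note that get_bucket_encryption raises ServerSideEncryptionConfigurationNotFoundError rather than returning an empty rule when no default encryption is set) and the check logic stays the same.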

Eyal Estrin is a Cloud Security Architect.

He is the owner of the blog Security 24/7.

He has more than 20 years of experience in the IT and information security field.

Follow him at @eyalestrin
