The GDPR and Its Implications On Cloud Services · may include elements of SaaS, IaaS, and PaaS requires a logical set of steps. As Gartner has noted, “An organizaon cannot simply

The GDPR and Its Implications On Cloud Services

September2017NormBarber,ManagingDirector([email protected])

ArapidlygrowingandsuccessfulRedmond,WA-basedsoluGonsdeveloperwithsignificanttechnicalresourceslocatedintheUSandIndia.OurglobalfocusisonCloud,Cybersecurity,Compliance(regulatory)andCost.

EffecGvelymigraGngfromatradiGonal,on-premisesITenvironmenttoaHybridITenvironmentthatmayincludeelementsofSaaS,IaaS,andPaaSrequiresalogicalsetofsteps.AsGartnerhasnoted,“AnorganizaGoncannotsimply‘jump’totheCloud.Thereneedtobeac5vi5esthatarepartofaphasedevalua5onandplantomovetotheCloud.”

Discover Assess Target Migrate Monitor

UnifyCloud LLC – General Background

TheGeneralDataProtecGonRegulaGon(GDPR)impactstheenGreCloud(SaaS,IaaS,PaaS)journey

3

ThispresentaGonisacommentaryontheGDPR,asUnifyCloudLLCinterpretsit,asofthedateofpublicaGon. We’vespentalotofGmewithGDPRandliketothinkwe’vebeenthoughùlaboutitsintentandmeaning. ButtheapplicaGonofGDPRishighlyfact-specific,andnotallaspectsandinterpretaGonsofGDPRarewell-sealed.Asaresult,thispresentaGonisprovidedforinformaGonalpurposesonlyandshouldnotberelieduponaslegaladviceortodeterminehowGDPRmightapplytoyouandyourorganizaGon. WeencourageyoutoworkwithalegallyqualifiedprofessionaltodiscussGDPR,howitappliesspecificallytoyourorganizaGon,andhowbesttoensurecompliance. UNIFYCLOUDLLCMAKESNOWARRANTIES,EXPRESS,IMPLIED,ORSTATUTORY,ASTOTHEINFORMATIONINTHISWHITEPAPER. ThispresentaGonisprovided“as-is.”informaGonandviewsexpressedinthispresentaGon,includingURLandotherInternetwebsitereferences,maychangewithoutnoGce.

Disclaimer

4

• WhatistheGDPR

• HowtointerprettheGDPR• AddressingGDPRcomplianceintheCloud

• GDPRBaselineapproach•  CaseStudy:ManagingGDPRinAzure

Today’s GDPR briefing topics

5

Controller(fromGDPR)“…thenaturalorlegalperson,publicauthority,

agencyorotherbodywhich,aloneorjointlywithothers,

determinesthepurposesandmeansoftheprocessingof

personaldata;wherethepurposesandmeansofsuch

processingaredeterminedbyUnionorMemberState

law,thecontrollerorthespecificcriteriaforits

nominaGonmaybeprovidedforbyUnionorMember

Statelaw.”

Audience poll: GDPR key roles that will impact you

Processer(fromGDPR)“…anaturalorlegalperson,publicauthority,agencyor

otherbodywhichprocessespersonaldataonbehalfof

thecontroller.”

Solu5onPurveyor•  CSV

•  ISV

•  Consultant

6

7

GDPR key drivers for May 25, 2018 enforcement (in effect as of 5/4/16)

Source:

•  Updatesandmodernizestheprinciplesofthe1995DataProtecGonDirecGve

•  SetsouttherightsoftheindividualandestablishestheobligaGonsofthoseprocessingandthoseresponsiblefortheprocessingofthedata.

•  EstablishesthemethodsforensuringcomplianceaswellasthescopeofsancGonsforthoseinbreachoftherules.

•  AppliestoallorganizaGonsdoingbusinessintheEUregardlessoflocaGon.

8

GDPR data definitions regardless of nationality or EU residence

PersonalData(fromGDPR)“…meansanyinformaGonrelaGngtoanidenGfiedoridenGfiablenatural

person('datasubject');anidenGfiablenaturalpersonisonewhocanbe

idenGfied,directlyorindirectly,inparGcularbyreferencetoanidenGfier

suchasaname,anidenGficaGonnumber,locaGondata,anonline

idenGfierortooneormorefactorsspecifictothephysical,physiological,

geneGc,mental,economic,culturalorsocialidenGtyofthatnaturalperson.”

Examples:

•  Name

•  IdenGficaGonnumber(e.g.,SSN)

•  LocaGondata(e.g.,homeaddress)

•  OnlineidenGfier(e.g.,e-mailaddress,screennames,IPaddress,deviceIDs)

•  GeneGcdata(e.g.,biologicalsamplesfromanindividual)

•  Biometricdata(e.g.,fingerprints,facialrecogniGon)

“TheGDPRalsorequirescompliancefromnon-EUorganizaGonsthatoffergoodsorservicestoEUresidentsormonitorthebehaviorofEUresidents.”

Source:Brief:YouNeedAnAc0onPlanForTheGDPR;ForresterResearch;October2016

9

GDPR compliance is a challenge for both controllers and processors

“Bytheendof2018,over50%ofcompaniesaffectedbytheGDPRwillnotbeinfullcompliancewithitsrequirements.”Gartner-FocusonFiveHigh-PriorityChangestoTackletheEUGDPR;September30,2016

Enhanced personal privacy rights

Increased duty for protecting data

Mandatory breach reporting

Significant penalties for non-compliance

The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.

10

Controller’s (or your customer’s) GDPR compliance model GD

PRRegulaG

on(2

61pages)

43GDPRRequirements* 1.  ProvidenoGficaGontodatasubjects,inclearandplainlanguage.

2.  Requestandobtainthedatasubject’saffirmaGveandgranularconsent.

3.  DisconGnuewithprocessingacGviGesifthedatasubjectdeniesconsent.

4.  Provideamechanismfordatasubjectstowithdrawconsent.

5.  ObtainaffirmaGveconsentfromachild’s(underageof16)parentorguardian.

“…organizaGonsmustdemonstratethattheyhaveimplementedappropriatemeasurestomiGgateprivacyrisks.Evenintheabsenceofaprivacybreachorcustomercomplaint,regulatorsmayrequirefirmstoexhibitevidenceoftheircomplianceandriskmanagementstrategies,includingaprivacyimpactassessment(PIA)whenappropriate.”


*UnifyCloudLLCGDPRinterpretaGon.YouareencouragedtocompleteyourownGDPRinterpretaGon

11


PRRegulaG

on(2

61pages)

43GDPRRequirements* 1.  ProvidenoGceofprocessingacGviGesattheGmepersonaldataisobtained.

2.  ProvidenoGceofprocessingacGviGesifpersonaldatahasnotbeenobtaineddirectly.

3.  ProvidethedataprivacynoGceatallpointswherepersonaldataiscollected.


12


PRRegulaG

on(2

61pages)

43GDPRRequirements* 1.  ProvidemechanismforvalidaGngidenGtyoftherequesGngdatasubject.

2.  Providemechanismfortorequestaccesstotheirpersonaldata.

3.  Provideamechanismtorespondtorequestsonpersonaldataaccess.

4.  Maintainthetechnologicalabilitytotraceandsearchpersonaldata.

5.  ProvidemechanismtorequestrecGficaGonandrecGfypersonaldata.

6.  Provideamechanismtorequesttheerasureofpersonaldata.

7.  Maintainthetechnologicalabilitytolocateanderasepersonaldata.

8.  TracktowhichaddiGonalcontrollerspersonaldatahasbeentransferred.


13


PRRegulaG

on(2

61pages)

43GDPRRequirements* 9.  Whenpersonaldataismadepublic,contactthoseenGGesfordataerasure.

10. ProvidemechanismtorequesttherestricGonofdataprocessing.

11. Maintainthetechnologicalabilitytorestrictprocessingofpersonaldata.

12. Providemechanismtorequestcopiesandtransmitpersonal.

13. Providemechanismtorespondtodataportabilityrequests.

14. Locatepersonaldataandexportinstructured,machine-readableformats.

15.  IfprocessingfordirectmarkeGng,providemechanismtoobject.

16. MaintainthetechnologicalabilitytodisconGnuethedataprocessing.


14


PRRegulaG

on(2

61pages)

43GDPRRequirements* 1.  Maintainaudittrailstodemonstrateaccountabilityandcompliance.

2.  Maintaininventoryofdatadetailingcategoriesofdatasubjects.

3.  MaintainauditabletrailsofprocessingacGviGes.4.  CarryoutdataprotecGonimpactassessmentsof

processingoperaGons.5.  Providethede-idenGficaGonofpersonaldatafor

archivingpurposes.


15


PRRegulaG

on(2

61pages)

43GDPRRequirements* 1.  Embedprivacycontrols(inserviceanddevelopmentlifecycle).

2.  Embedprivacydesignedtominimizetheamountofpersonaldatacollected.


16


PRRegulaG

on(2

61pages)

43GDPRRequirements* 1.  Providemechanismtopseudonymize,encrypt,orotherwisesecurepersonaldata.

2.  Implementsecuritymeasuresintheservice.3.  ConfirmongoingconfidenGality,integrity,and

availabilityofpersonaldata.4.  Providemechanismtorestoretheavailabilityand

accesstopersonaldata.5.  FacilitateregulartesGngofsecuritymeasures.


17


PRRegulaG

on(2

61pages)

43GDPRRequirements* 1.  ControllersnoGfyDPAwithin72hoursintheeventofadatabreachincident.

2.  ControllersnoGfyaffecteddatasubjectsofahigh-riskdatabreachincident.

3.  ProcessorsnoGfycontrollerswithoutunduedelayofadatabreachincident.


18


PRRegulaG

on(2

61pages)

43GDPRRequirements* 1.  Trackandrecordpersonaldatathatisforwardedtothird-parGes.

2.  ProvidemechanismfortrackingandrecordingdatatransfersinandoutoftheEU.

3.  Maintaininventoryofdatatransfercontractswiththird-parGes.

4.  Provideappropriatesafeguards(e.g.,PrivacyShield)foreffecGvelegalremedies.


19


PRRegulaG

on(2

61pages)

BusinessProcesses&UserControls

ApplicaGons&WorkloadFeatures

ITInfrastructureControls

OnPremisesCompliance

InternalAudit

20


PRRegulaG

on(2

61pages)


SaaSApplicaGons&WorkloadFeatures

CloudComplianceModel

CloudITInfrastructureControls

InternalAudit

21


PRRegulaG

on(2

61pages)


SaaSApplicaGons&WorkloadFeatures

CloudComplianceModel

InternalAudit“Soadashboardthroughwhichyourteamcaneasilytrackthat(capabiliGes)willcomeinhandy.”


22

23

Understanding a Cloud shared responsibility model for GDPR

Source:MicrosoFSource:AmazonWebServices

•  ImplemenGnginterconnecGvitybetweenCloudandon-premisesresources.

•  SecurityDevelopmentLifecycleforapplicaGons.

•  ApplicaGonQApriortomovingtoCloudproducGon.

•  MonitoringthesecurityofapplicaGons.

•  Reviewingandapplyingpublicsecurityandpatchupdates(IaaS).

•  ReporGngtheincidentsandalertsspecifictosystemsandsubscripGons.

•  SupportGmelyresponseswithCloudplaòrm.

•  ImplemenGngredundantsystemsforhot-failover.

•  Controlsoveraccount/subscripGonIDsandpasswordsandaccesstoapplicaGons.

•  Compliancewithapplicablelaws/regulaGons.

•  DeterminingandimplemenGngencrypGonfordata.

•  SecuringcerGficatesusedtoaccessapplicaGons.

•  SelecGonofaccessmechanismfordata.

•  DeterminingtheServicesconfiguraGons.

•  Backupofdatatolocal/Cloudstorage.

•  ProtecGonofthesecretsassociatedwithaccounts.

24

ControlsandreporGngaswellasconfiguraGonoversightexcludedfromaCSVplaòrmSOCreport

What “managed by customer” means (from a typical SOC* report)…

* AICPAServiceOrganizaGonControl(SOC)Reports(TypeIandTypeII)formerlyStatementonAudiGngStandardsNo.70:ServiceOrganizaGons(SAS70)

25

AnCloudServiceGDPRBaselineshouldinclude:•  CloudServicesComplianceValidaGon(ISO,SOC)•  ServicesSewngValues•  DevOpsRulesforCloudServices

Using a GDPR baseline approach

“However,intermsofsecurity,whilefewrespondentsreportedadecreaseinproducGonsecurity,thisisanareawhereDevOpshasnotyetcontributedsignificantimprovement.(SeeFigure9)ThismaynotbethefaultofDevOpspracGcesthemselves–increasingsecurityrequiresadeliberateeffort–butitcouldpointtoanopportunityfortoolsvendors.”

26

•  130deployableAzureServices(lastcount)•  SomeServicesarecandidatesforGDPRdefined

“personal&sensiGvedata””

o  BlobStorage

o  DataFactory

o  DatalakeStore

o  SQLDatabase

o  SQLDataWarehouse

o  StorSimple

•  SomeServicesarecapabiliGestohelpmeetGDPRrequirements:

o  AzureAD

o  AzureInformaGonProtecGon

o  KeyVault

o  MulG-factorAuthenGcaGon

Case Study: GDPR Baseline Dashboard for Azure

27

Azure Services and GDPR compliance roles

S.No. CloudService HighLevelDescription(fromCapstoneGDPRWhitepaper) Discover Manage Protect Report Enabler Target

1 ActiveDirectory

Anidentityandaccessmanagementsolutioninthecloud.ItmanagesidentitiesandcontrolsaccesstoAzure,on-premises,andothercloudresources,data,andapplications.WithAzureActiveDirectoryPrivilegedIdentityManagement,youcanassigntemporary,Just-In-Time(JIT)administrativerightstoeligibleuserstomanageAzureresources.

Yes Yes Yes

2 KeyVaults

Itoffersaneasy,cost-effectivewaytosafeguardkeysandothersecretsinthecloudbyusinghardwaresecuritymodules(HSMs).ProtectcryptographickeysandsmallsecretslikepasswordswithkeysstoredinHSMs.

Yes Yes

3 StorageAccount(Classic)

AnAzurestorageaccountgivesyouaccesstotheAzureBlob,Queue,Table,andFileservicesinAzureStorage.YourstorageaccountprovidestheuniquenamespaceforyourAzureStoragedataobjects.Bydefault,thedatainyouraccountisavailableonlytoyou,theaccountowner. Yes Yes

4 DataFactories

Itisamanagedservicewhichletsyouproducetrustedinformationfromrawdataincloudoron-premisessources.Easilycreate,orchestrateandschedulehighly-available,fault-tolerantworkflowsofdatamovementandtransformationactivities.

Yes Yes

5 MultifactorAuthentication

Ithelpspreventunauthorizedaccesstoon-premisesandcloudapplicationsbyprovidinganadditionallayerofauthentication.Followorganizationalsecurityandcompliancestandardswhilealsoaddressinguserdemandforconvenientaccess.

Yes Yes

6 SiteRecoveryIthelpsyouprotectimportantapplicationsbycoordinatingthereplicationandrecoveryofprivatecloudsforsimple,cost-effectivedisasterrecovery.

Yes Yes

7 SQLService

Itisarelationaldatabase-as-aserviceusingtheMicrosoftSQLServerEngine.SQLDatabaseisahigh-performance,reliable,andsecuredatabaseyoucanusetobuilddata-drivenapplicationsandwebsitesintheprogramminglanguageofyourchoice,withoutneedingtomanageinfrastructure.

Yes Yes Yes

JourneyStage Compliance

28

GDPR baseline setting guidance for Azure Services

S.No. CloudService CloudOriginFunctionality Value Subject GDPRCitation IssueActiveDirectory->IntegrationwithlocalAD->DomainsverifiedforDirectorySync 1 DataSubjectRights Art.15-17 Providemechanismforvalidatingidentity

oftherequestingdatasubject.

ActiveDirectory->IntegrationwithlocalAD->DomainsplannedforSingleSign-On 0 DataSubjectRights Art.15-17 Providemechanismforvalidatingidentityoftherequestingdatasubject.

ActiveDirectory->IntegratedApplications->Usersmaygiveapplicationspermissiontoaccesstheirdata

NO RighttoRestriction Art.18,Sec.1,Sub.(a)–(d) Maintainthetechnologicalabilitytorestrictprocessingofdatasubjects’personaldata(orforMicrosoftcustomerstodosoinaccordancewithrequestsofdatasubjects).

ActiveDirectory->IntegrationwithlocalAD->DirectorySync Activated DataSecurity Art.32,Sec.1,Sub.(a) Providemechanismtopseudonymize,encrypt,orotherwisesecurepersonaldata.

ACTIVEDIRECTORY_INTEGRATEDAPPLICATIONS_USERSMAYADDINTEGRATEDAPPLICATIONS No DataSubjectRights Art.15-17 Providemechanismforvalidatingidentityoftherequestingdatasubject.

ACTIVEDIRECTORY_USERACCESS_ALLOWINVITATIONS Yes Righttoaccess Art.15,Secs.1–2 Providemechanismfordatasubjectstorequestaccesstotheirpersonaldataandreceiveinformationontheprocessingactivitiesoftheirpersonaldata.

ACTIVEDIRECTORY_USERACCESS_ALLOWGUESTSTOINVITE No Righttoaccess Art.15,Secs.1–2 Providemechanismfordatasubjectstorequestaccesstotheirpersonaldataandreceiveinformationontheprocessingactivitiesoftheirpersonaldata.

ACTIVEDIRECTORY_USERACCESS_LIMITGUESTACCESS Yes Righttoaccess Art.15,Secs.1–2 Providemechanismfordatasubjectstorequestaccesstotheirpersonaldataandreceiveinformationontheprocessingactivitiesoftheirpersonaldata.

ActiveDirectory1

29

Creating a GDPR baseline

30


31


32


33

Monitoring a GDPR baseline

34


35


36


37

• GDPRisineffectnowandwillbeenforcedstarGngonMay25,2018

•  CloudsoluGons(IaaS/PaaSandSaaS)willbepartofacontroller’scompliancemodel

• Understand/interprettheGDPRrequirementsandmaptoprocessorfeatures/controls

•  ConsiderusingaGDPRbaselineapproachforareaswherecerGficaGonsdonotapply

•  Forvendors…doNOTimplyusingyoursoluGonwilldirectlyguaranteeGDPRcompliance

•  Thankyou!AnyfinalquesGons?

Summary

The GDPR and Its Implications On Cloud Services

September2017NormBarber,ManagingDirector([email protected])

AcopyofthispresentaGonwillbemadeavailabletoyoua{erthesessionends.Visitwww.cloudatlasinc.comforaddiGonalinformaGonaboutoursoluGons.

Documents

The GDPR and Its Implications On Cloud Services · may include elements of SaaS, IaaS, and PaaS requires a logical set of steps. As Gartner has noted, “An organizaon cannot simply