Background

Cloud Service Providers Guide To GDPR

Posted by Chris Scott

In the past the term cloud has made the security-conscious professional nervous, as it implied convenience over security. Even today businesses take a cautious approach to building their solutions in the cloud, often expressing a reluctance to place confidential data, or, more topically, personally identifiable information, into the cloud. Historically, international standards haven't made it easy to embrace cloud, as there have been very few provisions for multitenant solutions. However, there are many benefits cloud solutions bring to businesses. Take mobile devices, for example, and how they allow you to seamlessly move from one device to another and work collaboratively with other business users and systems utilising cloud services. Cloud data allows us to analyse data in ways not possible before, enabling innovation and advances in the fields of science, healthcare and engineering whilst allowing business owners to spot patterns and trends. Cloud systems have always been put under the microscope from a security perspective, as cloud in a nutshell is a term used for shared systems and shared infrastructure on shared networks within a data centre facility anywhere in the world. This has often raised a number of questions, e.g. where is my data? Who am I sharing the systems with? How often are vulnerabilities spotted and systems patched? What happens if my data is compromised, lost or stolen? Who else can see my data or has access to my data? These are all relevant questions but are often left unanswered, as there hasn't been a regulation that forces data controllers to think in this way.

This is all about to change come 25 May 2018, when GDPR becomes enforceable. But what should cloud providers do to ensure they are meeting the standard, and what should they expect to supply to data subjects or controllers? Firstly, as a cloud service provider you need to identify where the data is located, transferred to, or processed. This is extremely important, as GDPR allows for the free movement of data within the EU and the EEA; however, if personal data is transferred outside the EU, Article 27 (controllers and processors outside the EU) and Article 44 (international transfers) apply. GDPR has territorial reach, meaning that anyone processing EU citizens' data must comply with the regulation; failure to do so will mean you are processing data illegally. In order to comply you must ensure you have binding corporate rules, appropriate safeguards, certificates and codes of conduct. It is important to note that breaches of the international transfer rules under Article 83 (General conditions for imposing administrative fines) carry the highest tier of penalty, which is the well-documented 4% of global turnover or 20m euros. Therefore, it is important for you to check where data flows within the systems you provide.
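One practical way to do that check is to keep a data inventory and run the residency rule over it automatically, so that any store or replica holding personal data outside the EU/EEA without a documented transfer mechanism is flagged before a controller asks. The script below is an added example written for this post, not code from the author or any cloud provider; the inventory, the list of EU/EEA country codes and the set of accepted safeguard labels are all constructed assumptions that a real provider would replace with its own data map and legal advice.

```python
"""Data-residency check over a cloud provider's data inventory.

Added example (not from the original post). It encodes the rule described
above: personal data may move freely inside the EU/EEA, but any store or
downstream replica outside it needs a documented transfer safeguard
(binding corporate rules, appropriate safeguards, certification or a
code of conduct). Everything below is a constructed assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: the provider maintains the full list of country codes it
# treats as inside the EU/EEA; only a handful are listed here.
EU_EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL",
          "PL", "SE", "NO", "IS", "LI"}

# Assumption: labels the provider's legal team accepts as an Article 44
# transfer mechanism for a given location.
ACCEPTED_SAFEGUARDS = {"BCR", "SCC", "ADEQUACY_DECISION"}


@dataclass
class DataStore:
    name: str
    country: str                      # ISO 3166-1 alpha-2 hosting location
    personal_data: bool               # holds or processes personal data?
    safeguard: Optional[str] = None   # documented transfer mechanism, if any
    replicates_to: List[str] = field(default_factory=list)  # downstream copies


def _location_ok(store: DataStore) -> bool:
    """Inside the EU/EEA, or outside it with an accepted safeguard."""
    return store.country in EU_EEA or store.safeguard in ACCEPTED_SAFEGUARDS


def transfer_findings(inventory: List[DataStore]) -> List[Tuple[str, str]]:
    """Return (store name, issue) pairs for every flow that needs attention.

    Three things are flagged: personal data at rest outside the EU/EEA with
    no safeguard, replication of personal data to such a location, and
    replication to a store that is missing from the inventory (a gap in the
    data map, which is itself a finding because the flow cannot be assessed).
    """
    by_name = {s.name: s for s in inventory}
    findings: List[Tuple[str, str]] = []
    for store in inventory:
        if not store.personal_data:
            continue
        if not _location_ok(store):
            findings.append((store.name,
                             f"holds personal data in {store.country}, outside "
                             "the EU/EEA, with no documented transfer safeguard"))
        for target_name in store.replicates_to:
            target = by_name.get(target_name)
            if target is None:
                findings.append((store.name,
                                 f"replicates to '{target_name}', which is "
                                 "missing from the inventory (data map gap)"))
            elif not _location_ok(target):
                findings.append((store.name,
                                 f"replicates personal data to {target_name} "
                                 f"({target.country}) outside the EU/EEA with "
                                 "no documented transfer safeguard"))
    return findings


# Constructed sample inventory for a fictional provider.
SAMPLE_INVENTORY = [
    DataStore("eu-primary-db", "DE", personal_data=True,
              replicates_to=["backup-us", "analytics-sg", "dr-site"]),
    DataStore("backup-us", "US", personal_data=True),              # no safeguard
    DataStore("analytics-sg", "SG", personal_data=True, safeguard="SCC"),
    DataStore("cdn-logs-us", "US", personal_data=False),           # no PII, fine
]


def sample_findings() -> List[Tuple[str, str]]:
    """Run the check over the constructed inventory (three findings expected)."""
    return transfer_findings(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for name, issue in sample_findings():
        print(f"{name}: {issue}")
```

The check deliberately treats an undocumented downstream store as a finding rather than ignoring it: a data map with holes cannot support the "where is my data?" answer a controller will ask for, and the same inventory can later drive the DSAR lookups discussed further down.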

Article 28 (Processor), paragraph 1, clearly outlines the data controller's responsibilities at the vendor selection stage and will increase the amount of due diligence the controller will need to perform when choosing a cloud service provider.

“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

Article 28 gives clear instructions on the way the processor should behave, outlining rules of engagement, how data is processed and deleted, working with the controller to demonstrate technical and operational measures, providing evidence of and assistance with audits or inspections, and adhering to certifications (Article 42) or codes of conduct (Article 40). This will inevitably mean the contract between the controller and processor will require more detail regarding data protection and how each party complies with the regulation.

Technical and Operational Measures (TOMs) are a big part of GDPR and are referenced throughout the regulation. This is because they are one of the core 6+1 principles of the regulation. Article 5(f), Principles relating to processing of personal data, outlines the following:

“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”

As a cloud service provider, what should you be doing to ensure your TOMs meet the regulation? From a technology standpoint, you will be required to have adequate monitoring in place to be able to react to security threats or breaches. This is extremely important, as Article 33 (Notification of a personal data breach to the supervisory authority (SA)) mandates that the controller has 72 hours to notify the SA of a breach. This would suggest processors will have tighter SLAs in contract to give the controller time to meet this deadline. Data leakage prevention systems will also be necessary to protect the confidentiality and integrity of data. Cloud-based SaaS applications will come under scrutiny and will need to follow coding standards and secure product engineering and deployment practices, be subjected to governance and regulatory compliance audits, and have third-party SaaS security assessments. As well as monitoring a system's security, it will be necessary to ensure vulnerabilities are dealt with accordingly, which will involve strict patching routines. It is considered a breach if the personal data becomes unavailable; therefore better controls and safeguards against DDoS attacks, disaster recovery arrangements etc. need to be in place. As a cloud service provider you will need to work closely with the controller in the event of a data subject access request. The controller only has 30 days to respond to and resolve a Data Subject's Access Request (DSAR), and this will inevitably place pressure on the processor where the personal data held is within their systems. The sensible approach here will be to have standard operating procedures that exist between both parties to ensure that a data subject's data can be quickly identified so that appropriate action can be taken in the event of a DSAR.

Article 42 certificates and Article 40 codes of conduct have been discussed previously, but what should cloud service providers think about in relation to their governance, risk and compliance (GRC) strategy? Although there is not a standard that governs GDPR to ensure we all comply, the following certifications have been recognised as de facto standards when it comes to cloud computing and will go a long way in changing a business's security culture whilst meeting compliance, reducing risk and helping to win opportunities. Cloud service providers are advised to consider the following, as the data controller will demand evidence and assurance that they have the necessary TOMs in place.

The Cloud Controls Matrix (CCM) v3 is a comprehensive control set that helps build a cloud environment to high-quality security standards. You can download the controls for free from the Cloud Security Alliance. You can then architect your cloud services by working your way through the controls checklist. What I particularly like about the controls is that you can see how each control maps directly to a standard such as COBIT, ISO, NIST and PCI, and how they apply.

ISO 27001:2013 together with ISO 27018:2014 is, in terms of cloud services, the gold standard of certification to have within your organisation. ISO 27001 is an internationally recognised standard that covers the entire business with a top-down approach, meaning everyone from senior management right the way through to the cleaner knows the importance of security to your organisation. This standard contains 114 controls in 18 control categories, covering everything from how you manage your supply chain and access control to your information security policies. This means a company's statement of applicability should be brought into question by the data controller, as some companies may choose to certify only one department and claim their whole business is compliant. For cloud service providers, ISO 27018 (Cloud Security) is rapidly becoming known as the 19th control category, meaning that if you host cloud services the sensible approach for most is ISO 27001 + 27018. This standard is designed to address personal information within a cloud environment and goes a long way in changing the mindset of how cloud systems are architected.

Although certifications and codes of conduct are detailed within the regulation, they are by no means a guarantee that the cloud services you provide meet the regulation. GDPR expects every service provider, controller or processor to do their homework, as ultimately you are accountable for the data you hold. My advice to any cloud service provider is to ensure you have the policies and processes in place to meet DSARs; your communications with the data subject need to be clear, fair and transparent, which can be achieved through privacy notifications. Where you handle PII you must assess the risks and look to the principles to challenge your business, e.g. is the information you hold accurate, lawful, and stored for only as long as required? Breach notifications need to adhere to the strict timelines outlined in the regulation, and your contracts need to detail your responsibilities. If data is transferred outside of the EU, do you have the correct binding corporate rules, appropriate safeguards etc. in place?

Accountability has been added to GDPR to ensure liabilities are not offloaded into contracts. Controllers and processors are bound by the regulation and are accountable for their own processing. This means penalties are joint and several; therefore, in the event of a breach, the party failing to meet compliance will be found to be processing data illegally and as such will be subject to the sanctions outlined in Article 83.

GDPR is not meant to penalise any business, and it should not be seen as a way to impose fines. Its goal is to allow the free movement of data whilst protecting data subjects' rights. The regulation should be seen as an enabler: an opportunity to create operational efficiencies, to address and challenge business processes, and to perform housekeeping on our data, ultimately changing the way we think about the security of data in the modern age.