Only five years ago, many business leaders and technical departments were skeptical about cloud infrastructures. The basis for this skepticism was security and business continuity issues, as existing information systems and their architecture didn’t take into account new trends in cloud infrastructures.
Over the past few years, cloud providers have proven that the services and infrastructure they supply are more reliable than many on-premises solutions, although there have been major outages. And in order to solve security-related issues, the providers have introduced a wide range of new services. Additionally, new tools have been developed, which help to migrate and adapt existing information systems and databases to the cloud.
Most customers choose cloud platforms from top providers such as AWS, GCP, and Azure. Many large companies see operators as additional resources for existing local information systems. We analyzed the popularity of each of the top platforms among customers to find out the main selection criteria.
For instance, one of our customers from Switzerland chose Azure due to its physical presence, as the processing requirements in this country are very strict.
Many of the clients are puzzled, first of all, with local regulatory requirements, which impose restrictions on the territory of information processing and storage. There are situations when a customer presents in many markets, and compliance with the information security legislation of several countries is required.
There was a difficult case when a customer of ours was developing a global business and presented in America, Europe, and Australia. AWS, due to its geographical distribution, allowed sharding the database correctly and complying with the requirements of local regulators in each of the locations.
As part of our analysis, we selected three regions in AWS for storing personal data: New York, Frankfurt, Sydney. The application was sharded across the given regions and was configured to use regional DBMS for storing personal data.
Using the GDPR as an example, we will consider the most important areas to focus on when building infrastructure for complying with requirements:
Determining whether the GDPR applies to the activities of an enterprise is crucial for the company to be able to meet its compliance obligations.
Data subject rights
The GDPR expands the rights of data subjects in several ways. It is necessary to make sure you are able to take into account the rights of data subjects when processing their personal information.
Data breach notifications
As a data controller, a company must report breaches to protection authorities without undue delay. Under all circumstances, the message must be sent within 72 hours from the detection of the violation.
Data Protection Officer (DPO)
It may be necessary to appoint a DPO who will monitor data security and other matters related to personal information processing.
Data Protection Impact Assessment (DPIA)
Some situations require an assessment to be conducted and a report to be filed to the DPIA Supervisory Authority.
Data Processing Agreement (DPA)
In order to be GDPR compliant, a DPA can be required, especially if personal data is transferred outside the European Economic Zone.
Not all services of cloud operators meet the requirements of the regulator, and such cases can be highly non-trivial. Even with a strong technical team, it’s not always possible to figure out the subtleties and build an infrastructure in compliance with data protection requirements. For instance, widely popular services ECS and EKS do not support data encryption, which makes it difficult to use dockerized applications and the extra benefits of cloud providers.
This does not mean using these services is impossible; what this means is that one needs to use them correctly and ensure data encryption by other means, or use these services only as a concomitant to the data processing core.
This is just one small example. Nowadays, there are many more services and, obviously, business needs, so many other requirements must be met: HIPAA, PCI-DSS, ISO 27017, ISO 27018.
The analysis of companies’ infrastructures showed that one in two companies, where the infrastructure had been designed independently, has compliance problems. Today, in order to ensure the required level of data security, Cloud Security Engineers dive into the very essence of customer’s processes in order to understand them. They determine what a customer needs to run the business and how to ensure business continuity.
As a rule, standards and requirements illustrate the general nature of problems, and we simply must solve them. However, they don’t describe the necessary means for solving those problems. The services provided by operators only partially solve them.
It is necessary to adapt both the company’s processes and applications. It should be borne in mind that compliance with the requirements doesn’t make the systems secure. It is necessary to build protection for infrastructure, information systems, and a business in an integrated manner. Because not only data but also the intellectual property and the company's reputation must be protected.
My name is Irek, I am a Head of Cybersecurity at Andersen. We consult for companies from the FinTech, Retail, Healthcare, and other sectors, in the field of cybersecurity. We help organize continuous data protection and identify vulnerabilities in the infrastructure.
If you have any questions, contact me: firstname.lastname@example.org