Hi All,
This Article focuses on typical questions asked by Cloud customers when they are considering privacy and data protection requirements relevant to their use of Cloud services to store or process content containing personal data. There will also be other relevant considerations for each customer to address, for example, a customer may need to comply with industry specific requirements, the laws of other jurisdictions where that customer conducts business, or contractual commitments a customer makes to a third party.
According to the GDPR, “personal data means any information relating to an identified or identifiable natural person,” which is called a data subject.
In this article i would like to give some information to the customers who want to use AWS/GCP/AZURE to store or process content containing personal data in the context of command privacy and data protection considerations
Lets Proceed with Amazon Web Services first
1.Considerations relevant to privacy and data protection
2.Considerations relevant to AWS Storage locations
3.Considerations relevant to Access Management “Who can access What”
4.Privacy and Data Protection Considerations
Considerations relevant to privacy and data protectionShared Responsibility Model
AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the AWS services operate.
Customer is responsible for management of the guest operating system (including updates and security patches to the guest operating system) and associated application software, as well as the configuration of the AWS provided security group firewall and other security- related features.
Customers use third party tools for connecting AWS Services and AWS will not be responsible for connection tools.
Security OF the Cloud
Security Measures the cloud service provider implements and operates.
AWS services are content agnostic, in that they offer the same high level of security to all customers, regardless of the type of content being stored, or the geographical region in which they store their content.
Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS System & Organization Control (SOC)reports, ISO 270015, 270176, 270187 and 90018 certifications and PCI DSS9 compliance reports.
Security IN the Cloud
Security Measures that the customers take for protecting the content or the application that make use of cloud Services.
Customers have complete control over which services they use and whom they empower to access their content and services, including what credentials will be required.Customers control how they configure their environments and secure their content, including whether they encrypt their content (at rest and in transit), and what other security features and tools they use and how they use them.
Customers can implement security of the content by following below practices
Strong Password and Appropriate policies for data protection
Appropriate firewalls and network segmentation
Encryption and properly designed architecture to avoid data loss
Considerations relevant to AWS Storage locations
AWS customers choose the AWS Region or Regions in which their content and servers will be located. This allows customers with geographic specific requirements to establish environments in a location or locations of their choice.
Example : AWS customers in India can choose to deploy their AWS services exclusively in one AWS Region such as the Asia Pacific (Mumbai) Region and store their content onshore in India, if this is their preferred location. If the customer makes this choice, AWS will not move their content from India without the customer’s consent, except as legally required.
Considerations relevant to Access Management “Who can access What”
1.Customers can decide where the content can be stored(regions), access controls, encryption at rest/transit and managing own encryption keys.
2.AWS won’t access the customer data until it is legally required.
3.The local laws that apply in the jurisdiction where the content is located are an important consideration for some customers.
4.Most countries have processes (including Mutual Legal Assistance Treaties) to enable the transfer of information to other countries in response to appropriate legal requests for information (e.g. relating to criminal acts).
Privacy and Data Protection Considerations
Data regulators are nothing but the authorities/bodies/subjects who will take care of data or whose data need to be take care are divided into three types
Data Controller is a person, company, or other body that determines the purpose and means of personal data processing (this can be determined alone, or jointly with another person/company/body)
Data Processor is the entity that actually performs the data processing on the controller’s behalf.
Data Subject refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity.
Data Life Cycle StagesCollection of Personal Data
It may be appropriate or necessary to inform individuals (data subjects) or seek their consent before collecting their personal data.
The customer determines and controls when, how and why it collects personal data from individuals, and decides whether it will include that personal data in customer content it stores or processes using the AWS services.
AWS only uses customer content to provide the AWS services selected by each customer to that customer and does not use customer content for any other purposes.
Using and disclosing personal data
It will likely be appropriate or necessary to only use or disclose personal data for the purpose for which it was collected.
The customer determines and controls why it collects personal data, what it will be used for, who it can be used by and who it is disclosed to
AWS only uses customer content to provide the AWS services selected by each customer to that customer and does not use customer content for other purposes.
Offshoring personal data
If transferring personal data offshore it may be necessary or appropriate to inform individuals (data subjects) of the countries in which the customer will store their personal data, and/or seek consent to store their personal data in that location.
The customer can choose the AWS Region or Regions in which their content will be located and can choose to deploy their AWS services exclusively in a single Region if preferred. AWS services are structured so that a customer maintains effective control of customer content regardless of what Region they use for their content.
AWS only stores and processes each customers’ content in the AWS Region(s), and using the services, chosen by the customer, and otherwise will not move customer content without the customer’s concent except as legally required.
Securing personal data
It will be important to take steps to protect the security of personal data
Customers are responsible for security in the cloud, including security of their content (and personal data included in their content). AWS: AWS is responsible for managing the security of the underlying cloud.
AWS is responsible for managing the security of the underlying cloud environment.
Accessing and correcting personal data
Individuals (data subjects) may need to access their personal data, including for the purposes of correcting it.
Customer retains control of content stored or processed using AWS, including control over how that content is secured and who can access and amend that content.
AWS only uses customer content to provide the AWS services selected by each customer to that customer, and AWS has no contact with the individuals whose personal data is included in content a customer stores or processes using the AWS service
Maintaining the quality of personal data
It may be important to ensure that personal data is accurate, and that integrity of that personal data is maintained.
Customer chooses to store or process content containing personal data using AWS, the customer has control over the quality of that content and the customer retains access to and can correct it.
AWS’s SOC report includes controls that provide reasonable assurance that data integrity is maintained through all phases including transmission, storage and processing.
Deleting or de- identifying personal data
Personal data typically should not be kept for longer than is reasonably required for the purposes for which the data was collected and otherwise should typically only be retained in accordance with relevant data retention laws.
Customer should delete or anonymize the personal data when no longer needed.
AWS services provide the customer with controls to enable the customer to delete content
Google Cloud Platform
As a current or future customer of Google Cloud, now is a great time for us to begin preparing for the GDPR.
Recommendations
1.Understand your current personal data protection obligations and familiarize with GDPR obligations.
2.Create a list/inventory of personal data you handle.
3.Review your current controls,policies, and processes to assess whether they meet the requirements of the GDPR, and build a plan to address any gaps.
4.Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable to your business circumstances
GCP customers can leverage product features and configurations to further protect personal data against unauthorised or unlawful processing:
Multi-Factor authentication
Google Cloud identity and access management
Data Loss prevention API
Stackdriver Logging and Monitoring
Cloud Identity Aware Proxy
Cloud Security Scanner
Azure
Microsoft Azure identified a four step approach to make the customers journey towards GDPR compliance.
1. Discover: Identify what personal data you have and where it resides.
Example : Azure Information Protection
Azure Data Factory
Azure HDInsight
2. Manage: Govern how personal data is used and accessed.
Example : Azure Role-Based Access Control
Azure Key Vault
Azure Active directory Previlize management
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
Example: Azure Storage Services Encryption
Azure Disk Encryption
4. Report: Keep required documentation, manage data requests, and provide breach notifications
Example: Microsoft Trust center
Certifications and StandardsISO 27001 (Information Security Management)
It specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.
ISO 27017 (Cloud Security)
ISO 27017 is an international standard of practice for information security controls based on ISO/IEC 27002, specifically for Cloud Service
ISO 27018 (Cloud Privacy)
ISO 27018 is an international standard of practice for protection of personally identifiable information (PII) in Public Cloud Services.
Conclusion
Cloud services are designed to give customers flexibility over how they configure and deploy their solutions as well as control over their content, including where it is stored, how it is stored and who has access to it. Cloud customers can build their own secure applications and store content securely on Cloud.
The founder of TacoBIG.com.He is a Cloud Architect from Bangalore interested in contributing guidance to Cloud related communities. He loves to read books and share knowledge with others. He is keen on understanding Financial wisdom and sharing thoughts on how to achieve financial freedom.
