myDRE can be used outside the EER / USA / etc
If your organization allows remote access (e.g. working from home) then there is no reason why myDRE cannot be used regardless of the geographic area you are in.
Bypassing geo-restrictions is easy by using VPN and therefore at best this is a hurdle for normal users, but it offers no real protection. What does help is to have active monitoring in-place like anDREA has to alert for unexpected activities, like changes in key vault, activating Privileged Identity Management in order to get access to the anDREa Azure Active Directory.
myDRE is built for collaboration. It is very easy to invite anybody into your Workspace regardless of where this person physically is. However, when processing data of Europeans this is subject to the GDPR. Equally, processing data of Californians are subject to the CCPA. And probably there are more.
The GDPR, CCPA and alike are there to protect the interest and privacy of individuals. These laws are not made to make your work as difficult as possible. The key is to have demonstrable proof of having the technical and organizational measures in place that can reasonably be expected. That the decisions that were made and were documented with consideration for the privacy of individuals. That the basis for processing is well-argued prior to the processing itself.
How to be compliant to GDPR, etc
By using the default Workspace of myDRE you have proof that:
- only authorized people and processes had access to your Workspace
- only authorized people were allowed to egress data
- data was stored and processed in a specific region
- people agreed to the End User License Agreement
- at a minimum every 24h members have to use Multi-Factor Authentication (MFA), trusted devices are not allowed
- access to VMs is by on-demand whitelisting of the IP address of the user for which a prerequisite is MFA
What you can do yourself for example:
- Be considerate in whom to give the role Owner for are privileged with self-authorization for downloads
- Make sure everybody signs a Processing Agreement and possibly other documents that describe the rules and policies they need to adhere to
- Train people in how to handle the data and keep a record of this
- Remove people quickly if they are no longer part of the work in the Workspace or if they fail to comply with the agreements they signed
- Ensure you stick to the principles relating to the processing of personal data (e.g. GDPR Article 5)
- Ensure you have a valid basis for processing (e.g. GDPR Article 6) documented and approved prior to processing
With the above demonstrable, you have proof that you protect the interest and privacy of individuals.
This will never protect you nor anDREa from:
- Authorized people with malicious intent
- Authorized people forced by others to cooperate
- Well funded and equipped people gaining access while they were not invited by you into your Workspace
None of the laws expects you to take measures against what you cannot control, like the last three bullet points. In the end, if somebody wants access to the data and are willing to go the mile, they will obtain it. You and anDREa will be held accountable for how easy they were able to obtain the data. Together we need to provide evidence that the data breach was not due to neglect on our part and extraordinary skills. That effort was required for which no reasonable measurements could be taken given the processing that was required.
Where is the data stored and processed?
By default, all the data of a Workspace is stored and processed in the same Microsoft Azure Region. This region is determined by the Tenant. Data will not leave this region unless data is egressed from that Workspace to a Workspace residing in a different Microsoft Azure Region, or when downloaded in a country that resides outside the EU.
Interacting with the data is through Remote Desktop Protocol (RDP). The RDP implementation does not allow you to copy/paste between your local machine and the virtual machine; it captures an image of the VM and displays this to you, it captures keyboard strokes and mouse and sends this to the VM. How is this different from having the data local and processing it on your machine? Even sending this 'image' is secured (SSL).
You can shut down your local machine, you can open an RDP session on another machine, your internet connection might drop, your access might be blocked, your machine can explode, this does not cause data loss, nor does it affect the data stored nor the processing that might be running. This is only possible if the data is not stored nor processed on your machine.
Not the physical location of the user, but the Microsoft Azure Region determines where the data is stored and processed.
myDRE, and documents and approvals
version: 2022-10-15 type: opinion This article should be considered as an opinion article, please consult the organization's policies and in doubt verify with the privacy contact person, privacy officer, or legal department. Introduction Do we need a ...
Navigating through support.mydre.org
anDREa makes use of ZohoDesk Enterprice version. This enables you to configure the following items. Please read the information about these changes below carefully. Creating tickets for users Users can create new DRE tickets through the ‘Add ticket’ ...
Activating your new @mydre.org account
Before you can access your DRE workspace(s) at mydre.org, you need to activate your @mydre.org account. Below, we explain the steps in this activation process, along with screenshots for illustration. Prerequisite: your new @mydre.org username, which ...
Why is my support.mydre.org account different from my @mydre.org account?
We get this question regularly now and here is why: Your @mydre.org account may look like an e-mail address, but it is not. It has no e-mail functionality and it is strictly your username on the mydre.org platform. For support.mydre.org however, you ...
Shiny Server in a myDRE Workspace
Version = 2023-02-02 This instruction is used to get Shiny Server up and running in a Workspace. For your actual workloads you might need other size VMs. Also there is much more to be configured, but being able to get Shiny up and running is a good ...