Public Cloud and Compliance

Introduction

Some organisations struggle with bringing (personal) (sensitive) data to the cloud. The purpose of this article is to share some of my (Stefan van Aalst) personal observations and insights.

My opinions are driven by one generic key requirement: demonstrably fulfilling the duty of care.

The need to be able to demonstrate fulfilment of the duty of care is based on the following thought experiment: assume a very unlikely, or even never considered, event has happened and it is time to stand trial (if only before your own conscience). Can a demonstrable claim be made that it was not due to (wilful) negligence or a culpable offence?

Please note, as laid out in the premises below, that this article assumes GDPR Art 32 or similar law is relevant. In situations where this is not the case, none of this article is relevant.

Related articles
  1. myDRE Workspaces DO NOT use Microsoft Teams, OneDrive, or Sharepoint to store or process your data

Premises

This article is written based on the following premises:
  1. Data must be stored and processed
    => if there is no 'must' when it comes to personal data, storing or processing it is a violation of GDPR Art 5 (Principles relating to processing of personal data)
  2. All data to be stored or processed must be accessible at some point (in time)
    => any access point (in time) is a potential attack vector
  3. Attacks are driven by 'want' and 'available resources'
    => security measures raise a threshold, but no threshold is unlimited; any threshold can therefore be breached
  4. GDPR Art 32 requires to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk"
    => the GDPR requires an organisation to demonstrably fulfil its duty of care; it does not require fending off what cannot be fended off

IMHO the above premises result in the following:
  1. If there is no must to store or process data, data should not be stored or processed
  2. When data must be stored or processed:
    1. Prohibiting solutions should not be based on absolute requirements (for this creates a contradictio in terminis with the fact that data must be stored or processed)
    2. Allowing or choosing a solution must be based on it being equally bad as, or less bad than, its alternative
    3. Prohibit solutions for which there is a better alternative

Foreign governments and other malicious state actors

While there are many considerations when evaluating or prohibiting the Cloud, a recurring subject is that a foreign government can force a cloud provider to give access to data. IMHO, as explained a bit more below, this is a discussion driven more by emotion than by facts. Regardless of whether an organisation allows the Cloud or not, if somebody really wants access to the data, they can get it. And regardless of whether the Cloud is allowed or not, in all cases the same GDPR Art 32 applies: "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk".

Very few organisations are really air-gapped: most have connections to the outside, people can work from home, work with email, etc. Even when they are, the solutions still run on hardware and software and are operated by people; each of those provides attack vectors. While these settings might ward off the 'small fry hackers', state actors with an interest have more resources and are less ethically constrained. Even 'friendly states' cannot be excluded.
One needs zero technical know-how to get access to the most sensitive data; one only needs to know who can access that data and what is valuable to that person. The less ethical one is, the more likely one can obtain the data or have it modified.

How does a 'local' infrastructure implementation compare, for instance, to Microsoft with over 8,500 security experts? Cyber security moves fast; how can a local organisation keep up?

Microsoft, IBM, AWS, Google: all these companies are based in the United States and can be forced to hand over data regardless of where that data resides. The Patriot Act can enlist any person with an American passport to 'cooperate', even when that person lives in the EEA and is fully employed by an organisation there. Organisations that do business in the United States can be forced as well. The United States is not unique; other states can and do the same thing, and it is not unlikely that the EU does the same with respect to other nations.
The forces in play to 'make this happen' cannot be fended off by anything that can reasonably be assumed to be part of what GDPR Art 32 requires: "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". For those forces, 'requesting' data via Microsoft etc. is only one of the options to obtain the data, and not necessarily even the easiest or preferred one. The blowback from a whistleblower providing evidence that one of the cloud providers was forced to actively hand over sensitive information would be far worse than that of a local company/organisation being hacked.

If GDPR Art 32 or similar law is relevant, the Cloud can be used as long as the appropriate technical and organisational measures are implemented. The Cloud does not introduce risks that are not also present in 'local' solutions. In situations where GDPR Art 32 or similar law is irrelevant, none of this article is relevant. When GDPR Art 32 or similar law is applicable, it boils down to demonstrably fulfilling the duty of care, and this can be done by using the following guideline:
  1. If there is no must to store or process data, data should not be stored or processed
  2. When data must be stored or processed:
    1. Prohibiting solutions should not be based on absolute requirements (for this creates a contradictio in terminis with the fact that data must be stored or processed)
    2. Allowing or choosing a solution must be based on it being equally bad as, or less bad than, its alternative
    3. Prohibit solutions for which there is a better alternative
