© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tim Rains, EMEA Leader Security & Compliance
GDPR: Raising the Bar for Security & Compliance Across the EU
What is the GDPR?
• The "GDPR" is the General Data Protection Regulation, a significant, new EU Data Protection Regulation
• Introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance across the EU
• The GDPR is enforceable 25 May 2018, and it replaces the EU Data Protection Directive (Directive 95/46/EC)
• Territorial scope: Organisations established in the EU and those without an EU presence who target or monitor EU individuals
Content vs. Personal Data
• Content = anything that a customer (or any end user) stores or processes using AWS services, including: Software ǀ Data ǀ Text ǀ Audio ǀ Video
• Personal Data = information from which a living individual may be identified or identifiable (under EU data protection law)
• Customer’s “content” might include “personal data”
What Else Comes With GDPR?
• Individuals have the right to a copy of all of the personal data that controllers hold about them, and it must be provided in a way that facilitates reuse.
• Individuals have the right to have certain personal data deleted so that third parties can no longer trace them.
• It also facilitates including policies, guidelines, and work instructions related to data protection in the earliest stages of projects that involve personal data.
• Controllers must report personal data breaches to the relevant supervisory authority within 72 hours. If there is a high risk to the rights and freedoms of data subjects, they must also notify the data subjects.
How can AWS help customers achieve GDPR compliance?
All AWS services are GDPR ready
Bringing it all together
• Scenario 1: Data Subjects → Customer as Controller → AWS as Processor
• Scenario 2: Data Subjects → Customer’s customer as Controller → Customer as Processor → AWS as Processor
• Controllers and Processors have obligations under GDPR
Transferring Content
(Map of AWS Regions with the number of Availability Zones per Region, and new Regions coming soon)
• Customers decide where their data will be stored
• Customers may choose to transfer content that includes personal data
  • From the EEA to a country outside the EEA: the Data Processing Addendum includes the Standard Contractual Clauses/Model Clauses
  • From the EU to the US: EU-US Privacy Shield Framework
GDPR in Practice: Implementing TOMs
Under GDPR, controllers and processors are required to implement appropriate technical and organisational measures (TOMs), including:
(1) Pseudonymisation and encryption of personal data
(2) Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
(3) The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
(4) A process for regularly testing, assessing, and evaluating the effectiveness of TOMs
What AWS provides
• Tools and Services
• Compliance Framework
• Partner Network
• Data Protection Terms
AWS Shared Responsibility Model
• Customers are responsible for their security and compliance IN the cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption, and network traffic protection
• AWS is responsible for the security OF the cloud: AWS Foundation Services (compute, storage, database, networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
GDPR is also a “shared responsibility”
• Legal Compliance (both controllers and processors)
• System Security and Data Protection by Design (both controllers and processors; AWS has tooling to help)
• Records of Processing Activities (both controllers and processors; AWS has tooling to help)
• Encryption (both controllers and processors; AWS has tooling to help)
• Security of Personal Data (controller responsibility)
• Managing Data Subject Consent (controller responsibility)
• Managing Personal Data Deletion (both controllers and processors; AWS has tooling to help)
• Managing Personal Data Portability (controller responsibility)
Navigating GDPR Compliance with AWS Services
Categories: ‘Security of processing’, ‘Data protection by design and default’, ‘Records of processing activities’
Services: AWS Snowball, Amazon Virtual Private Cloud (VPC), Amazon API Gateway, AWS KMS, AWS CloudHSM, Server-side Encryption, AWS Identity and Access Management, SAML Federation, Active Directory Integration, AWS Service Catalog, AWS CloudTrail, AWS Config
AWS & The GDPR: Access Control (GDPR Compliance Tools)
The controller “shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
• Multi-factor authentication
• API-Request Authentication
• Temporary Access Tokens
AWS & The GDPR: Monitoring and Logging (GDPR Compliance Tools)
“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.”
• CloudTrail
• Amazon Inspector
• Macie
• AWS Config
• Amazon GuardDuty
AWS & The GDPR: Encryption (GDPR Compliance Tools)
Organisations must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data.”
• Encryption of your data at rest with AES256 (EBS/S3/Amazon Glacier/RDS)
• Centralised (by Region) key management with AWS KMS
• IPsec tunnels into AWS with the VPN Gateways
• Dedicated HSM modules in the cloud with CloudHSM
GDPR Compliance Tools
Appropriate technical and organisational measures may need to include “the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems and services.”
• SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70) / SOC 2 / SOC 3
• PCI DSS Level 1
• ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018
• FIPS 140-2
• C5
Built on the consistent baseline controls of the AWS Foundation Services and AWS Global Infrastructure, customers meet their own security objectives with their own accreditation, their own certifications, and their own external audits. Customer scope and effort is reduced, with better results through focused efforts.
GDPR – Code of Conduct
CISPE Code (Cloud Infrastructure Service Providers in Europe)
The CISPE Code of Conduct:
• An effective, easily accessed framework for complying with the EU’s GDPR
• Excludes the re-use of customer data
• Enables data storage and processing exclusively within the EU
• Identifies cloud infrastructure services suitable for different types of data processing
• Helps citizens to retain control of their personal and sensitive data
• AWS is CISPE certified
• The CISPE Code of Conduct is under evaluation by the Article 29 Working Party
AWS Marketplace: One-stop shop for familiar tools
AWS Partner Network (APN) & the GDPR
• Consulting Partners: APN consulting partners can help your customers get ready for GDPR.
• Technology Partners: APN technology partners offer security & identity solutions to help with GDPR.
AWS Professional Services
Objective
• Educate and enable customers on how to architect their AWS environment to support data protection and privacy
Audience
• Legal/Privacy Teams
• Regulatory & Compliance Staff
• Application, Systems, & Database Architects
Duration
• One-day workshop
© 2018 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Level of Effort: One day
Key Activities
Earn Trust
• Introduction/Review of AWS Compliance Programs
• Review AWS Compliance Programs supporting Data Privacy
Learn & Educate
• Present the concept of Data Protection as a Shared Responsibility
• Learn about the customer’s current architecture
• Learn how the customer has interpreted the regulation and the controls
• AWS services and features to support technical implementations
• Data Processing Addendum
Identify
• Identify APN Partners and Solutions which can be leveraged in development and operations to achieve data protection efforts
GDPR Center
https://aws.amazon.com/compliance/gdpr-center/
Thank you!

More Related Content

What's hot

How to Choose a Cloud Service Provider?
How to Choose a Cloud Service Provider?How to Choose a Cloud Service Provider?
How to Choose a Cloud Service Provider?Marianne Harness
 
Introdction to Cloud Regulation for Enterprise by 2Bsecure
Introdction to Cloud Regulation for Enterprise by 2BsecureIntrodction to Cloud Regulation for Enterprise by 2Bsecure
Introdction to Cloud Regulation for Enterprise by 2BsecureIdan Tohami
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Amazon Web Services
 
AWS Security and Encryption
AWS Security and EncryptionAWS Security and Encryption
AWS Security and EncryptionRichard Harvey
 
AWS IoT in the Connected Home - AWS Online Tech Talks
AWS IoT in the Connected Home - AWS Online Tech TalksAWS IoT in the Connected Home - AWS Online Tech Talks
AWS IoT in the Connected Home - AWS Online Tech TalksAmazon Web Services
 
Managing Security of Large IoT Fleets (IOT321-R1) - AWS re:Invent 2018
Managing Security of Large IoT Fleets (IOT321-R1) - AWS re:Invent 2018Managing Security of Large IoT Fleets (IOT321-R1) - AWS re:Invent 2018
Managing Security of Large IoT Fleets (IOT321-R1) - AWS re:Invent 2018Amazon Web Services
 
Keep Your IoT Devices Secure (IOT205) - AWS re:Invent 2018
Keep Your IoT Devices Secure (IOT205) - AWS re:Invent 2018Keep Your IoT Devices Secure (IOT205) - AWS re:Invent 2018
Keep Your IoT Devices Secure (IOT205) - AWS re:Invent 2018Amazon Web Services
 
How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...
How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...
How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...Amazon Web Services
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignAmazon Web Services
 
Automating Document Information Extraction and Content Understanding​
Automating Document Information Extraction and Content Understanding​Automating Document Information Extraction and Content Understanding​
Automating Document Information Extraction and Content Understanding​Henrik Brattlie
 
How to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaHow to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaAmazon Web Services
 
Top Security Myths Dispelled - AWS Summit Sydney 2018
Top Security Myths Dispelled - AWS Summit Sydney 2018 Top Security Myths Dispelled - AWS Summit Sydney 2018
Top Security Myths Dispelled - AWS Summit Sydney 2018 Amazon Web Services
 
Overview of Data Loss Prevention Policies in Office 365
Overview of Data Loss Prevention Policies in Office 365Overview of Data Loss Prevention Policies in Office 365
Overview of Data Loss Prevention Policies in Office 365Dock 365
 
IoT Building Blocks: From Edge Devices to Analytics in the Cloud - SRV304 - C...
IoT Building Blocks: From Edge Devices to Analytics in the Cloud - SRV304 - C...IoT Building Blocks: From Edge Devices to Analytics in the Cloud - SRV304 - C...
IoT Building Blocks: From Edge Devices to Analytics in the Cloud - SRV304 - C...Amazon Web Services
 
The Journey to the Hybrid Multi Cloud
The Journey to the Hybrid Multi CloudThe Journey to the Hybrid Multi Cloud
The Journey to the Hybrid Multi CloudIdan Tohami
 

What's hot (20)

How to Choose a Cloud Service Provider?
How to Choose a Cloud Service Provider?How to Choose a Cloud Service Provider?
How to Choose a Cloud Service Provider?
 
AWS IoT Security Best Practices
AWS IoT Security Best PracticesAWS IoT Security Best Practices
AWS IoT Security Best Practices
 
Introdction to Cloud Regulation for Enterprise by 2Bsecure
Introdction to Cloud Regulation for Enterprise by 2BsecureIntrodction to Cloud Regulation for Enterprise by 2Bsecure
Introdction to Cloud Regulation for Enterprise by 2Bsecure
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
 
AWS Security and Encryption
AWS Security and EncryptionAWS Security and Encryption
AWS Security and Encryption
 
AWS IoT in the Connected Home - AWS Online Tech Talks
AWS IoT in the Connected Home - AWS Online Tech TalksAWS IoT in the Connected Home - AWS Online Tech Talks
AWS IoT in the Connected Home - AWS Online Tech Talks
 
Security & Compliance
Security & ComplianceSecurity & Compliance
Security & Compliance
 
Managing Security of Large IoT Fleets (IOT321-R1) - AWS re:Invent 2018
Managing Security of Large IoT Fleets (IOT321-R1) - AWS re:Invent 2018Managing Security of Large IoT Fleets (IOT321-R1) - AWS re:Invent 2018
Managing Security of Large IoT Fleets (IOT321-R1) - AWS re:Invent 2018
 
Keep Your IoT Devices Secure (IOT205) - AWS re:Invent 2018
Keep Your IoT Devices Secure (IOT205) - AWS re:Invent 2018Keep Your IoT Devices Secure (IOT205) - AWS re:Invent 2018
Keep Your IoT Devices Secure (IOT205) - AWS re:Invent 2018
 
Data as an Asset, Not a Cost
Data as an Asset, Not a CostData as an Asset, Not a Cost
Data as an Asset, Not a Cost
 
How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...
How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...
How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by Design
 
Automating Document Information Extraction and Content Understanding​
Automating Document Information Extraction and Content Understanding​Automating Document Information Extraction and Content Understanding​
Automating Document Information Extraction and Content Understanding​
 
How to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaHow to Become an IAM Policy Ninja
How to Become an IAM Policy Ninja
 
Top Security Myths Dispelled - AWS Summit Sydney 2018
Top Security Myths Dispelled - AWS Summit Sydney 2018 Top Security Myths Dispelled - AWS Summit Sydney 2018
Top Security Myths Dispelled - AWS Summit Sydney 2018
 
Security in the cloud
Security in the cloudSecurity in the cloud
Security in the cloud
 
Overview of Data Loss Prevention Policies in Office 365
Overview of Data Loss Prevention Policies in Office 365Overview of Data Loss Prevention Policies in Office 365
Overview of Data Loss Prevention Policies in Office 365
 
IoT Building Blocks: From Edge Devices to Analytics in the Cloud - SRV304 - C...
IoT Building Blocks: From Edge Devices to Analytics in the Cloud - SRV304 - C...IoT Building Blocks: From Edge Devices to Analytics in the Cloud - SRV304 - C...
IoT Building Blocks: From Edge Devices to Analytics in the Cloud - SRV304 - C...
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
The Journey to the Hybrid Multi Cloud
The Journey to the Hybrid Multi CloudThe Journey to the Hybrid Multi Cloud
The Journey to the Hybrid Multi Cloud
 

Similar to GDPR: Raising the Bar for Security & Compliance Across the EU

Navigating GDPR Compliance on AWS - AWS Online Tech Talks
Navigating GDPR Compliance on AWS - AWS Online Tech TalksNavigating GDPR Compliance on AWS - AWS Online Tech Talks
Navigating GDPR Compliance on AWS - AWS Online Tech TalksAmazon Web Services
 
Enabling Compliance with the GDPR on AWS
Enabling Compliance with the GDPR on AWSEnabling Compliance with the GDPR on AWS
Enabling Compliance with the GDPR on AWSAmazon Web Services
 
Enabling Compliance with GDPR on AWS.pdf
Enabling Compliance with GDPR on AWS.pdfEnabling Compliance with GDPR on AWS.pdf
Enabling Compliance with GDPR on AWS.pdfAmazon Web Services
 
Navigating GDPR Compliance on AWS
Navigating GDPR Compliance on AWSNavigating GDPR Compliance on AWS
Navigating GDPR Compliance on AWSAmazon Web Services
 
SID303 Navigating GDPR Compliance on AWS
 SID303 Navigating GDPR Compliance on AWS SID303 Navigating GDPR Compliance on AWS
SID303 Navigating GDPR Compliance on AWSAmazon Web Services
 
Accelerate your Cloud journey with security and compliance by design - Margo ...
Accelerate your Cloud journey with security and compliance by design - Margo ...Accelerate your Cloud journey with security and compliance by design - Margo ...
Accelerate your Cloud journey with security and compliance by design - Margo ...Net4All
 
Navigating GDPR Compliance on AWS & Data Regulations in China
Navigating GDPR Compliance on AWS & Data Regulations in ChinaNavigating GDPR Compliance on AWS & Data Regulations in China
Navigating GDPR Compliance on AWS & Data Regulations in ChinaAmazon Web Services
 
Gdpr compliance on_aws
Gdpr compliance on_awsGdpr compliance on_aws
Gdpr compliance on_awssaifam
 
Modernizing Technology Governance
Modernizing Technology GovernanceModernizing Technology Governance
Modernizing Technology GovernanceAlert Logic
 
AWS Finland User Group Meetup 2017-05-23
AWS Finland User Group Meetup 2017-05-23AWS Finland User Group Meetup 2017-05-23
AWS Finland User Group Meetup 2017-05-23Rolf Koski
 
Sicurezza e conformità al GDPR con AWS
Sicurezza e conformità al GDPR con AWSSicurezza e conformità al GDPR con AWS
Sicurezza e conformità al GDPR con AWSAmazon Web Services
 
Security & Compliance in the cloud
Security & Compliance in the cloudSecurity & Compliance in the cloud
Security & Compliance in the cloudAmazon Web Services
 
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...Amazon Web Services
 
AWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS Compliance
AWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS ComplianceAWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS Compliance
AWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS ComplianceAmazon Web Services
 
Enabling Compliance with EU Privacy Laws
Enabling Compliance with EU Privacy LawsEnabling Compliance with EU Privacy Laws
Enabling Compliance with EU Privacy LawsAmazon Web Services
 

Similar to GDPR: Raising the Bar for Security & Compliance Across the EU (20)

Navigating GDPR Compliance on AWS - AWS Online Tech Talks
Navigating GDPR Compliance on AWS - AWS Online Tech TalksNavigating GDPR Compliance on AWS - AWS Online Tech Talks
Navigating GDPR Compliance on AWS - AWS Online Tech Talks
 
Enabling Compliance with the GDPR on AWS
Enabling Compliance with the GDPR on AWSEnabling Compliance with the GDPR on AWS
Enabling Compliance with the GDPR on AWS
 
Enabling Compliance with GDPR on AWS.pdf
Enabling Compliance with GDPR on AWS.pdfEnabling Compliance with GDPR on AWS.pdf
Enabling Compliance with GDPR on AWS.pdf
 
Navigating GDPR Compliance on AWS
Navigating GDPR Compliance on AWSNavigating GDPR Compliance on AWS
Navigating GDPR Compliance on AWS
 
SID303 Navigating GDPR Compliance on AWS
 SID303 Navigating GDPR Compliance on AWS SID303 Navigating GDPR Compliance on AWS
SID303 Navigating GDPR Compliance on AWS
 
Accelerate your Cloud journey with security and compliance by design - Margo ...
Accelerate your Cloud journey with security and compliance by design - Margo ...Accelerate your Cloud journey with security and compliance by design - Margo ...
Accelerate your Cloud journey with security and compliance by design - Margo ...
 
GDPR x AWS 導覽 (Level 200)
GDPR x AWS 導覽 (Level 200)GDPR x AWS 導覽 (Level 200)
GDPR x AWS 導覽 (Level 200)
 
Navigating GDPR Compliance on AWS & Data Regulations in China
Navigating GDPR Compliance on AWS & Data Regulations in ChinaNavigating GDPR Compliance on AWS & Data Regulations in China
Navigating GDPR Compliance on AWS & Data Regulations in China
 
Gdpr compliance on_aws
Gdpr compliance on_awsGdpr compliance on_aws
Gdpr compliance on_aws
 
Modernizing Technology Governance
Modernizing Technology GovernanceModernizing Technology Governance
Modernizing Technology Governance
 
AWS Finland User Group Meetup 2017-05-23
AWS Finland User Group Meetup 2017-05-23AWS Finland User Group Meetup 2017-05-23
AWS Finland User Group Meetup 2017-05-23
 
Sicurezza e conformità al GDPR con AWS
Sicurezza e conformità al GDPR con AWSSicurezza e conformità al GDPR con AWS
Sicurezza e conformità al GDPR con AWS
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 
Security & Compliance
Security & ComplianceSecurity & Compliance
Security & Compliance
 
Security & Compliance in the cloud
Security & Compliance in the cloudSecurity & Compliance in the cloud
Security & Compliance in the cloud
 
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...
 
AWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS Compliance
AWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS ComplianceAWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS Compliance
AWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS Compliance
 
Enabling Compliance with EU Privacy Laws
Enabling Compliance with EU Privacy LawsEnabling Compliance with EU Privacy Laws
Enabling Compliance with EU Privacy Laws
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and Compliance
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS

GDPR: Raising the Bar for Security & Compliance Across the EU

  • 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Tim Rains, EMEA Leader Security & Compliance. GDPR: Raising the Bar for Security & Compliance Across the EU
  • 2. What is the GDPR?
  • 3. What is the GDPR?
    • The "GDPR" is the General Data Protection Regulation, a significant, new EU Data Protection Regulation
    • Introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance across the EU
    • The GDPR is enforceable 25 May 2018, and it replaces the EU Data Protection Directive (Directive 95/46/EC)
    • Territorial scope: Organisations established in the EU and those without an EU presence who target or monitor EU individuals
  • 4. Content vs. Personal Data
    • Content = anything that a customer (or any end user) stores or processes using AWS services, including: Software ǀ Data ǀ Text ǀ Audio ǀ Video
    • Personal Data = information from which a living individual may be identified or identifiable (under EU data protection law)
    • Customer’s “content” might include “personal data”
  • 5. What Else Comes With GDPR? Individuals have the right to a copy of all of the personal data that controllers have regarding him or herself. It also must be provided in a way that facilitates reuse.
  • 6. What Else Comes With GDPR? This gives individuals the right to have certain personal data deleted so third parties can no longer trace them.
  • 7. What Else Comes With GDPR? This helps to facilitate the inclusion of policies, guidelines, and work instructions related to data protection in the earliest stages of projects, including personal data.
  • 8. What Else Comes With GDPR? Controllers must report personal data breaches to the relevant supervisory authority within 72 hours. If there is a high risk to the rights and freedoms of data subjects, they must also notify the data subjects.
  • 9. How AWS can help customers achieve GDPR compliance?
  • 10. All AWS Services GDPR ready
  • 11. Bringing it all together (diagram: Data Subjects; Customers are Controllers; AWS as Processor). Controllers and Processors have obligations under GDPR.
  • 12. Bringing it all together (diagram: Data Subjects; Customer’s customer as Controller; Customer as Processor; AWS as Processor). Controllers and Processors have obligations under GDPR.
  • 13. Transferring Content (map legend: Region and number of availability zones; New region (coming soon))
    • Customers decide where their data will be stored
    • Customers may choose to transfer content that includes personal data
    • From EEA to a country outside the EEA: Data Processing Addendum includes the Standard Contractual Clauses/Model Clauses
    • From EU to US: EU-US Privacy Shield Framework
  • 14. GDPR in Practice: Implementing TOMs. Under GDPR, controllers and processors are required to implement appropriate technical and organisational measures (TOMs) …
    • (1) Pseudonymisation and encryption of personal data
    • (2) Ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
    • (3) Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
    • (4) Process for regularly testing, assessing, and evaluating the effectiveness of TOMs
  • 15. What AWS provides: Tools and Services; Compliance Framework; Partner Network; Data Protection Terms (§§)
  • 16. AWS Shared Responsibility Model. AWS is responsible for the security OF the cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for their security and compliance IN the cloud: Customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection.
  • 17. GDPR is also a “shared responsibility”
    • Legal Compliance (both controllers and processors)
    • System Security and Data Protection by Design (both controllers and processors; AWS has tooling to help)
    • Records of Processing Activities (both controllers and processors; AWS has tooling to help)
    • Encryption (both controllers and processors; AWS has tooling to help)
    • Security of Personal Data (controller responsibility)
    • Managing Data Subject Consent (controller responsibility)
    • Managing Personal Data Deletion (both controllers and processors; AWS has tooling to help)
    • Managing Personal Data Portability (controller responsibility)
  • 18. Navigating GDPR Compliance with AWS Services. Headings: ‘Data protection by design and default’, ‘Security of processing’, ‘Records of processing activities’. Services shown: AWS Snowball, Amazon Virtual Private Cloud (VPC), Amazon API Gateway, AWS KMS, AWS CloudHSM, Server-side Encryption, AWS Identity and Access Management, SAML Federation, Active Directory Integration, AWS Service Catalog, AWS CloudTrail, AWS Config
  • 19. GDPR Compliance Tools. The controller “shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” Tools: Multi-factor authentication; API-Request Authentication; Temporary Access Tokens
  • 20. AWS & The GDPR: Access Control
  • 21. GDPR Compliance Tools. “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” Tools: CloudTrail; Amazon Inspector; Macie; AWS Config
  • 22. AWS & The GDPR: Monitoring and Logging
  • 23. AWS & The GDPR: Amazon GuardDuty
  • 24. GDPR Compliance Tools. Organisations must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data.”
    • Encryption of your data at rest with AES256 (EBS/S3/Amazon Glacier/RDS)
    • Centralised (by Region) with Key Management (AWS KMS)
    • IPsec tunnels into AWS with the VPN-Gateways
    • Dedicated HSM modules in the cloud with CloudHSM
  • 25. AWS & The GDPR: Encryption
  • 26. GDPR Compliance Tools. Appropriate technical and organisational measures may need to include “the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems and services.” Attestations: SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70) / SOC 2 / SOC 3; PCI DSS Level 1; ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018; FIPS 140-2; C5
  • 27. (diagram) Built on AWS consistent baseline controls (AWS Foundation Services, AWS Global Infrastructure). Customers: Your own accreditation; Your own certifications; Your own external audits; Meet your own security objectives. Customer scope and effort is reduced; Better results through focused efforts. GDPR Code of Conduct
  • 28. GDPR – Code of Conduct: CISPE Code (Cloud Infrastructure Service Providers in Europe). The CISPE Code of Conduct:
    • An effective, easily accessed framework for complying with the EU’s GDPR
    • Excludes the re-use of customer data
    • Enables data storage and processing exclusively within the EU
    • Identifies cloud infrastructure services suitable for different types of data processing
    • Helps citizens to retain control of their personal and sensitive data
    • AWS CISPE certified
    • CISPE Code of Conduct in evaluation by Article 29 WP
  • 29. AWS Marketplace: One-stop shop for familiar tools
  • 30. AWS Partner Network (APN) & the GDPR. Consulting Partners: APN consulting partners can help your customers get ready for GDPR. Technology Partners: APN technology partners offer security & identity solutions to help with GDPR.
  • 31. AWS Professional Services. Objective: Educate and enable customers on how to architect their AWS environment to support data protection and privacy. Audience: Legal/Privacy Teams; Regulatory & Compliance Staff; Application, Systems, & Database Architects. Duration: One-day workshop. Level of Effort: One day. © 2018 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 32. Key Activities
    • Earn Trust: Introduction/Review of AWS Compliance Programs; Review AWS Compliance Programs supporting Data Privacy
    • Learn & Educate: Provide concept of Data Protection as a Shared Responsibility; About the customer’s current architecture; Learn about how the customer has interpreted the regulation and the controls; AWS services and features to support technical implementations; Data Processing Addendum
    • Identify: Identify APN Partners and Solutions which can be leveraged in development and operations to achieve data protection efforts
  • 34. Thank you!
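Slide 24 lists encryption of data at rest with keys managed per Region in AWS KMS as one of the technical measures. The Python check below is an added example for this page, not code from the deck or from any AWS tool: it evaluates a bucket's default-encryption setting in the dict shape returned by the S3 GetBucketEncryption API (and accepted by PutBucketEncryption) and shows the weak settings beside the corrected one. The bucket names, account id and key ARNs are constructed sample values, and the pass/fail policy encoded in the function is an assumption of the example, not an AWS or GDPR rule.

```python
"""Check an S3 bucket's default encryption against the measure on the slide:
data at rest encrypted, keys managed in KMS in the bucket's own Region.

Added example, not AWS code. The dict shape is that of the S3
GetBucketEncryption response / PutBucketEncryption input; bucket names,
account id and key ARNs are constructed sample values.
"""
from typing import Optional


def kms_key_region(key_id: str) -> Optional[str]:
    """Region from a KMS key ARN (arn:aws:kms:<region>:<account>:key/<id>).
    A bare key id or alias name carries no Region, so None is returned."""
    parts = key_id.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "kms" and parts[3]:
        return parts[3]
    return None


def evaluate_bucket_encryption(bucket_region: str, config: Optional[dict]) -> dict:
    """Return {'status': 'COMPLIANT' | 'NON_COMPLIANT', 'notes': [...]}.

    `config` is the GetBucketEncryption response, or None when the API raised
    ServerSideEncryptionConfigurationNotFoundError (no default encryption).
    Policy (an assumption of this example): default encryption must exist; if a
    KMS key is named it must live in the bucket's Region; SSE-S3 (AES256) passes
    but is noted, because S3 then manages the key rather than your KMS key policy.
    """
    notes = []
    if not config:
        return {"status": "NON_COMPLIANT", "notes": ["no default encryption configured"]}
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        notes.append("SSE-S3: S3 manages the key; SSE-KMS gives a key policy and CloudTrail key-usage logs")
        return {"status": "COMPLIANT", "notes": notes}
    if algo != "aws:kms":
        return {"status": "NON_COMPLIANT", "notes": [f"unexpected SSEAlgorithm {algo!r}"]}
    key_id = default.get("KMSMasterKeyID")
    if not key_id:
        notes.append("no KMSMasterKeyID: the AWS managed key aws/s3 is used, which has no customer key policy")
        return {"status": "COMPLIANT", "notes": notes}
    region = kms_key_region(key_id)
    if region is None:
        notes.append(f"key {key_id!r} is not an ARN; its Region cannot be verified from the bucket config alone")
    elif region != bucket_region:
        return {"status": "NON_COMPLIANT", "notes": [f"key is in {region} but bucket is in {bucket_region}"]}
    return {"status": "COMPLIANT", "notes": notes}


def kms_default_encryption(key_arn: str) -> dict:
    """The corrected configuration: SSE-KMS with a named customer managed key.
    With boto3 you would pass cfg["ServerSideEncryptionConfiguration"] to
    put_bucket_encryption(Bucket=..., ServerSideEncryptionConfiguration=...)."""
    return {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": key_arn}}]}}


# Constructed sample inventory: (bucket Region, GetBucketEncryption response or None).
EU_KEY = "arn:aws:kms:eu-central-1:123456789012:key/11111111-2222-3333-4444-555555555555"
US_KEY = "arn:aws:kms:us-east-1:123456789012:key/66666666-7777-8888-9999-000000000000"
SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

SAMPLE_BUCKETS = {
    "pd-raw-unencrypted": ("eu-central-1", None),                       # weak: nothing configured
    "pd-sse-s3": ("eu-central-1", SSE_S3),                              # encrypted, S3-managed key
    "pd-kms-eu": ("eu-central-1", kms_default_encryption(EU_KEY)),      # corrected shape
    "pd-kms-cross-region": ("eu-west-1", kms_default_encryption(US_KEY)),  # key outside the EU Region
}


def audit(buckets=SAMPLE_BUCKETS) -> dict:
    """Map each bucket name to its status; run over a real inventory by replacing
    the constructed dict with GetBucketEncryption results per bucket."""
    return {name: evaluate_bucket_encryption(region, cfg)["status"]
            for name, (region, cfg) in buckets.items()}


if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{name:24s} {status}")
```

The Region comparison is the part a plain "is encryption on?" check misses: a bucket in eu-central-1 encrypted under a key in us-east-1 still meets the letter of "encrypted at rest" while moving key control out of the Region the customer chose on slide 13.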

Editor's Notes

  1. Let’s take some time to go over some of the basics of the General Data Protection Regulation.
  2. 1. Applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. 2. Applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. 3. Applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
  3. Content: for example, a customer’s “content” includes objects that the customer stores using S3, files stored on EBS, or the contents of an Amazon DynamoDB table. Personal Data: “personal data” includes names, email addresses, social security numbers, payroll ID numbers, etc. There’s also a recent line of cases in Europe that have determined that, in some cases, IP addresses can be “personal data”.
  4. The Right to data portability. The GDPR creates a new right for individuals to have more control over their own personal data. In practice this means that controllers have to have the ability to provide the data subject with a copy of all the personal data that they have regarding him or her; and the ability to transfer the data to another data controller or service provider. It’s important to ensure the portability of all personal data that the individual has provided actively and knowingly. This includes information the individual has provided to you by using the service or device, such as location data or their heartbeat from a fitness tracker. This could therefore be a large collection of data. Furthermore, the data must be provided in a way that facilitates reuse. An example of this would be an email being provided in a format that preserves all the meta-data to allow effective reuse.
  5. The right to be forgotten. The right to be forgotten gives individuals the right to have certain personal data deleted so that third parties can no longer trace them. In practice, this means that such personal data needs to be deleted entirely from the controller’s system and, if the controller has made the information public, such as on the internet, then the controller has to ensure that all links to the information have been erased.
  6. Privacy by design. The concepts of privacy by design and privacy by default help to promote compliance with data protection laws and regulations from the earliest stages of projects involving personal data. Clear policies, guidelines, and work instructions related to data protection should be developed and the input of a privacy specialist should be sought to assist with applying these requirements. Development methods that are used within the organization, such as agile or waterfall methodologies, must be taken into account in order to apply the concepts throughout the entire development process. This will enable the development teams to take appropriate measures in the relevant phases. Finally, when a design has been completed, it must be adopted by the organization and monitored throughout its lifetime.
  7. Data breach notification. If security measures are breached and personal data is unlawfully processed, the controller must report such a breach to the supervisory authority within 72 hours. Also, if there is a high risk to the rights and freedoms of data subjects or other individuals, the controller must also notify the data subjects.
  10. Customers decide where their content will be stored. The AWS infrastructure is built around Regions and Availability Zones. A Region is a location in which there are multiple Availability Zones. Availability Zones consist of one or more discrete data centres. AWS currently has three Regions in the EU: Ireland (Dublin), UK (London) and Germany (Frankfurt). This set-up allows customers with specific geographic requirements to establish environments in a location of their choice. For example, AWS customers in Europe can choose to deploy their AWS services exclusively in the Germany region. Customers may choose to transfer content that includes personal data cross-border. AWS offers customers a data processing addendum that includes the Standard Contractual Clauses/Model Clauses that would apply where a customer transfers data containing personal data from the EEA to a country outside the EEA. The EU data protection authority, known as the Article 29 Working Party, has approved the AWS Data Processing Addendum and Model Clauses. This approval means that customers who require the Model Clauses can rely on the AWS DPA as providing sufficient contractual commitments to enable international data flows in compliance with the EU data protection Directive. In addition to the AWS DPA and the Model Clauses, customers who wish to transfer content that includes personal data from an EU Region to a US region benefit from AWS’ participation in the EU-US Privacy Shield Framework.
  12. We look after the security OF the cloud, and you look after your security IN the cloud.
  13. To protect your application, AWS invests in a broad portfolio of security, identity, and management tools to help ensure your applications are secure and operate in a compliant manner.
  --NETWORKING--
  Amazon VPC: Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. With Amazon VPC, you can make the Amazon cloud a seamless extension of your existing on-premises resources.
  AWS WAF: AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.
  --ENCRYPTION--
  AWS KMS: AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
  AWS CloudHSM: The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. With CloudHSM, you control the encryption keys and cryptographic operations performed by the HSM.
  Server-side Encryption: AWS allows data to be encrypted with AWS service managed keys, AWS managed keys via AWS KMS, or customer managed keys. We also make the AWS Encryption SDK freely available to help developers correctly generate and use encryption keys, as well as protect the key after it has been used.
  --IDENTITY--
  AWS IAM: AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
  AWS Directory Service: AWS Directory Service makes it easy to set up and run Microsoft Active Directory (AD) in the AWS cloud, or connect your AWS resources with an existing on-premises Microsoft Active Directory. Once your directory is created, you can use it to manage users and groups, provide single sign-on to applications and services, create and apply group policy, domain join Amazon EC2 instances, as well as simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads.
  SAML Federation: AWS IAM supports SAML 2.0 to allow identity integration with most major identity management solutions. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml_3rd-party.html]
  --COMPLIANCE--
  AWS Service Catalog: AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows you to centrally manage commonly deployed IT services, and helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need.
  AWS CloudTrail: AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
  AWS Config: AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
  14. Segue to talk about FedRAMP potentially and share your experiences from around the world!
  15. As Esther mentioned, GDPR encourages industries to develop codes of conduct to help enable the Controller to demonstrate their compliance. The CISPE code is one such code of conduct.
  16. Data Collection: Have you taken into account the definition of “personal data” to determine what your organization is collecting? From where, and what mechanisms are used? Access Controls: Can you identify who has access to personal data? Data Storage/Retention: Can you inform on where personal data is stored? Data Rights: Do you support means for customers to control access to their data? Breach Notification: Is your organization currently supporting a breach notification program and does it meet/exceed the GDPR timelines? Data Transfer: Do you use transfer mechanisms to process personal data?
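Note 13 describes what a CloudTrail record carries (caller identity, time, source IP address, request parameters) and slide 21 quotes the duty to keep a record of processing activities. The Python below is an added example for this page, not code from the deck or from AWS: it turns a handful of constructed CloudTrail-style S3 data events into a per-principal summary of reads and deletions on buckets classified as holding personal data, and flags successful access that came from outside the networks you expect, which is the kind of finding that starts the 72-hour breach assessment on slide 8. The bucket names, ARNs, account id, addresses and trusted ranges are all constructed.

```python
"""Summarise CloudTrail S3 data events into a per-principal record of who read
or deleted objects in personal-data buckets, flagging access from unexpected
networks.

Added example, not AWS code. Record fields follow the CloudTrail event
format; the bucket names, ARNs, account id and IP addresses are constructed.
"""
import ipaddress
from collections import defaultdict

# Buckets you have classified as holding personal data (constructed).
PERSONAL_DATA_BUCKETS = {"hr-payroll-eu"}
# Networks from which access is expected: VPC range and office egress (constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]

READ_EVENTS = {"GetObject", "HeadObject", "ListObjects", "ListObjectsV2", "SelectObjectContent"}
DELETE_EVENTS = {"DeleteObject", "DeleteObjects"}


def _record(user, name, bucket, ip, key="payroll/2018-05.csv", error=None):
    """Build a constructed CloudTrail-style S3 data event for the sample set."""
    r = {
        "eventVersion": "1.05",
        "eventTime": "2018-05-25T09:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::123456789012:user/{user}"},
        "sourceIPAddress": ip,
        "requestParameters": {"bucketName": bucket, "key": key},
        "responseElements": None,
    }
    if error:
        r["errorCode"] = error          # CloudTrail adds errorCode on failed calls
    return r


SAMPLE_RECORDS = [
    _record("alice", "GetObject", "hr-payroll-eu", "10.20.30.40"),
    _record("alice", "GetObject", "hr-payroll-eu", "10.20.30.40"),
    _record("alice", "GetObject", "public-website", "10.20.30.40"),           # not personal data
    _record("bob", "GetObject", "hr-payroll-eu", "198.51.100.7"),              # outside trusted networks
    _record("erasure-job", "DeleteObject", "hr-payroll-eu", "10.0.5.6"),       # erasure request batch
    _record("eve", "GetObject", "hr-payroll-eu", "198.51.100.9", error="AccessDenied"),
]


def is_trusted(source_ip: str, trusted=TRUSTED_NETWORKS) -> bool:
    """True if the caller address is inside a trusted network. CloudTrail puts a
    service DNS name (e.g. 'config.amazonaws.com') in sourceIPAddress for calls
    made by AWS services on your behalf; those are not flagged by this check."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return True
    return any(addr in net for net in trusted)


def summarise_access(records, personal_buckets=PERSONAL_DATA_BUCKETS, trusted=TRUSTED_NETWORKS):
    """Per-principal counts of successful reads, deletes and denied attempts on
    personal-data buckets, plus the source addresses outside trusted networks."""
    summary = defaultdict(lambda: {"reads": 0, "deletes": 0, "denied": 0, "untrusted_ips": set()})
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        bucket = (r.get("requestParameters") or {}).get("bucketName")
        if bucket not in personal_buckets:
            continue
        who = r["userIdentity"].get("arn") or r["userIdentity"].get("principalId", "unknown")
        entry = summary[who]
        if r.get("errorCode"):
            entry["denied"] += 1        # attempted, not actual, processing; still worth keeping
            continue
        if r["eventName"] in READ_EVENTS:
            entry["reads"] += 1
        elif r["eventName"] in DELETE_EVENTS:
            entry["deletes"] += 1
        else:
            continue                    # writes and other calls are out of scope for this view
        ip = r.get("sourceIPAddress", "")
        if not is_trusted(ip, trusted):
            entry["untrusted_ips"].add(ip)
    return dict(summary)


def flagged_principals(summary) -> list:
    """Principals whose successful access came from outside trusted networks:
    the entries to triage first against the 72-hour notification clock."""
    return sorted(p for p, e in summary.items() if e["untrusted_ips"])


if __name__ == "__main__":
    s = summarise_access(SAMPLE_RECORDS)
    for who, e in s.items():
        print(who, e)
    print("flagged:", flagged_principals(s))
```

In practice the records come from the CloudTrail log files delivered to S3 (each file is a JSON object with a "Records" list), and S3 data events must be enabled on the trail for GetObject and DeleteObject calls to appear at all; without that, the summary only sees bucket-level management calls.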