GDPR and the compliance conundrum
- By Mark Baker
- May 03, 2018
Like a train speeding down the track, enforcement of the European Union’s General Data Protection Regulation (GDPR) begins in mere weeks, on May 25, 2018. Not only does all personal data an organization holds about its customers need to be accounted for (an extremely challenging task in many complex IT environments), but internal processes also have to be updated and employees educated so that companies don’t run afoul of the regulation.
GDPR applies not only to organizations within the EU, but to any organization, regardless of location, that processes the personal data of individuals in the EU. This makes GDPR a major concern for any U.S. organization that handles Europeans’ personal data.
An unexpected consequence of GDPR, however, is that it has many businesses second-guessing cloud computing. The concern stems largely from a misconception: that keeping compliant on a cloud platform, where data is held by a third party on shared systems, will be harder than on traditional in-house systems, and that the data will be less secure.
But the truth is very different.
Public cloud services can be extremely secure and often can be a safer option than in-house systems. So, what exactly is behind this misconception and why should businesses be trusting public cloud services with their compliance needs?
On the face of things, it’s easy to see why many people would assume on-premises infrastructure is more secure and easier to manage. In theory, businesses know exactly where their data is stored and who has access to it, and both of those facts provide comfort.
They can also design the architecture to suit their own specific needs and preferences, as well as reduce the risk of data loss if a public cloud provider goes out of business. One could argue that such a setup would be particularly appealing to businesses operating in highly regulated industries, such as healthcare and financial services, which need to have greater visibility and control over how their data is managed.
However, firms would be wise to remember that operating their own private cloud places the responsibility for security and compliance squarely on their shoulders. They are at the mercy of the weather and the resilience of their local power grid, and potentially helpless if something goes wrong.
It also leaves those organizations exposed to disgruntled employees and internal data theft. Employees may have easy access to confidential data, sometimes with very little to stop them from stealing corporate information simply by pulling a disk from a server and walking out of the building with it. Often employees can also plug in USB drives that have been used on home systems and may carry malware. Huge faith is placed in the firewall as the means of keeping intruders out, yet backdoors may well exist in the form of legacy, unsecured modem connections, and in poor access control processes that leave user credentials active long after the relevant employee has left the company.
So just because infrastructure is in your data center doesn’t mean it is inherently more secure, resilient or suitable to meet the needs of regulatory compliance than public cloud.
While some businesses may feel more comfortable knowing their data is being stored within their own walls, data location is only one small aspect of security and compliance.
Along with providing innovative new services to enable business growth, it is the job of public cloud providers to protect their customers’ data. A central component of their value proposition, therefore, is the delivery of systems, tools and continuity plans that make their cloud infrastructure safe and secure.
This applies to both virtual and physical means of protection. Corporate data will be stored in a secure facility with multiple layers of physical security that are often not present if businesses opt to run their cloud infrastructure in-house.
Public cloud providers are also likely to carry out software patching on a more regular basis, which is essential to managing the data protection elements of GDPR. Businesses running their own private clouds are generally slower to close security gaps, leaving themselves exposed to potential data breaches and compliance holes. The recent Spectre and Meltdown vulnerabilities are a good example: Google, Microsoft and Amazon all patched their systems quickly after the problems became public. Meanwhile, many businesses will still be trying to determine which local systems they need to patch and how to go about doing it. One caveat applies: the provider patches its hypervisors and management planes, but on infrastructure services the guest operating systems remain the customer’s responsibility and still need the same kernel and microcode updates.
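Determining which local systems still need the Spectre and Meltdown fixes is easier than the paragraph suggests, at least on Linux: kernels from 4.15 onward report mitigation status under /sys/devices/system/cpu/vulnerabilities, one file per issue. The script below is an added example and not part of the original article or of any vendor’s tooling; it reads that directory (or a directory passed as its first argument, which is an assumption made so it can be exercised against constructed files), prints a status line per entry and exits non-zero when anything still reads "Vulnerable", so it can be run from a fleet-wide job to find hosts that were missed.

```shell
#!/bin/sh
# Report speculative-execution mitigation status from the kernel's sysfs
# interface (Linux >= 4.15). Added example, not from the original article.
#
#   report_cpu_vulns [DIR]   DIR defaults to the real sysfs path; passing a
#                            directory is an assumption added for testing.
#
# Prints one line per file in DIR and returns:
#   0  everything is mitigated or not affected
#   1  at least one entry reports "Vulnerable"
#   2  DIR does not exist (kernel too old to report, or not Linux)

count_vulnerable() {
    # Print how many files in $1 start with the word "Vulnerable".
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

report_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: this kernel does not report mitigation status" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            "Not affected")  flag="ok" ;;
            Mitigation*)     flag="ok" ;;
            Vulnerable*)     flag="VULNERABLE" ;;
            *)               flag="unknown" ;;   # new status strings appear in newer kernels
        esac
        printf '%-24s %-10s %s\n' "$(basename "$f")" "$flag" "$status"
    done
    [ "$(count_vulnerable "$dir")" -eq 0 ]
}

# Run the report when this file is executed directly; sourcing it only
# defines the functions.
if [ "${0##*/}" = "cpu_vulns.sh" ]; then
    report_cpu_vulns "$@"
fi
```

Typical use is `sh cpu_vulns.sh; echo $?` on each host after a reboot, since a kernel or microcode update that has been installed but not yet booted into still shows as vulnerable here; an entry reported as "Vulnerable: ..." with a partial mitigation named after the colon is still treated as unpatched, which is the conservative choice for a compliance sweep.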
Furthermore, public cloud providers tend to have highly skilled and experienced IT teams, which isn’t something that can be said for all businesses. The skills gap is acute in the cloud world, and businesses are finding it harder than ever to attract talented engineers. This causes problems when it comes to addressing the more technical compliance challenges, many of which could be solved by building on third-party infrastructure.
Add the fact that businesses using a provider are not alone when defending against attacks, and the skills argument provides compelling support for using third-party providers to help meet legislative requirements.
The combination of these factors means that in many cases, public cloud can actually be a better option than a private cloud for systems with high security and compliance requirements. It can certainly be a less complicated option for businesses and help give them peace of mind amid a shifting regulatory landscape.
GDPR is indisputably a landmark law, requiring a massive overhaul in how organizations approach data privacy. But rather than shying away from public infrastructure, organizations should be embracing it as part of a hybrid cloud offering on their journey to compliance.
Mark Baker is a field product manager for Canonical.