Processing of personal data
Any business is considered a controller if it stores or processes personal information for its customers or employees. In addition, the company may be considered as a data processor if it processes personal data on behalf of other controllers or their data processors.
Processing personal data puts in place substantial requirements for information security and internal control. Bringing cloud services into the mix makes it even a bit more complicated – how can the company secure personal data when they do not own the servers and applications where the data is processed and stored? Let’s see if we can get this figured out!
Identity Management – control over roles and access
As a “data processor”, the company must ensure that personal data is only processed by authorized personell and only within a necessary extent. It is important to give your employees the right user roles and manage their access and rights. It is even more important to prohibit access from employees who no longer work with a given project or in the same company.
If it is too much to keep track of manually, digital solutions within identity and access management are helpful. IAM solutions provide automated identity management and can give employees access to the right cloud applications and resources needed for a given purpose. ANy and all access can also be withdrawn when it is no longer needed – automatically.
IAM provides reports covering access and user roles and ensures that the company always knows who has access to personal information.
Single Sign-On with adaptive multi-factor authentication – Secure Login to the company’s cloud solutions
GDPR places high requirements on information security. The company has is obligated to prove that they continuously ensure the confidentiality, integrity, availability and robustness of systems and services which process personal data. The use of SaaS, PaaS and IaaS solutions often increases availability and robustness when applications are located on larger, secure platforms, but what happens if credentials are stolen?
Single Sign-On solves problems connected to using different passwords for different services, by removing the need and possibility for storing local passwords throughout the cloud and by encapsulating the authentication process to prevent malicious attackers from interferring. Combined with multifactor authentication (MFA), this provides adequate protection against phishing and other situations where the employees can lose track of their login details.
Furthermore, adaptive-MFA provides an additional layer of security: deviations associated with geographical locations, unusual login times and unknown login devices, trigger a system awareness which then requires additional information from the user trying to log in. All these elements ensure the improvement of confidentiality and integrity.
CASB og DLP in the cloud – overview and control of information flow and sensitive data
GDPR requirements also apply to more than the actual access to resources. Do you have control over who the personal information in your business is shared with? Are you sure that files containing personal information were not uploaded to a poorly secured cloud storage service by an unwary employee? Or that a database containing personal information about your customers, isn’t dumped into an employee’s private email address?
A Cloud Access Security Broker (CASB) can determine which cloud services are used by employees, as well as what type of data is being sent and stored. The service allows you to allow or block selected services, for instance based on their location. GDPR does not allow personal data to be transferred to countries outside the EU/EEA who do not have a sufficient level of protection.
Using built-in DLP (Data Loss Prevention) rules, alarms can be set off upon detecting attempts at sending personal information to external e-mail addresses, shared with others or published publicly.
GAP analysis – check your current situation with the desired level of security in the cloud
Our security architects have composed a GAP analysis customized for the requirements of GDPR and cloud services. This allows your company to find out how it measures up to the GDPR legislation and the desired level of security, as well as the remaining items.
Whether you’re already using SaaS, IaaS or PaaS solutions, or considering moving your services to the cloud, we can help you do that securely and in compliance with rules and regulations!
Cloudworks’ Cloud Security Framework – security in your cloud solution
Cloudworks’ Cloud Security Framework is a framework designed to preserve the security of our customers in their IaaS and PaaS solutions. Here, we prioritize the confidentiality, integrity, accessibility and robustness of the systems, which often process personal data. The framework is adapted to the customer’s needs, as well as the rules that they are required to comply with.
Cloudworks‘ Cloud Security Framework consists of a GAP analysis, secure configuration of the customer’s IaaS / PaaS-solution and training. If your business is considering migration to the cloud or already has and needs expert advice on how to structure and manage the solution in compliance with GDPR requirements, then this is definitely something for your consideration!
Want to know more? Our experienced IAM consultants and security architects can help you with your challenges regarding GDPR, information security and cloud solutions – contact us today!
