A Guide to GDPR Compliance for Containers and the Cloud
If you’ve played a role in designing or managing cloud environments in any way during the past several years, you’re probably already familiar with the General Data Protection Regulation, or GDPR. The GDPR, which took effect in 2018, is one of the most recent major compliance frameworks to come online. As such, it was designed especially with cloud computing in mind, in ways that older compliance frameworks (like HIPAA and PCI DSS) were not.
The GDPR certainly doesn’t prevent businesses from running workloads in the cloud, but it does establish a number of rules that many organizations must follow in order to host applications or data in the cloud. In this article, we explain what the GDPR means for cloud computing, which businesses need to comply with GDPR mandates, and how to secure cloud environments in ways that promote GDPR compliance.
What Is the GDPR?
The GDPR is a European Union regulation designed to protect digital privacy rights. It regulates how businesses store and process what it calls “personal data,” which is defined in article 4 as:
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Where Does the GDPR Apply?
Although the GDPR is a European Union regulation, it has broad implications for companies around the world.
That is because the GDPR applies to any organization that collects or processes the personal data of E.U. residents – even if the organization itself is based outside of the E.U. and does not use E.U.-based infrastructure to store or process that personal data. If you host a website on a server in California or you run a SaaS app out of a data center in Japan, you may be subject to GDPR if E.U. residents use your site or app, even if your business has no direct presence in the E.U.
Note, too, that unlike some compliance frameworks, the GDPR doesn’t provide exemptions for small organizations. It applies to all entities regardless of their size. It does simplify certain compliance procedures for businesses with fewer than 250 employees, but it doesn’t actually exempt them from any core GDPR requirements.
What Are the GDPR Requirements?
The full text of the GDPR is quite long. But its key takeaways, which are summarized in article 5, boil down to seven key principles that organizations must follow when storing or processing personal data:
- Lawfulness, fairness, and transparency: Organizations must be transparent about how they use personal data, and they must manage it in ways that the GDPR deems reasonable based on established law.
- Purpose limitation: Organizations must use data for specific and limited purposes; they can’t collect personal data and store it indefinitely for no reason, for example.
- Data minimization: Organizations should restrict personal data collection to the minimum necessary to achieve their business objectives.
- Accuracy: Organizations must strive to ensure that the data they collect and store about individuals is accurate, and they must give consumers the ability to correct inaccurate data.
- Storage limitation: Organizations should not store personal data for longer than is needed.
- Integrity and confidentiality (security): Organizations must implement reasonable security measures to prevent abuse of, or unauthorized access to, personal data.
- Accountability: Organizations must be able to demonstrate that they adhere to the principles of the GDPR.
While these principles define the what of the GDPR, the GDPR itself is not very specific about how the principles should be applied. It doesn’t state exactly how long organizations are allowed to store data, for instance; it simply enforces a principle of reasonable storage limitations. Nor does it specify exactly how to secure environments that contain sensitive data; it just says that organizations should take reasonable steps to secure them.
Thus, the GDPR leaves it mostly up to organizations to determine how to translate its principles into practice. Best practices for GDPR compliance will therefore vary significantly from one business to the next depending on which types of workloads they run.
What Are the Implications of GDPR Non-Compliance?
The GDPR is quite straightforward about non-compliance fines. They can be as high as 20 million euros or 4 percent of an entity’s annual revenue, whichever is greater. Note that the fines are imposed on a per-infringement basis, which means that a company could end up paying multiples of these figures if regulators find it guilty of multiple non-compliance infringements.
However, GDPR fines are assessed based on the severity of the non-compliance incident, and lower fines are possible. Because the GDPR remains relatively new, there have been few enforcement cases to date that demonstrate how much GDPR non-compliance can cost in practice under different types of circumstances. But there have been some steep fines already, most notably Amazon’s €636 million fine.
GDPR Cloud Compliance Best Practices
Because the GDPR is not very specific about how to implement its principles, there are no hard-and-fast rules about how to design and manage a GDPR-compliant cloud environment. However, there are some standard best practices to follow.
Use a GDPR-Compliant Cloud
First and foremost, make sure that your cloud provider complies with GDPR mandates when managing its own infrastructure. All of the major clouds promise GDPR compliance for most of their services, so this shouldn’t be a challenge, although you may want to do your research to determine whether the provider has had GDPR compliance issues in the past.
Anonymize Cloud Data
Although data anonymization does not guarantee that personal data won’t be exposed to unauthorized access, anonymizing any data you store or process in the cloud is a best practice for mitigating the risk of GDPR compliance issues.
Use Cloud Data Lifecycle Policies
Most public clouds provide data lifecycle management tools that can, among other things, automatically delete data when it reaches a specified age. Consider using these tools to help implement the storage limitation principle of the GDPR without having to rely on manual data deletion.
Encrypt Cloud Data
Encrypting cloud storage buckets, databases, and other storage locations is another best practice for helping to mitigate the risk of exposing personal data. You should also encrypt network connections that transfer sensitive data, as well as minimize the extent to which sensitive data is transferred within your cloud environment or between the cloud and external locations.
Tag and Classify Cloud Resources
Use your cloud provider’s tagging or labeling systems to classify and organize cloud resources. Although failure to use tags is not itself a compliance issue, tags can reduce the risk that you’ll accidentally store or process sensitive data somewhere in your cloud environment without knowing about it – a risk that can pose a real problem in large-scale cloud environments shared by multiple users or teams.
Enforce Cloud Access Controls
Use your cloud provider’s IAM to restrict which users, applications, and services can access personal data in the cloud. Just as important, automatically scan your IAM configurations to detect oversights that may lead to unauthorized access, such as an IAM rule that allows anyone on the Internet to view data that should not be public.
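The kind of automated IAM check described above, as an added example that is not part of the original article: it parses an AWS-style bucket policy (the sample policy and account id are constructed, not taken from any real account) and reports every Allow statement whose Principal resolves to "anyone", distinguishing unconditional public grants from ones narrowed by a Condition block.

```python
"""Flag IAM / bucket-policy statements that grant access to everyone."""
import json

# Constructed sample bucket policy (hypothetical account id and bucket name).
# The second statement is the oversight the article warns about: a public read.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::customer-records/*"},
        {"Sid": "OopsPublic", "Effect": "Allow",
         "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::customer-records",
                      "arn:aws:s3:::customer-records/*"]},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::customer-records/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _is_wildcard_principal(principal):
    """True if the statement's Principal is the literal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def find_public_statements(policy_json):
    """Return (Sid, severity) for every Allow statement open to the world.

    Statements that carry a Condition block are reported as "conditional"
    so a reviewer can judge whether the condition really narrows access.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        severity = "conditional" if "Condition" in stmt else "public"
        findings.append((stmt.get("Sid", f"statement-{idx}"), severity))
    return findings


if __name__ == "__main__":
    for sid, severity in find_public_statements(SAMPLE_POLICY):
        print(f"{severity}: {sid}")
```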
GDPR Compliance for Containers
The practices above apply to virtually any type of cloud-based workload. However, there are some additional GDPR compliance considerations to bear in mind when working with container-based environments.
Container Image Scanning
Container image scanning can help you identify malware, vulnerabilities, or other risks that may exist within container images. If you run containers, image scanning is part of the reasonable security controls that you should implement for GDPR compliance.
Kubernetes Audit Logging
If you use Kubernetes, you can take advantage of Kubernetes audit logging to detect potential security issues in your containerized environment. Audit logging may help demonstrate accountability under the GDPR. It may also be considered a basic security control that organizations are expected to implement.
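One detection you can run over Kubernetes audit logs, as an added example that is not part of the original article: it reads audit.k8s.io/v1 events in JSON-lines form (the four sample events, their usernames and namespace are constructed, not captured from a real cluster) and reports successful reads of Secrets by identities outside a per-namespace allowlist, which is the kind of evidence that supports the accountability principle.

```python
"""Scan Kubernetes audit events for Secret reads by unexpected identities."""
import json

# Constructed audit events (hypothetical users and namespace), limited to the
# fields this check uses. Real events carry more fields, such as auditID.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": "system:serviceaccount:payments:api"},
     "objectRef": {"resource": "secrets", "namespace": "payments", "name": "db-creds"},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "list", "user": {"username": "jane@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "payments"},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": "jane@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "payments", "name": "db-creds"},
     "responseStatus": {"code": 403}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": "jane@example.com"},
     "objectRef": {"resource": "configmaps", "namespace": "payments", "name": "app"},
     "responseStatus": {"code": 200}},
])

READ_VERBS = {"get", "list", "watch"}


def find_unexpected_secret_reads(audit_jsonl, allowed_principals):
    """Return (username, namespace, verb, status) for each successful read of
    a Secret by a user not listed in allowed_principals[namespace]."""
    findings = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("stage") != "ResponseComplete":
            continue  # ignore RequestReceived/ResponseStarted duplicates
        ref = event.get("objectRef", {})
        if ref.get("resource") != "secrets" or event.get("verb") not in READ_VERBS:
            continue
        status = event.get("responseStatus", {}).get("code", 0)
        if status >= 400:
            continue  # denied by RBAC; a separate rule could watch 403 bursts
        user = event.get("user", {}).get("username", "")
        namespace = ref.get("namespace", "")
        if user not in allowed_principals.get(namespace, set()):
            findings.append((user, namespace, event["verb"], status))
    return findings


if __name__ == "__main__":
    allowlist = {"payments": {"system:serviceaccount:payments:api"}}
    for finding in find_unexpected_secret_reads(SAMPLE_AUDIT_LOG, allowlist):
        print("unexpected secret read:", finding)
```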
Managing Container Data
Managing personal data can be especially challenging when working with containers. In some cases, personal data may at first exist inside containers, then be moved to an external location, such as a Kubernetes storage volume. It’s important to ensure that you encrypt personal data as it passes through all layers of your container infrastructure. You should also make sure to encrypt and otherwise secure network connections between containers and microservices, which you can do using tools like service meshes.
Container RBAC Tooling
While cloud IAM frameworks are useful for enforcing generic access controls across your cloud environment as a whole, they lack the granularity and nuance of tools like Kubernetes RBAC and security contexts when securing containers specifically. You should take advantage of whichever container-specific access control tooling is available in your environment to augment your GDPR container compliance.
Although the GDPR has major implications for how organizations across the world use the cloud and containers, it’s feasible enough to comply with its rules. Doing so starts with understanding the fundamental compliance and security principles that the GDPR is designed to enforce, then determining which tools and practices you can implement in your environment to meet the GDPR requirements.