By Shiji Sujai, IOD Expert
Compliance audits are that part of the year when the whole IT department scrambles around checking and rechecking the security perimeters, combing through logs, and updating documents to ensure that not a hair is out of place when the auditor shows up.
Yes, been there, done that!
Having faced many internal and external compliance audits representing my team, I sure know how draining the experience can be. You close all loopholes and keep your fingers crossed that Murphy’s Law takes the day off when the audit happens. Still it’s quite possible that the auditor spots that chink in your shiny armor that was hiding from you in plain sight!
The chink in question is often a clause or requirement related to data privacy that goes unnoticed. With GDPR coming into effect last May 28, organizations with business interests in EU are now mandated to tackle this, hands on.
GDPR is an European privacy law focused on the privacy rights of customer data irrespective of the location where it is stored, transmitted, or processed. GDPR raises the bar on how data privacy is managed, especially in public cloud environments. Azure is one of the leading public cloud service providers and Microsoft has come up with clear guidelines and checklists to help customers in their GDPR compliance journey.
In this blog, we will review the different aspects of GDPR, as well as some of the sanity checks that can be followed by customers to ensure their Azure deployments are GDPR-ready.
Should I Worry About GDPR?
The answer is yes. You should worry about GDPR if you are not taking personal data protection of your customers very seriously!
GDPR in a broad sense is applicable for any establishment in EU that handles personal data of individuals. It is also applicable for any organization outside EU, but stores or process personal data of individuals in EU as part of providing goods and services. Personal data is defined as following in the official GDPR document:
“’personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”
Employee information, customer service database, health records and history, financial information, biometrics, CCTV footage, and even pseudonymized data linked to an individual is considered personal data. More stringent rules are applicable for sensitive personal data like ethnicity, health records, sexual orientation, and political opinions. Customers are empowered to initiate civil litigation against organizations handling their data in the event of a GDPR breach. Such an infringement could also lead to financial penalties with fines up to maximum of €20 Million or 4% of annual turnover of the organization, whichever is greater.
6 Principles of GDPR
GDPR requirements are aligned with the following six principles of data protection:
- Organizations should practice transparency, fairness, and lawfulness in handling personal data. Individuals have the right to know if their personal data is being processed by an organization. They could revoke access to the data, request the data to be deleted, or direct the data be used for specific purposes only.
- Data should be collected and processed for legitimate purposes only and for a specific duration.
- Reduce the amount of data collected, restricting it to what is required for data processing. This will minimize the exposure risk in the event of an unauthorized data access.
- Take measures to ensure accuracy of the personal data stored. Any errors should be addressed and corrected to keep the data up-to-date.
- Personal data that is no longer processed or used should be removed from the system to protect privacy.
- It is important to ensure security, confidentiality, and integrity of the stored data. This points towards appropriate processes and technical configurations that should be in place to keep the personal data secure.
IOD is a content creation and research company working with some of the top names in IT.
You can be too! JOIN US.
The 4-Step Approach to GDPR Compliance in Azure
To ensure GDPR compliance in Azure, Microsoft recommends a 4-step approach: Discover. Manage. Protect. Report.
Discover – Identify Personal Data and Where It Resides
Organizations should start with inventory of data stored in an Azure cloud platform to understand the personal data storage location, how it is collected, stored, processed, and retained after processing. The following tools and services in Azure are helpful in this phase:
- Azure Data catalog is a fully managed cloud service that helps with discovery and analysis of data sources. It can act as single point of reference for your data hosted in Azure and can be used for discovery and annotation of data assets. Once a data source has been registered with Azure Data Catalog, its metadata is indexed by the service so that you can easily search to discover the data you need.
- Azure Information protection (AIP can be used for classification of documents and emails based on sensitivity of the data. The persistent metadata used for classification includes a clear-text label that can be fed into other DLP solutions and applications.
Manage – Govern Usage and Access of Personal Data in an Organization
Once the data inventory is completed, the next step is to develop and implement data governance policies. It’s important to define the access levels to data, with clear definitions on who is authorized to access the data along with the purpose and duration of access. Organizations also should have processes in place to meet demands of individuals for transfer of their data, updates, and error correction, as well as implementation of additional restrictions. The following tools and services can help with implementation of data governance in line with GDPR requirements:
- Azure Role-Based Access Control (RBAC) helps you manage access to your Azure resources at the administrative layer. It enables you to implement fine-grained access control to resources based assigned user role. There are many in-built user roles as well as provision to create custom user roles in RBAC, making it easier to grant only the required permissions that users need to perform their jobs.
- Azure Active Directory Privileged Identity Management can also be leveraged to restrict access to personal data of users. It can be used to assign temporary access to data using Just-In-Time (JIT) administrative rights. It also keeps a track of activities done using administrative access for audit review purpose.
- Azure Key Vault enables you to safeguard your cryptographic keys, certificates, and passwords that help protect your data. Key Vault uses hardware security modules (HSMs) in the backend for enhanced security. It helps in segregation of roles where only authorized personnel has access to your keys and passwords. You can monitor and audit use of your stored keys with Azure logging, and import your logs into Azure HDInsight or your security information and event management (SIEM) system like OMS for additional analysis and threat detection.
Protect – Robust Security Mechanisms to Protect from Data Breaches
Azure data centers are built adhering to international security standards to ensure round the clock physical security. Microsoft personnel such as support engineers or subcontractors cannot access data unless authorized by customers. Any government requests for customer data is intimated to customers and transparency is maintained in the process. Additional security mechanisms in Azure can be leveraged by customers to define security at administrative and data layer. In addition to Azure Key Vault explained in the Manage phase, the following tools and services can help protect personal data in Azure:
- Azure Storage Service encryption is enabled by default for all Azure storages, which uses 256-bit AES algorithm to encrypt data before it is written to the storage. This takes care of protection of data-at-rest in Azure Storage. In addition to keys managed by Microsoft, customers can also use their own keys for encryption.
- Azure Disk encryption is another feature that enables encryption of data-at-rest for Azure Virtual machine disks. It leverages Keyvault to store the disk-encryption keys and uses Bitlocker in Windows and DM-Crypt in Linux for volume encryption.
- Transparent Data Encryption in Azure SQL database helps to protect the data stored by encrypting the DB storage using a symmetric key called database encryption key. This key is in turn protected by using a transparent data encryption protector which could be a service managed certificate, or an asymmetric key stored in Keyvault.
- Azure Security Center helps you prevent, detect, and respond to threats related to your Azure deployment. It does a continuous assessment of the security posture of your cloud environments against defined policies and best practices. Any vulnerabilities are flagged with actionable recommendations that ensures security of all deployed resources.
- Data-in-transit can be protected using multiple tools and configurations. In the case of hybrid architectures, use site-to-site or point-to-site VPN for secure communication to resources in Azure. All data in this case is transmitted over an encrypted tunnel over internet. Another option for secure connectivity is to use Expressroute which enables a dedicated connection between an on-premise network and Azure. While using Azure storage, it is recommended to enforce transport layer encryption using the Secure transfer required option.
- Azure Backup and Azure Site Recovery services can be leveraged to meet the high availability and disaster recovery requirement of personal data cited in GDPR regulation.
Report – Manage Data Subject Requests, Report Data Breaches, and Maintain Documentation
Record-keeping is another important aspect of maintaining compliance, where the information related to storage and processing of personal data is tracked and documented for auditing purposes. There are many monitoring and auditing tools available in Azure that help in this process:
- Azure Monitor is a platform level monitoring tool for data collected from the Azure infrastructure (Activity Log), as well as individual Azure resource (Diagnostic Logs). You can use Azure Monitor to alert you on security-related events that are generated in Azure logs.
- The Log Analytics component of Operations Management Suite can be used for logging and analysis of data from Azure resources. Data from Azure Monitor can be routed directly to Log Analytics, so you can see metrics and logs for your entire environment in one place.
- Any data breaches in Azure where Microsoft holds full or partial responsibility is handled through the Security Incident responsibility management process.
Microsoft has released a GDPR blueprint which is helpful in building applications in Azure that meet the requirements of GDPR. Additional resources that provide guidance on achieving GDPR compliance in Azure can be found from the GDPR page in Microsoft Trust center.
When it comes to cloud adoption or migration, data privacy is the quintessential “elephant in the room” that organizations tend to willfully ignore. Data privacy is often considered a byproduct of security, the implementation of which habitually lacks attention to detail. This narrative changes with GDPR, though, as organizations should take personal data protection seriously to sail through.
Stay compliant! Stay happy!