On May 25, 2018, the long-awaited EU General Data Protection Regulation (GDPR) will come into effect. GDPR aims to bring consistency around how the data of EU customers and users is protected. The regulation makes organizations responsible to maintain best practices to secure EU data anywhere it resides. Lack of compliance can lead to sizable legal consequences and can cost companies dearly, including hefty fines.
Dome9 recently announced a GDPR Readiness bundle in the Dome9 Compliance Engine that offers out-of-the-box assessment and ongoing monitoring for compliance with the security requirements of GDPR. Combined with other capabilities of the Dome9 platform, this will help customers prepare to meet the security requirements of the EU regulation.
I. How does GDPR apply to me?
The GDPR regulation has a major impact on companies in many ways:
- It regulates the transfer of personally identifiable information (PII) outside of the EU by enforcing pseudonymization and encryption.
- It introduces a shared liability between the data controllers (organizations that store end user data) and the data processors (e.g. cloud providers) – processors will now be subject to penalties for the first time.
- It creates transparency around how data will be used, how long it will be retained, etc.
- It ensures ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- Data ownership, data protection, and data storage are key requirements for GDPR compliance.
Organizations need a cost-effective way to evaluate whether they are at risk of failing a GDPR compliance audit. To achieve and maintain GDPR compliance, you need to ensure you have all the right security and privacy measures in your cloud environments or face the sizable consequences of non-compliance. Hence, this initiative requires companies to rethink their data protection strategy and supporting tools in order to maintain a competitive advantage.
II. How Does Dome9 Help with GDPR Compliance?
Dome9 offers powerful visualization, control and active cloud protection capabilities that help customers manage GDPR compliance in their public cloud environments. For example, the Dome9 Compliance Engine is an automation framework that allows customers to automatically assess their cloud environments against regulatory standards and security best practices. They can use pre-packaged test suites that check for compliance against regulatory standards or security best practices, or they can easily create their own test suites that capture their organization’s unique requirements.
Let us dive into more detail of how Dome9 gets your cloud ready for GDPR:
Visibility into your Cloud Assets
With Dome9, you can easily get a real time picture of all your cloud assets in one place. A company needs to have full visibility into cloud assets in order to comply with GDPR since you cannot protect information that is not on your radar.
Visibility of Assets by Geography
1. Visualize all of your assets via an intuitive global map to get a high-level overview:
2. You can then visualize your assets that are either within or outside a specific region. The Dome9 platform monitors these assets continuously and alerts you when there are exceptions. For example – you can see below how easy it is to view all your assets outside of Europe in AWS:
- In addition, you can view the detailed settings of your cloud environments (e.g. VPC or security group relationships for assets within a specific region):
Cloud Security Compliance
The Dome9 Compliance Engine offers built-in frameworks for standards such as ISO 27001, NIST 800-53, HIPAA and PCI. These compliance suites are an excellent starting point for achieving the technical and operational requirements necessary to prevent a data breach under the General Data Protection Regulation (GDPR). When a company has implemented the Dome9 built-in AWS CIS Foundations Benchmark v1.1.0, NIST 800-53, PCI-DSS 3.2 or any other compliance framework, it has made considerable progress (~50%) in attaining GDPR compliance by minimizing the risk of a breach.
Continuous Compliance allows Dome9 clients to continuously run a compliance assessment according to various compliance suites and deliver findings through the most convenient method, such as email, an SNS notification message or a PDF report.
Dome9 capabilities presented above can help your company with the following GDPR Sections:
Article 25 – “Data protection by design and by default” with Dome9 Data Access Controls:
- Multi-factor authentication (MFA)
- API-request authentication
- IAM controls
Article 30 – “Records of processing activities” with Dome9 Logging and Monitoring:
- Asset-management and configuration
- Compliance auditing and security analytics
Article 32 – “Security of processing” with Dome9 Data Protection and Risk Assessment:
- Encryption of your data
- IPsec tunnels into AWS using VPC configurations
- Cloud security risk assessment
Additional GDPR articles that Dome9 Arc can help with – Articles 5, 12-23, 34, 44, 76:
- Breach notification by reducing investigation time
- Automation and visualization of your cloud asset inventory
- Applying Dome9 out-of-the-box security best practices and the AWS CIS Foundations Benchmark for overall security hygiene, as well as compliance and risk assessment frameworks, to continuously monitor and remediate security and compliance gaps
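To make the "assets outside of Europe" view and the Article 32/44 mapping above concrete, here is an added example (not Dome9 code) of the kind of rule evaluation a compliance engine runs over an asset inventory. The EU region allowlist, the `Asset` fields and the sample inventory are all constructed for this illustration.

```python
from dataclasses import dataclass

# Constructed allowlist: AWS regions treated as "inside the EU" for this example.
EU_REGIONS = {"eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1", "eu-north-1"}


@dataclass(frozen=True)
class Asset:
    asset_id: str    # constructed identifier, not a real resource
    kind: str        # e.g. "ec2", "s3", "rds"
    region: str      # AWS region the asset lives in
    encrypted: bool  # encryption at rest enabled
    holds_pii: bool  # tagged as holding EU personal data


def check_asset(asset: Asset) -> list[tuple[str, str]]:
    """Evaluate one asset and return (GDPR article, finding) pairs.
    Article 44 (transfers): PII in a non-EU region is flagged.
    Article 32 (security of processing): PII at rest must be encrypted.
    """
    findings = []
    if asset.holds_pii and asset.region not in EU_REGIONS:
        findings.append(("Article 44", f"{asset.asset_id}: PII stored outside the EU in {asset.region}"))
    if asset.holds_pii and not asset.encrypted:
        findings.append(("Article 32", f"{asset.asset_id}: PII stored without encryption at rest"))
    return findings


def assess(inventory: list[Asset]) -> dict[str, list[str]]:
    """Run every asset through check_asset and group findings by article."""
    report: dict[str, list[str]] = {}
    for asset in inventory:
        for article, finding in check_asset(asset):
            report.setdefault(article, []).append(finding)
    return report


def assets_outside_eu(inventory: list[Asset]) -> list[str]:
    """The 'all assets outside of Europe' view as a plain list of asset ids."""
    return [a.asset_id for a in inventory if a.region not in EU_REGIONS]


# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = [
    Asset("db-customers", "rds", "eu-central-1", encrypted=True, holds_pii=True),
    Asset("bucket-exports", "s3", "us-east-1", encrypted=False, holds_pii=True),
    Asset("web-01", "ec2", "us-west-2", encrypted=True, holds_pii=False),
    Asset("bucket-logs", "s3", "eu-west-1", encrypted=False, holds_pii=True),
]
```

Running `assess(SAMPLE_INVENTORY)` groups the findings by article, so the same inventory can be reported per GDPR section the way the post's screenshots do; a non-EU asset that holds no PII shows up in the geography view but produces no finding.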
III. Get Started Today with Dome9 for GDPR
Below you can see an example of the compliance engine evaluating whether assets are in compliance with specific GDPR sections:
We talk the talk and we walk the walk! As a security and compliance solution provider, Dome9 takes the security of its own platform and organization seriously. In our next blog we will discuss how Dome9 establishes and demonstrates compliance with the most rigorous standards and the GDPR. Stay tuned!
Additional Helpful Resources:
GDPR Compliance on AWS
CSA code of conduct
CISPE code of conduct
EU CLOUD Code of Conduct
GDPR vs EU Data Protection – Key differences
You can get started today with a 2-week free trial on Dome9.
THIS POST IS INTENDED FOR INFORMATION PURPOSES ONLY. IT DOES NOT CONSTITUTE LEGAL ADVICE CONCERNING THE GDPR OR ANY OTHER MATTER, AND MAY NOT BE USED OR RELIED ON FOR SUCH PURPOSES.