This is the third in a series of blog posts designed to prepare security professionals and business leaders for the 2017 General Data Protection Regulation (GDPR).
Are you considering moving applications to the cloud? If so—and what company isn’t—have you considered the impact of the EU General Data Protection Regulation (GDPR) on these plans?
At McAfee, we believe that the GDPR presents an opportunity for security transformation—an opportunity to abandon a compliance-focused approach to security and move toward a strategy of data protection and security by design.
The GDPR moves away from previous compliance regimes, and instead of prescribing a checklist of security technology controls, it now requires companies to develop sustainable security capabilities. It therefore offers you an opportunity to review your entire data and security strategy and build resilience, rather than creating checklists. We believe the GDPR presents an opportunity to view security as a key enabler of business, particularly as a key enabler for the secure use of cloud services.
Whether you are moving legacy applications to the public cloud, using cloud storage, or using cloud-based business applications such as Office 365, you need to consider the specific implications of GDPR and the opportunity to review or develop a broader cloud security strategy.
What to do and what to consider
At McAfee, we want your business to say yes to cloud adoption. Therefore, below are some key questions and considerations to help you have a hands-on conversation with your cloud service provider about GDPR and the necessary security measures:
Does your cloud service provider have a data protection policy? Solid and transparent security policies are the first step. In many cases, the GDPR requires the appointment of a Data Protection Officer (DPO) to oversee the program. Also, request a meeting with the DPO at your cloud provider.
How does your cloud service provider use the collected data?
Providers are required to disclose how they may use the data collected through their service and how they protect that information. Many companies use collected data for analytics or other legitimate purposes. However, these processes should not pose any additional risk to you.
What security frameworks, standards, or certifications does your cloud service provider follow or have they achieved for your service?
There are various industry-specific guidelines and processes that specify standardized requirements and controls for protecting cloud services. FedRAMP, for example, is a comprehensive cloud service authorization process for the U.S. government; because it is built on NIST standards, it could be applied more widely. At the international level, there is the ISO 27002 standard, for which the Cloud Security Alliance provides additional cloud-specific guidance. Cloud providers should use one of the available frameworks to assess their security maturity and to monitor it continuously.
Can your cloud service provider cite a case of data compromise and their response?
Statistically, more than half of all data breaches are discovered by external companies. Given that the GDPR requires notification to the relevant supervisory authority within 72 hours of the company discovering an incident, it’s critical to be able to detect potential data breaches and respond to them with a proven process. Ask your cloud provider whether they have a Security Operations Center (SOC) or a Computer Security Incident Response Team (CSIRT) with these capabilities, either in-house or as a managed service.
Where does your cloud service provider store and process the collected data?
Where data is stored is perhaps the biggest issue when it comes to cloud services and GDPR preparation. Does your cloud provider have data centers in the EU or exclusively in the US? Where does it store and process the data? Is the data being moved from the EU to the US? These are just a few of the issues in this area, but they can be addressed with encryption of stored data, access control, and key management.
These are the key considerations regarding GDPR and cloud service providers, although the list is not exhaustive. Hopefully, as a user of these services, you are now sufficiently informed and well-equipped to prepare for GDPR. Most importantly, these practices will make your company’s use of the cloud more secure.