Automate Your GDPR Compliance Audits with Runecast Analyzer
About GDPR Compliance
The European Union introduced the General Data Protection Regulation (GDPR) in 2016, and all organizations are required to be compliant as of May 25, 2018. It was primarily based on the United Kingdom’s Data Protection Act (DPA) 1998, a piece of legislation criticised by many as widely talked about and rarely enforced. While GDPR applies to the data of EU citizens, it covers any company holding or processing that data, regardless of where the company is located. This is an important point, and the regulation uses the terms Data Controller (the party accountable for demonstrating compliance with the Regulation) and Data Processor (any third party who processes data on behalf of the Data Controller) to identify those responsible.
Article 5.1-2 of GDPR details the seven fundamental principles of Data Protection. These are described below:
- Lawfulness, fairness and transparency – Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation – You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization – You should collect and process only as much data as necessary for the purposes specified.
- Accuracy – You must keep personal data accurate and up to date.
- Storage limitation – You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality – Processing must be done in such a way as to ensure appropriate security, integrity, and privacy (e.g. by using encryption).
- Accountability – The Data Controller is responsible for demonstrating GDPR compliance with all of these principles.
The implications of violating GDPR are severe, with two tiers of penalties maxing out at the higher of €20 million or 4% of global revenue. As you can imagine, the consequences of non-compliance can also be reputational. Compliance is, therefore, high on the list of priorities for organizations doing business with EU citizens.
Automated checks for your AWS Infrastructure
Like other regulatory standards such as ISO27001, GDPR covers three core areas: people, processes and technologies. As a compliance automation platform, Runecast Analyzer focuses on the last of these. Using our automated checks, you can gain visibility into risks in your AWS infrastructure that you may well have missed: checks that both data-at-rest and end-to-end encryption are in place, that Role-Based Access Control (RBAC) is in use, and that least-privilege access is enforced. Each of these small checks helps to reduce the attack surface of your AWS infrastructure.
The Importance of Audit Automation
While many organizations have traditionally thought of an audit as a manual thing that happens annually, the main reason for regulatory compliance is to enforce better security and make it harder for bad actors to ply their trade. These bad actors don’t wait for you to say that you’re ready before they attack, and so continuous monitoring of the environment is vital. GDPR states that Data Controllers must be able to demonstrate compliance with the regulations. If you believe yourself to be compliant but cannot prove it, then you are not compliant!
Runecast Analyzer can help you constantly monitor and prove continuous compliance. As soon as any configuration drifts away from your desired state, you see this in the Runecast Analyzer dashboard. With our ServiceNow integration, any new findings can trigger the creation of a support ticket in ServiceNow.
The process of checking for compliance within your AWS and VMware environments can be arduous and costly, and any kind of manual checks are subject to human error, so it is crucial to automate as much as possible.
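As an added illustration of the kind of automated check and drift detection described above (this is example code written for this article, not Runecast's own implementation), the following evaluates a constructed AWS configuration snapshot against a few GDPR-motivated checks, maps each finding to the Article 5(1) principle it supports, and reports only the findings that are new since the previous run. The snapshot layout and field names are assumptions made for the example, not a real AWS API shape.

```python
from dataclasses import dataclass

# Constructed sample snapshot of an AWS account (not a real API shape; field
# names are assumptions chosen for this example).
SNAPSHOT = {
    "s3": [
        {"name": "customer-records", "sse": "aws:kms", "tls_only": True},
        {"name": "exports", "sse": None, "tls_only": False},
    ],
    "ebs": [
        {"id": "vol-0001", "encrypted": True},
        {"id": "vol-0002", "encrypted": False},
    ],
    "iam_policies": [
        {"name": "app-reader", "actions": ["s3:GetObject"]},
        {"name": "admin-all", "actions": ["*"]},
    ],
}

PRINCIPLE = "Integrity and confidentiality"  # GDPR Art. 5(1) principle these checks support

@dataclass(frozen=True)
class Finding:
    check: str      # which automated check fired
    obj: str        # the impacted object
    principle: str  # the GDPR principle the finding maps to

def run_checks(snapshot):
    """Evaluate the snapshot against desired state; return the set of findings."""
    found = set()
    for b in snapshot["s3"]:
        if not b["sse"]:  # no default server-side encryption: data at rest unprotected
            found.add(Finding("s3-default-encryption", b["name"], PRINCIPLE))
        if not b["tls_only"]:  # bucket policy does not deny non-TLS access
            found.add(Finding("s3-tls-only-policy", b["name"], PRINCIPLE))
    for v in snapshot["ebs"]:
        if not v["encrypted"]:
            found.add(Finding("ebs-encryption-at-rest", v["id"], PRINCIPLE))
    for p in snapshot["iam_policies"]:
        if "*" in p["actions"]:  # wildcard action violates least privilege
            found.add(Finding("iam-least-privilege", p["name"], PRINCIPLE))
    return found

def new_findings(previous, current):
    """Drift detection: only findings absent from the previous run are new and
    would be the ones handed to a ticketing system such as ServiceNow."""
    return current - previous
```

Calling `new_findings(set(), run_checks(SNAPSHOT))` on a first run reports all four findings; re-running against the same snapshot with the previous findings as the baseline reports none, which is the "nothing new to ticket" case.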
Runecast is a patented enterprise IT platform that provides IT ops and security teams one platform for configuration monitoring, vulnerability management, security compliance, remediation, upgrade planning and reporting.
- Disruptive, patented solution that automates proactive analysis of logs, configuration drift, and security posture within your environment.
- Simple, lightweight platform that is super-easy to deploy and operates securely on-premises (no data needs to leave your control) to provide you with remediation steps before any issues can lead to a PSOD or downtime.
- Operational transparency and best practices alignment
- Real-time configuration management, vulnerability scanning and security compliance audits
- Freed up team resources (to work proactively on growth drivers)
How Runecast helps you to be audit-ready
Runecast Analyzer automates the process of checking VMware products and native AWS public cloud resources for compliance against GDPR standards – over 75 cross-referenced checks covering the domains of Compute, Management, Network and Storage. Each finding maps to a specific GDPR control or set of controls. As with all other standards covered within Runecast Analyzer, we show the details of all of the impacted objects and the wording from the standard, along with a technical translation and details of how to audit the finding and remediate any non-compliances manually.
With Runecast Analyzer, you get year-round, 24/7 visibility into your audit compliance posture. It gives you immediate visibility into the risks and non-compliances inherent in your environment, allowing you to identify gaps between where you are and a fully compliant state. Runecast also shows immediately when any object moves out of compliance.
The solution runs entirely on-premises, with no data leaving your control. All analysis takes place in the Runecast Analyzer appliance. Move to a more proactive way of handling your compliance requirements!