The European Union introduced the General Data Protection Regulation (GDPR) in 2016, and all organizations are required to be compliant as of May 25, 2018. It was primarily based on the United Kingdom’s Data Protection Act (DPA) 1998, a piece of legislation criticised by many as widely talked about and rarely enforced. While this applies to data of EU citizens, it applies to companies holding or processing the data of those EU citizens, regardless of where they are. This is an important point and uses the terms Data Controller (the person accountable to demonstrate compliance with the Regulation) and Data Processor (any third party who processes data on behalf of the Data Controller) to highlight those responsible.
Article 5.1-2 of GDPR details the seven fundamental principles of Data Protection. These are described below:
The implications of violating GDPR are severe, with two tiers of penalties maxing out at the higher of €20 million or 4% of global revenue. As you can imagine, the consequences of non-compliance can also be reputational. Compliance is, therefore, high on the list of priorities for organizations doing business with EU citizens.
Like other regulatory standards such as ISO27001, GDPR covers three core areas: people, processes and technologies. As a compliance automation tool, Runecast Analyzer focuses on the latter. Using our automated checks, you can gain visibility into risks in your AWS infrastructure that you may well have missed. Things like ensuring that you have both data-at-rest and end-to-end encryption in place, ensuring that Role-Based Access Control (RBAC) is in use, and enforcing least privilege access. All of these small checks can help to reduce the attack surface of your AWS infrastructure.
While many organizations have traditionally thought of an audit as a manual thing that happens annually, the main reason for regulatory compliance is to enforce better security and make it harder for bad actors to ply their trade. These bad actors don’t wait for you to say that you’re ready before they attack, and so continuous monitoring of the environment is vital. GDPR states that Data Controllers must be able to demonstrate compliance with the regulations. If you believe yourself to be compliant but cannot prove it, then you are not compliant!
Runecast Analyzer can help you constantly monitor and prove continuous compliance. As soon as any configuration drifts away from your desired state, you see this in the Runecast Analyzer dashboard. With our ServiceNow integration, any new findings can trigger the creation of a support ticket in ServiceNow.
The process of checking for compliance within your AWS and VMware environments can be arduous and costly, and any kind of manual checks are subject to human error, so it is crucial to automate as much as possible.
Runecast Analyzer automates the process of checking native AWS public cloud resources for compliance against GDPR standards – over 75 cross-referenced checks covering the domains of Compute, Management, Network and Storage. Each finding maps to a specific GDPR control or set of controls. As with all other standards covered within Runecast Analyzer, we show the details of all of the impacted objects and the wording from the standard and a technical translation and details of how to audit the finding and remediate any non-compliances manually.
With Runecast Analyzer, you get year-round, 24/7 visibility into your audit compliance posture. It allows you to get immediate visibility into risks and non-compliances inherent in your environment, allowing you to identify gaps between where you are and a fully compliant state and show as soon as any objects move out of compliance.
The solution runs entirely on-premises, with no data leaving your control. All analysis takes place on the Runecast Analyzer appliance. Move to a more proactive way of handling your compliance requirements!