Privacy professionals have to wrap their minds around all types of vendors and technologies for proper due diligence – which is no easy task. In the Privacy Setup series, we’ll take a closer look at technologies and vendors that are commonly found in most organisations, and what you can do to make sure they’re aligned with your risk appetite.
For our first piece, we’re focusing on Amazon Web Services (AWS), but many points apply to cloud infrastructure providers in general.
What are cloud infrastructure providers?
AWS and its competitors offer a broad set of global cloud-based products, including compute, storage, databases, analytics, networking, mobile, developer tools, management tools, IoT, security and enterprise applications, built on cloud infrastructure consisting of servers that provide both raw storage and computing.
What’s the importance of cloud infrastructure providers?
In many modern companies, cloud infrastructure providers are core to delivering the company’s product. Switching costs are high and competition is scarce outside the big American players (AWS, Azure and Google Cloud), since they’ve all invested considerable resources to develop new features and managed services.
This is not to say you should outright exclude other alternatives – especially if you’re an EU business with low risk appetite and high privacy maturity, local providers are worth considering. For example, DPOrganizer’s own product infrastructure is based on a Swedish cloud provider, Elastx. Beyond the advantage of lower risk, a regional provider is likely more flexible in the exact terms of your agreement and the design of your infrastructure.
What are the legal factors to consider?
The big topics when using cloud infrastructure providers are third country transfers (both by the provider itself and by its subprocessors), security of processing, breach management, and data subject requests. You can find more details on how to do your legal processor due diligence here.
Factors that apply to all US-based cloud providers
If your company processes personal data on AWS that is subject to EU data protection legislation, you will have to be extra careful.
When using AWS you can determine which region your data should be hosted in – something that both Azure and Google Cloud offer as well. However, the AWS DPA stipulates that the data may also be transferred outside the selected region if AWS is required to do so to comply with the law or a binding order of a government body.
US-based AWS Inc is the parent company of all its subsidiaries across the world, and the US has far-reaching surveillance laws (FISA 702, the Cloud Act and EO 12333) which have already led to the demise of the Privacy Shield Framework. These laws allow US authorities to request data from subsidiaries of US companies. Schrems II made clear that third country transfers require additional assessments and measures to ensure that the required data protection standard is upheld when personal data is transferred to third countries.
Adapting to Schrems II
The French decision in the case about Doctolib, a company that hosted a vaccination appointment management system on AWS servers in Luxembourg, gives us a better understanding of what supplementary measures can be taken to ensure that the Schrems II requirements are met. In this interim decision, the court held that Doctolib had implemented sufficient supplementary measures, since:
- retention times were short (3 months at most),
- no special categories of personal data were being processed,
- data subjects could delete their data directly online,
- the contract between Doctolib and AWS Sarl included a specific procedure for access requests by foreign authorities that do not comply with EU regulations, and
- Doctolib had set up an encryption device, provided by a company in France, that prevents third parties from reading the data hosted on the AWS servers.
Which data protection options does AWS offer?
AWS includes a wide variety of features that simplify the safekeeping of data hosted on their servers. Here are some of the most important ones you should make good use of.
Network isolation is a concept that separates the assets on your servers according to a scheme you define (e.g. by the function of the asset). Separating your environments by virtual private cloud, or VPC, ensures that the different environments cannot talk to each other. Within each environment you can create different security groups with limited access, and because the environments are developed separately you minimize the risk of exposing all your processing at once. If you want to separate environments even further, you can also use separate AWS accounts for environments that contain particularly sensitive data.
Ensure that encryption in transit and at rest is applied. Many managed services provided by AWS offer encryption at the click of a button; this enables encryption using the default AWS master key. For enhanced security you can create custom encryption keys using KMS (Key Management Service), which also supports automatic key rotation. More sensitive assets might warrant more frequent rotation. AWS also makes it possible to Bring Your Own Key. This means that you can use an external service to manage and store the keys to your data, adding another layer of security by preventing AWS from accessing the data.
CloudTrail – audit log
You should also make use of AWS’ CloudTrail. This service logs all interactions with the AWS APIs, and you should configure it to store the logs in a way that cannot be tampered with (e.g. in an S3 bucket in a different AWS account). The existence of a comprehensive log helps you discover unauthorized changes and strengthens your control over the processing carried out.
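As an added, offline example (written for this article, not code from DPOrganizer or AWS), the following check flags the weak settings behind the two controls above: a key that is still the AWS-managed default or is never rotated, and a trail whose logs sit in the same account they audit or lack integrity validation. The input dictionaries mirror what `aws kms describe-key`, `aws kms get-key-rotation-status` and `aws cloudtrail describe-trails` return; the account ids and bucket ownership map are constructed samples.

```python
"""Offline posture check for the KMS and CloudTrail controls described above.
Inputs use the shapes of `aws kms describe-key` (KeyMetadata),
`aws kms get-key-rotation-status` and `aws cloudtrail describe-trails`."""

def audit_kms_key(metadata: dict, rotation: dict) -> list:
    """Flag use of the default AWS-managed key and missing automatic rotation."""
    findings = []
    if metadata.get("KeyManager") != "CUSTOMER":
        findings.append("AWS-managed default key in use; create a customer-managed KMS key")
    # Automatic rotation only exists for key material generated by KMS. A BYOK key
    # (Origin EXTERNAL) is rotated by importing new material, so it is not flagged here.
    if metadata.get("Origin") == "AWS_KMS" and not rotation.get("KeyRotationEnabled"):
        findings.append("automatic key rotation is disabled")
    return findings

def audit_trail(trail: dict, bucket_owners: dict) -> list:
    """Flag a trail whose logs could be deleted or edited from the audited account."""
    findings = []
    account = trail["TrailARN"].split(":")[4]  # arn:aws:cloudtrail:REGION:ACCOUNT:trail/NAME
    bucket = trail.get("S3BucketName", "")
    if bucket_owners.get(bucket) == account:
        findings.append(f"bucket {bucket} is owned by the audited account {account}")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation off: edited or deleted log files go unnoticed")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: API calls in other regions are not logged")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with a customer-managed KMS key")
    return findings

# Constructed sample responses (not from a real account). 111111111111 stands for
# the workload account and 222222222222 for a dedicated log-archive account.
WEAK_KEY = {"KeyId": "k-default", "KeyManager": "AWS", "Origin": "AWS_KMS"}
GOOD_KEY = {"KeyId": "k-custom", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS"}
BYOK_KEY = {"KeyId": "k-imported", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL"}
WEAK_TRAIL = {"Name": "default", "S3BucketName": "my-logs",
              "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/default",
              "IsMultiRegionTrail": False, "LogFileValidationEnabled": False}
GOOD_TRAIL = {"Name": "archive", "S3BucketName": "archive-logs",
              "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/archive",
              "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
              "KmsKeyId": "arn:aws:kms:eu-west-1:222222222222:key/k-custom"}
BUCKET_OWNERS = {"my-logs": "111111111111", "archive-logs": "222222222222"}

if __name__ == "__main__":
    print("weak key:", audit_kms_key(WEAK_KEY, {"KeyRotationEnabled": True}) or "OK")
    print("weak trail:", audit_trail(WEAK_TRAIL, BUCKET_OWNERS) or "OK")
    print("good trail:", audit_trail(GOOD_TRAIL, BUCKET_OWNERS) or "OK")
```

Bucket ownership is not part of the describe-trails output, so in practice you populate that map from your own account inventory.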
You should ensure that your AWS servers are always updated. One common approach today is to rely on immutable infrastructure at the core. This means that the running resources in your deployment are replaced instead of being changed in place. AWS also offers a marketplace with official Amazon Machine Images (AMIs) as well as trusted and community images that you can use and easily keep updated.
Manage secret keys
Use AWS’ Secrets Manager to let applications access the keys they need. With Secrets Manager these keys are loaded into memory rather than stored on the server, so they are only held for the short period in which they are needed.
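The in-memory pattern described above, as an added example that is not code from the article or from AWS: the secret is read from Secrets Manager when first needed, kept only in process memory with a time-to-live so rotated values are picked up, and dropped on request. The `SecretCache`, `FakeSecretsManager` and `demo` names are our own; the only AWS call used is boto3's `get_secret_value(SecretId=...)`, and the client is injected so the example runs offline against a constructed stand-in.

```python
"""Read application secrets from AWS Secrets Manager at runtime instead of
keeping them in config files on the server. The calling role needs the
secretsmanager:GetSecretValue permission on the secret it reads."""
import json
import time

class SecretCache:
    """Holds secrets in process memory only and re-reads them after `ttl`
    seconds, so a rotated secret is picked up without a redeploy."""
    def __init__(self, client, ttl: float = 300.0, now=time.monotonic):
        self._client, self._ttl, self._now = client, ttl, now
        self._entries = {}  # secret id -> (fetched_at, parsed value)

    def get(self, secret_id: str) -> dict:
        fetched_at, value = self._entries.get(secret_id, (None, None))
        if fetched_at is None or self._now() - fetched_at >= self._ttl:
            resp = self._client.get_secret_value(SecretId=secret_id)  # boto3 signature
            value = json.loads(resp["SecretString"])
            self._entries[secret_id] = (self._now(), value)
        return value

    def forget(self, secret_id: str) -> None:
        """Drop a value once it is no longer needed (e.g. after opening a DB pool)."""
        self._entries.pop(secret_id, None)


class FakeSecretsManager:
    """Constructed stand-in for boto3.client("secretsmanager"), for running offline."""
    def __init__(self, store):
        self.store, self.calls = store, 0
    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps(self.store[SecretId])}

def demo() -> tuple:
    """Two reads within the TTL hit the API once; a read after expiry refreshes."""
    clock = [0.0]  # controllable clock instead of time.monotonic
    fake = FakeSecretsManager({"prod/db": {"username": "app", "password": "constructed"}})
    cache = SecretCache(fake, ttl=300, now=lambda: clock[0])
    first = cache.get("prod/db")["username"]
    cache.get("prod/db")  # served from memory, no second API call
    clock[0] = 301.0      # TTL expired: next read goes back to Secrets Manager
    cache.get("prod/db")
    return first, fake.calls

if __name__ == "__main__":
    print(demo())  # ('app', 2)
```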
Just the starting point in the cloud privacy rabbit hole
The options listed above are just some of the ways you can adjust your AWS setup, based on usage of the most common services offered. Due to the wide selection of services offered (and the data those services collect), you’ll want to keep track of and thoroughly assess AWS services before using them. For example, AI services might lead to automated processing and decision making.