The General Data Protection Regulation (GDPR) is a regulatory framework put into effect by the European Union on May 25, 2018 to govern data protection and privacy for European Union/European Economic Area residents (EU/EEA). Although the European Union enacted GDPR, it applies to businesses worldwide because GDPR applies to anyone that processes data about EU/EEA residents.
"The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU." – GDPR.eu
GDPR raises the expectations and requirements for data protection beyond what regulators in the United States and non-EU/EEA countries have specified. For example:
- Data subjects have the right to a copy of their data and to have it erased in most cases.
- Personal data can only be processed with the consent of data subjects – who may revoke their consent at any time.
- Organizations must report data breaches within 72 hours.
To further add weight to GDPR, violations carry severe penalties. Monetary fines are levied, maxing out at €20 million or 4% of global revenue – whichever is higher. Data subjects also have the right to seek compensation for damages.
Given the broad reach of GDPR and the severity of the consequences for violations, many global organizations are proactively adding extra measures to ensure they are compliant. In alignment with this approach, Kion is built to shift cloud security and compliance to the left, enabling you to be proactive and provide confidence and assurance that compliance requirements are in place and actively enforced.
Kion is uniquely equipped to support GDPR compliance as well as other compliance frameworks in the cloud in several ways:
- Kion is a single platform for control across AWS, Azure, and Google Cloud.
- Kion provides visibility into an organization’s current compliance posture.
- Kion maintains data security and data sovereignty via a self-hosted architecture.
- Kion includes preventative guardrails and enforcements to prevent drift.
Specifically, the above features allow Kion to assist in satisfying the following GDPR requirements:
- Article 25 – Data protection by design and by default
- Article 30 – Records processing activities
- Article 32 – Security of processing
- Article 39 – Tasks of the data protection officer
A Single Platform for Control Across AWS, Azure, and Google Cloud
Kion unifies your AWS, Azure, and Google Cloud environments by creating a single place to visualize and manage your cloud estate. This gives you visibility into which projects cloud accounts belong to, assisting you in determining which environments need to comply with GDPR and which do not.
Kion’s organizational chart is also a powerful instrument of automation. It drives hierarchical inheritance to allow you to propagate policy and compliance guardrails quickly and easily to cloud accounts, projects, and entire organizational units (OUs).
For example, if you need to restrict all services to non-EU regions to ensure all customer data is hosted in AWS, Azure, and Google Cloud data centers in the EU, apply a policy at an OU level that disallows non-EU regions. Kion will propagate this policy to all subordinate OUs, projects, and cloud accounts. Not only will you govern your existing workloads, you’ll also be making provisioning. protecting, and preventing new workloads an automated process.
Visibility Into Current Compliance Posture
Our compliance dashboard, spanning AWS, Azure, and Google Cloud, shows how many of your compliance checks were found non-compliant, gives insights into compliance violations, and helps you easily remediate them.
Feeding the compliance dashboard is Kion’s compliance engine. The compliance engine within Kion provides a straightforward rule language and cloud-platform-agnostic remediations that don’t require deploying Lambda functions or similar services. Kion has over 8,000 checks across many popular compliance regimes, including CIS, PCI DSS, NIST, ISO 27001, SOC 2, FedRAMP, HIPAA, and more.
Many of our checks include automatic remediation steps that leverage your configuration files. You don’t need to write code; instead, you can leverage simple YAML configuration files and comment in a line or two to remediate findings across accounts.
These checks directly support Articles 39 and 32 by identifying services or data that is not encrypted, ensuring threat protection is enabled, and detecting and remediating public-facing data stores. Kion also will continually monitor cloud resources to ensure there’s no drift from your compliance requirements.
Maintaining Data Security via Self-Hosted Architecture
To ensure data security and support Article 25 – Data protection by design and default, Kion is not a software-as-a-service; instead, it is self-hosted inside your cloud environment. This keeps your data in your environment and means you have complete control over Kion. You can choose which region that Kion is deployed within. Add customizable security checks to ensure users accessing your cloud environments meet specific criteria from the location they are accessing Kion to entitlements that map to completing specific trainings pertaining to GDPR. By managing and installing your own Kion environment in your desired region(s), you can satisfy GDPR requirements in ways that many other solutions cannot.
Preventing Drift Through Predefined Guardrails and Automated Enforcement
The easiest problem to fix is the one that never happens. To prevent drift, Kion uses a construct known as “Cloud Rules” that can be configured to effect security policy and cost and spending constraints across cloud providers. Cloud Rules conform to cloud provider constructs like CloudFormation, IAM, YAML, ARM Templates, IAM Role and Policy Definitions, and Terraform (through webhooks). As a result, users spend less time writing policy and retain the assurance that their environment is configured correctly.
To support Article 30, Kion Managed Resources provide templates to configure CloudTrail to monitor access to data. Kion will also deploy roles that can be used to lock down access to services, regions, instance types, or actions and ensure the confidentiality and integrity of your data.
Kion helps you get to and maintain compliance with GDPR and other compliance frameworks faster by providing the visibility of your current posture and preventing drift with proactive guardrails and automatic remediations. This gives you the confidence to experiment within, scale, and expand your cloud with the certainty that you will be able to achieve and maintain compliance with the requirements specific to your organization.
If you’d like to see a live demo from a cloud engineer of Kion’s compliance features and how they can assist you in implementing GDPR in your cloud environment, please register here.