The day-to-day business penetration of cloud services has reached an all-time high and is expected to grow further in 2020. With the adoption of cloud services, the regular data controller and data processor setup is also becoming more obsolete and transforms into a data controller (regular data processor), one or more cloud service provider (sub-processor), or data controller (one or more CSP data processors set up in the EU). This implies the threat landscape and privacy risks data controllers must face change significantly, and under the EU General Data Protection Regulation’s accountability principle, data controllers that use cloud service resources must prepare themselves in advance to effectively manage “cross-entity” data-processing activities, the related risks and potential data breaches.

Major data protection risks in the cloud

The National Institute of Standards and Technology classifies cloud service models as software as a service, platform as a service, and infrastructure as a service. It classifies deployment models as public, hybrid, community and private clouds. Cloud tenants (e.g., data controllers) in each service and deployment model have different responsibilities. Data controllers have the most control over privately deployed cloud services, whereas full-scale public cloud IaaS deployments push data controllers forward to develop sound technical and organizational measures and procedures to effectively manage the related data protection risks and possible data breaches to comply with data breach notice requirements under the GDPR and to be able to notify the relevant supervisory authority at least within 72 hours of becoming aware of a personal data breach.

The root cause of data breaches in the cloud are usually not different than in on-premise data-processing activities: mostly human error, unauthorized access and accidental insider threats. According to the Open Web Application Security Project, major privacy risks include operator sided data leakage, insufficient data breach responses, insufficient deletion of personal data, sharing of data with third-parties and insecure data transfers. Data controllers must also take into consideration the constantly changing cloud service landscape and changing application programming interfaces.

Data breach management procedures and playbooks

While cloud data breach response steps may look like on-premise data breach management procedures, the cloud is different. It is good practice to prepare data breach management playbooks in advance to address the top data protection risks within the cloud. Playbooks may be as precise and easy-to-follow as possible and may include the roles and responsibilities of the data controller and the CSP, description of the identified and tested communication channels and personnel, data breach evaluation and escalation criteria that enables the data controller to remain in charge (despite many CSP provide evaluation criteria as part of their “built-in” incident management solutions), forensic investigation and measures to ensure electronic evidence’s chain of custody, content and format of data the CSP may provide to the data controller in case of the suspicion of a data breach, and the description of data sources required to manage data breaches.

It is critical to regularly test, improve and keep up to date the playbooks. If the CSP provides separate users or tools to perform forensic investigations, log analysis and data breach management support, then data controllers may set up these users or tools in advance. Playbook tests may be “table-top” tests or real simulations. In case of higher risk scenarios, the full-scale simulations are recommended, while table-top tests may be used as validity checks and to practice the whole process overall. Responsible staff may not be limited to IT or to the compliance function but the data controllers’ public relations, and the CSP’s personnel should also be involved in the identification, evaluation, assessment and communication of data breaches either to supervisory authorities or affected data subjects.

The era of 'clickwrap' data-processing agreements

Technological advancement has brought widely open and easy-to-access cloud services to organizations. However, what may make organizations perplexed is the upside-down regulatory requirements against data controllers and data processors. The Article 29 Working Party confirmed its prior opinion and stated in its guidelines on personal data breach notifications under the GDPR that data “controllers and processors are […] encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary.” In practice, this means data controllers and processors must not only have to implement a data breach management process, but also a sound, effective and well-tested data breach response plan. To achieve the goal of effective data breach management, controllers and processors must rely on the incident management responses provided by CSPs in cloud environments, dependent on the service and deployment model.

The imbalance of power between CSP tech giants and their customers resulted in the application of “clickwrap” data-processing agreements, in which the data controller — who is ultimately responsible for data breaches in the cloud — may only pick the “take-it-or-leave-it” option when choosing a CSP. Data controllers may also consider the cooperation options and support in data breach management when selecting a CSP to be able to demonstrate GDPR-related accountability. Therefore, data controllers may incorporate into their vendor (CSP) risk assessment processes to assess and evaluate before migrating into the cloud the aspects and factors as follows.

  • Service level agreements: What service levels the CSP may willing to undertake during normal operations and in case of suspicion of a data breach?
  • Service governance: How may the IT governance processes of the CSP and the data controller align? How does the CSP govern the provision of services and manage changes in the service landscape by introducing or sunsetting features or services?
  • Audit rights: Larger CSPs may not allow their customers to directly audit the CSP’s operations; however, CSPs may provide internationally recognized audit certifications or reports.
  • Information security and privacy solution support: What kind of data protection compliance support the CSP may provide to its customers (e.g., in terms of event monitoring, retention periods, deletions and encryption/pseudonymization).
  • Testing opportunities: Data controllers must implement a process for regularly testing, assessing and evaluating the effectiveness of their data protection related controls; thus, it is crucial what support a CSP may provide to the data controller to test data breach management plans and playbooks.
  • Data breach management support: It is critical how the CSP will provide support to manage security events, including forensic support and ensuring the chain of custody.

The use of cloud services is becoming mainstream. Before moving to the cloud, relevant business users acting as a data controller must consider compliance with personal data breach management and notice requirements under European data protection laws and evaluate whether the chosen provider ensures sufficient guarantees. In that regard, the technical and organizational measures implemented by the CSP and the CSP’s smooth cooperation in the data breach response playbook is paramount in producing evidence regarding data protection accountability.

Photo by Sam Schooler on Unsplash