Facebook’s stock took a hit recently after it was revealed that the personal information they had collected from millions of people had been compromised by Cambridge Analytica (which has filed for bankruptcy). These incidents serve to emphasize to companies the importance of maintaining consumers’ trust with their data.  And for those of us concerned with data security, the timing of these revelations feels uncanny, since it coincides with the upcoming effective date of the European Union’s General Data Protection Regulation (GDPR) on May 25.

GDPR attempts to force companies to only collect the data they need and to ensure that this data is secure. It is very broad in scope and includes all systems that process a European resident’s personal data, whether on cloud or on-premise.

Ok, so on-premise should be easy right? After all, organizations own most everything from the building to the servers their applications are running on. Ok, perhaps not easy, but at least doable.

GDPR Implications and Complications for Cloud

But, cloud is a big black box. Besides the cloud provider itself, few really know anything about how their data and applications are managed, maintained, and secured on public cloud. Cloud providers have unique services that they are using to manage all of this, which is mostly unknown to the outside world. To understand these operations, one must dive deep and learn a new language. Ever heard of “storage buckets?” These aren’t things you buy at Target….

These are the fundamental data structures used to store data. Cloud providers are starting, stopping, moving, replicating, backing up, and maintaining these containers as part of their procedures.

You could care less, unless you have to comply with privacy by design, geographical restrictions, special handling, right to be forgotten, and so on. Sounds familiar? These are all required under the GDPR legislation.

To demystify this black box—the public cloud—in the wake of heightened need for data protection and security and changing global data protection regulations, SAP has developed the SAP Data Custodian. SAP Data Custodian will give you the visibility and control over your data in the public cloud, where it did not exist before. This solution will help bridge the trust concerns between you and the public cloud providers and also aid with compliance with regulations such as GDPR.

Despite the long buildup to the GDPR, there is still ample uncertainty related to how GDPR will actually be enforced. However, the potential risk of non-compliance with GDPR is very clear: the penalty for non-compliance can be €20 million or 4% of your annual global revenue, whichever is higher. Ouch! We would prefer that you not be penalized, and we don’t want your company to dominate the news cycle for anything but good news.

So, let’s look to some GDPR components that are especially relevant to you if you want to move to the public cloud.

Privacy by Design for the Public Cloud

GDPR explicitly requires that security and privacy no longer be an afterthought or an “add on” in a company’s business operations. GDPR requires “Privacy by Design” along with “Privacy by Default,” which is a risk-based approach. In essence, you must develop controls according to the degree of risk associated with processing such data. You have to design protections for data from the inception of your product development lifecycle, rather than inserting such protections as an afterthought.

With public clouds, the risks are high and the challenge is that the data in the public cloud may be accessed by anyone, including by the cloud provider itself without any oversight. Such access can be construed as a breach of the GDPR requirement of keeping data private “by design.”

Among other things, encryption is extremely important for data protection. When in the public cloud, the encryption keys are often stored in the cloud landscape, however. This means that the cloud providers control data access. This can be a fairly sticky point when governments seek to get access to such data for search warrants and subpoenas and get this data directly from the cloud providers without any visibility to the customer.

From a logical standpoint, a “privacy by design” approach may make scenarios where customers have ownership of these encryption keys, and thereby control of their data in the public cloud, very relevant. As part of the SAP Data Custodian, we will offer a key management system, so you can control your own encryption keys, and therefore, your data, even when in the public cloud.

Cross-Border Data Flow in the Public Cloud

For performance reasons, public clouds are distributed by nature and move the data globally, wherever they have free resources for processing. GDPR, however, requires companies to know where the personal data of their European residents is located for storage and processing. This restricts your ability to transfer personal data to third countries or international organizations outside the European Economic Area, unless such countries are considered “adequate,” as defined in GDPR.

Such requirements further necessitate that you have visibility and control of where your data is placed, accessed, moved, and processed in the public cloud, which may conflict with the distributed nature of the public cloud. SAP Data Custodian introduces a configurable policy engine, so you can specify where you want your storage buckets, virtual machines and so forth to be located in the public cloud, and receive visualization and reporting around it, among other things.

72-Hour Breach Notification—So Much to Do, So Little Time

GDPR also requires that in instances of a data breach, the controller (company that determines the purpose and means of data processing) is responsible for notifying the European Union supervisory authority of the breach within 72 hours after becoming aware of the breach. Breaches often go undetected, however, for a very long time. Then, it is almost too late and the only option is to manage the reputational damage.

This problem can be further exacerbated in the public cloud scenario, because you (the “controller” of the data) are an extra step removed from your data and may have to rely on public cloud providers (generally considered “processors” according to GDPR) to find out about such breaches.

Enterprises need the ability to watch the data all the time and also adapt their employee, cloud provider, and customer accesses based on real-time risk. This is important, so that the malicious activity can be detected and mitigated in real time. SAP Data Custodian can provide a view of violations to your policies around customer and cloud provider storage, movement, access and processing in near real time, which should certainly give you some peace of mind.

Trust but Verify

Governance, risk and compliance concerns, while very real, should not impede progress and overall adoption of the public cloud. You can outsource your operations to the cloud, but you can’t completely outsource your security obligations to the cloud providers. The element of trust becomes very important here.

You have to find ways to not only trust your cloud provider, but also independently verify and control what the cloud provider is doing with your data. This is where SAP Data Custodian comes in!

Demystifying the Black Box: SAP Data Custodian

With SAP Data Custodian, you will have transparency and control over how your data is accessed, moved, and processed as well as where your data is stored in the black box. Yes, we mean your data—SAP and non-SAP—in the public cloud. Shortly, you will be able to use this solution on the Google Cloud Platform.

This SaaS application, with a compelling visualization dashboard, will help you establish trust with your public cloud provider, and help comply with GDPR’s risk-based approach around cross-border data flow, 72-hour breach notification, and other relevant GDPR components. In a recent webinar we hosted, we discussed all these issues and SAP Data Custodian in more detail.

Join Us at SAPPHIRE NOW

We’ll be talking more about SAP Data Custodian at SAPPHIRE NOW + ASUG Annual Conference this June 5-7. We hope to see you there!

Learn More

 

NOTE: The information contained in this blog represents the author’s personal opinion and is for general guidance only and provided on the understanding that SAP is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation. SAP SE accepts no liability for any actions taken as response hereto.
It is the customer’s responsibility to adopt measures that the customer deems appropriate to achieve GDPR compliance.