Loading ...

GDPR compliance | IOA Knowledge Base Community

Posted in: All Community Discussions (Currently in BETA) » ASK THE IOA EXPERTS (BETA)

GDPR compliance

Subscribe to RSS
  • cwhite

    Hello, 

    How are other customers preparing for GDPR compliance.  I have gone through the GDPR text and am constantly confused by its applicability to Non-EU organizations.  not looking for legal advice but given the ambiguity and inevitable need to adapt to whatever GDPR brings, I'm interested in the architecture approach. 

    Any insights on this topic will be incredibly helpful.

     

  • marekmoszynski

    Hi,

    Yes, the May 2018 deadline looms along with the impacts. Depending on your particular industry and circumstances, the game plan may vary.  At a high level, the ‘General Data Protection Regulation’ is about protecting personal data location, how it’s stored and controlled (see the EU's GDPR website). 

     Controls and accountability regulations are fairly granular to the country level. Because of this, you need to know where any personal data is stored, which may or may not exclude storing it in public cloud, depending on the location guarantees you can get from Public Cloud providers.  You may need a private storage that is collocated to make it easier for programs running in cloud to compute (not keep the data).  The colocation allows to lock the data down. Example -  if someone from the outside the country (cloud or internet) wants to access the data, they can’t because the policy controls are locally enforced.

    I hope this helps as a first pass, let me know if you want to dive deeper on a topic.

     
  • cwhite

    thanks for the reply.  What are the most common areas of risk and ways to address? can you point to specific docs or resources that explains/illustrates what you wrote? 

    thanks again

     
  • marekmoszynski
      Answered

    Sure!

    Considering the content we have on IOAKB, I suggest taking a look at the Security and Data blueprints:

    Security Blueprint - the entire security blueprint is focused on creating a zero trust boundary and inspection zone at the digital edge, which is the interconnection control point for clouds, partners and user.

    • It shows incremental phases of layered enforcement and predictive analysis applied to all traffic flows to and from clouds, partners as well as corporate backbones and the internet
    • It uses securely stored policies to drive traffic segmentation by groups, roles or message types.
    • It uses on the wire deep packet inspection to analyze traffic according to policies and can store encrypted keys securely in the edge
    • It ensures that the edge is an extension of your data center; therefore you can store sensitive data in the edge where all required cloud applications can access that data without actually housing it.  The data access is fast and you have your choices of storage mechanisms at the edge

    Data Blueprint -the data blueprint assumes and therefore leverages the design patterns delineated in the security blueprint

    • Design Pattern 1 & 2 - emphasize localizing storage at the edge where requests to access that data are subject to an inspection zone,  but is accessible to any cloud based application with the proper credentials
    • Design Pattern 3- shows the same for streaming flows (e.g. IoT or customer PII data from Mobile applications). The advantage of this approach for GDPR is that data can be scrubbed or made anonymous before being sent to cloud based applications for deeper analysis
    • Design Pattern 4 & 5- follow the same principles of isolation and inspection when applied to selling data or transporting it to different regions

    Please let me know if you need more guidance on this content.  And best of luck with GDPR!

  • Page 1 of 1 (4 items)