
Compliance Beyond Security: a Cloud Native GDPR Implementation Experience

Authors: Johan Tordsson


Summary

Using cloud-native technologies to achieve GDPR compliance
  • GDPR requires strict handling of personal data and an adequate level of information security to protect it
  • Cloud-native technologies can be used to build an information security management system and fulfil parts of the compliance requirements
  • Combining cloud-native tools such as Falco for intrusion detection with detailed logging in Elasticsearch and Kibana helps detect data breaches and supports the required breach notification
  • Kubernetes can be configured with additional components such as Dex and OpenID Connect for secure, identity-based access control
  • Running services that hold sensitive data on private cloud infrastructure limits reliance on external cloud providers
The speaker discussed how cloud-native technologies such as Kubernetes and Falco support intrusion detection and breach notification. He also emphasised limiting data collection to what is needed and implementing the right to be forgotten across the whole stack, and recommended running services that hold sensitive data on private cloud infrastructure to limit reliance on external cloud providers.
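The Falco-plus-logging point above is a detection-to-notification pipeline: Falco raises an alert when a process touches personal data, the alert is shipped to Elasticsearch, and the security team uses the timeline to decide whether a breach must be reported. The script below is an added example, not code from the talk or from the Falco project. It assumes Falco runs with `json_output: true` (one JSON object per line, with the standard `time`, `priority`, `rule` and `output_fields` keys) and that the operator has written two rules for the personal-data volume; the rule names and the `/srv/pii` path are hypothetical, and the sample alerts are constructed. It triages the alerts and stamps each personal-data event with the GDPR Article 33(1) deadline of 72 hours from awareness, which is the figure an incident responder needs at hand.

```python
"""Triage Falco JSON alerts for events touching personal data.

Added example (not from the talk). Assumes Falco with json_output: true.
Rule names, namespaces and the /srv/pii path are hypothetical.
"""
import json
from datetime import datetime, timedelta, timezone

# Falco priorities, most severe first, spelled as Falco emits them in JSON.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# Hypothetical rule names an operator would author for the personal-data
# volume. Falco's default ruleset contains no such rules.
PII_RULES = {"Read customer PII file", "Write below customer PII dir"}

# GDPR Art. 33(1): notify the supervisory authority without undue delay and,
# where feasible, within 72 hours of becoming aware of the breach.
NOTIFY_WINDOW = timedelta(hours=72)

# Constructed sample alerts in Falco's one-object-per-line JSON format.
SAMPLE_EVENTS = """\
{"output":"10:00:01.123456789: Critical PII file read (user=www-data file=/srv/pii/customers.db container=4a1b)","priority":"Critical","rule":"Read customer PII file","time":"2024-05-01T10:00:01.123456789Z","output_fields":{"user.name":"www-data","fd.name":"/srv/pii/customers.db","container.id":"4a1b","k8s.ns.name":"shop","k8s.pod.name":"web-7f9c"},"source":"syscall","tags":["pii"]}
{"output":"10:00:05.000000000: Notice A shell was spawned in a container (user=root container=4a1b)","priority":"Notice","rule":"Terminal shell in container","time":"2024-05-01T10:00:05.000000000Z","output_fields":{"user.name":"root","container.id":"4a1b","k8s.ns.name":"shop","k8s.pod.name":"web-7f9c"},"source":"syscall","tags":["shell"]}
{"output":"10:02:30.500000000: Warning PII dir written (user=root file=/srv/pii/export.csv container=9c2d)","priority":"Warning","rule":"Write below customer PII dir","time":"2024-05-01T10:02:30.500000000Z","output_fields":{"user.name":"root","fd.name":"/srv/pii/export.csv","container.id":"9c2d","k8s.ns.name":"batch","k8s.pod.name":"export-1"},"source":"syscall","tags":["pii"]}
not json at all
"""


def parse_falco_time(ts: str) -> datetime:
    """Parse Falco's RFC 3339 UTC timestamp. Falco writes nanoseconds but
    datetime keeps microseconds, so the fraction is truncated, not rounded."""
    if ts.endswith("Z"):
        ts = ts[:-1]
    base, _, frac = ts.partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.fromisoformat(base).replace(microsecond=micro,
                                                tzinfo=timezone.utc)


def severity(priority: str) -> int:
    """Lower number means more severe; unknown values rank least severe."""
    return PRIORITIES.index(priority) if priority in PRIORITIES else len(PRIORITIES)


def parse_events(raw: str) -> list[dict]:
    """Decode one JSON alert per line, skipping blank or non-JSON lines
    (Falco's plain-text startup messages land in the same stream)."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def triage(raw: str, threshold: str = "Warning") -> list[dict]:
    """Return one finding per alert that fired a PII rule at or above
    `threshold`, carrying the fields a responder needs and the Art. 33
    notification deadline computed from the detection time."""
    findings = []
    for ev in parse_events(raw):
        if ev.get("rule") not in PII_RULES:
            continue
        if severity(ev.get("priority", "Debug")) > severity(threshold):
            continue
        fields = ev.get("output_fields", {})
        detected = parse_falco_time(ev["time"])
        findings.append({
            "rule": ev["rule"],
            "detected_at": detected.isoformat(),
            "notify_by": (detected + NOTIFY_WINDOW).isoformat(),
            "namespace": fields.get("k8s.ns.name"),
            "pod": fields.get("k8s.pod.name"),
            "user": fields.get("user.name"),
            "file": fields.get("fd.name"),
        })
    return findings


if __name__ == "__main__":
    # Emit the findings as JSON, ready to be indexed into Elasticsearch.
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Two design points: the threshold is applied on Falco's own priority scale rather than on the rule name alone, so a deployment can downgrade a noisy rule without editing this code, and the 72-hour clock is anchored to the alert timestamp, which is the earliest defensible moment of "awareness" if nobody looked at the dashboard sooner.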

Abstract

Regulatory compliance has traditionally focused on core system properties such as availability, data integrity, and overall IT system security, and has been achieved through processes and (security) tooling. With the recent evolution of the regulatory landscape (including the European GDPR, the Californian CCPA, and the Japanese APPI), there is a stronger focus on end users' rights over their data, in particular the right to be forgotten. This session discusses the technical challenges this shift creates and gives recommendations for addressing them in a cloud native setting, including how to handle, and remove in a timely manner, personal data across the full stack: logs, backups, and any other kind of stateful resource.
