►
From YouTube: Compliance Beyond Security: a Cloud Native GDPR Implementation Experience - Johan Tordsson
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Compliance Beyond Security: a Cloud Native GDPR Implementation Experience - Johan Tordsson, Elastisys AB
Regulatory compliance has traditionally been focused on core system aspects such as availability, data integrity, and overall IT system security. Compliance has been achieved through various processes and (security) tooling. With recent evolution of the regulatory landscape (including the European GDPR, Californian CCPA, and Japanese APPI legislations), there is a stronger focus on end user rights to data, in particular the right to be forgotten. This session will discuss the technical challenges of this movement and give some recommendations for how to address these issues in a cloud native setting. This includes how to handle (and timely remove) data across the full stack, including logs, backups, and any other sort of stateful resources.
A
A
A
A
What
other
kind
of
data
do
we
keep
about
our
users?
Where
do
we
store
it?
How
do
we
process
it
and
for
what
purposes?
This
is
the
topic.
I
want
to
talk
to
you
today
about
with
a
focus
on
the
gdpr
regulations,
so
we
see
an
international
trend
of
data
privacy
most
prominent
in
europe
with
the
gdpr,
which
is
a
general
protection
of
user
data
that
regulates
protection
of
data
sort
of
classical
information
security,
privacy
of
data
and
also
limits
how
we
can
actually
transfer
this
data.
A
A
A
So
in
summary,
all
data
that
explicitly
or
implicitly
identifies
an
individual
is
personal
data,
and
the
regulation
here
is
future
proof
in
the
sense
that
data
that
is
today
not
really
considered
personal
can
be
considered
personal
in
the
future.
So
we
should
be
very
careful
there
about
collecting
when
collecting
data
about
personal
opinions,
diseases,
religions
and
the
similar.
A
So,
let's
talk
about
terminology
a
bit
in
gdpr.
We
talk
about
the
data
subject,
that
is
the
person
above
whom
you're
collecting
the
data,
the
data
controller,
if
you're
running
an
online
service
and
collect
this
data,
you
are
the
data
controller
and
then
they
also
have
data
processors,
and
this
is
basically
all
the
various
type
of
providers
you
use
for
processing
data
that
you
collect
about
these
persons
so
most
prominently.
This
would
be
your
cloud
provider.
A
So
gdpr
brings
out
quite
a
few
requirements
on
data
processors,
for
example.
You
need
a
legal
basis
as
one
of
the
six
reasons
to
collect
this
data
if
you
don't
have
a
legal
basis
and
consent,
you're
not
allowed
to
collect
data,
and
this
is
the
reason
that
we
see
cookie
consent
pop-ups
on
every
website.
We
visit
they're
asking
for
your
consent
to
store
the
data
in
accordance
to
gdpr.
A
So
this
would
be
your
friendly
parking
attendant
telling
you
that
your
car
is
incorrectly
parked
in
this
new
street.
So
please
don't
do
that
in
the
future
and
you
will
get
fined.
So,
interestingly
enough,
if
we
look
at
the
top
fines
handed
out
here,
we
see
that
these
are
both
handed
to
european
and
non-european
countries.
So
your
organizations
place
of
registration
doesn't
matter
here
and
we
can
see
two
broad
categories.
A
We
can
see
both
that
data
has
been
used
in
an
inappropriate
way,
and
we
can
also
see
that
some
others
are
fine
for
not
having
sufficient
protection
capabilities
around
the
data.
So
you
need
both
a
sort
of
top-notch
information
security
system
program
and
to
actually
use
data
in
a
proper
way.
If
you
want
to
comply
with
ddpr.
A
So,
let's
look
at
the
first
challenge
for
data
obsolescence.
Observability
we've
been
told
many
times
that
observability
is
a
great
way
to
find
out
what's
happening
with
your
running
system,
so
we
keep
metrics
to
see
how
how
things
are
running,
what
kind
of
utilization
we
have
and
so
on.
We
do
logs
to
be
able
to
do
detailed
debugging
later
and
we
may
even
use
distributed
tracing
to
pinpoint
performance
issues,
so
I
mean
we're
trying
to
ensure
that
our
users
are
happy
our
applications
run
as
they
should
and
that
our
servers
and
infrastructures
are
not
overloaded.
A
The
other
challenge
to
data
obsolescence
is
availability
and
then
in
particular,
high
availability
is
important
for
any
business.
So
I
mean
recent
news
highlight
the
need
for
high
availability
and,
in
fact,
in
the
ability
to
be
able
to
operate
as
normal.
Even
despite
major
failures
is
important,
and
I
mean
this
is
highlighted.
Then
in
many
regulations
such
as
iso,
27,
000
and
such
criteria
are
commonly
described
as
business
continuity.
Even
if
disaster
strikes
there
should
be
continuity
to
your
business
and
not
as
illustrated
by
this
recent
boating
incident,
so
to
achieve
higher
availability.
A
A
So
in
essence,
we
are
data
holders,
we're
collecting
data
about
our
users
all
out
all
throughout
our
systems,
and
we
keep
them
for
longer
than
we
perhaps
necessarily
need
and
in
more
places,
whereas
gdpr
is
very
strict
that
we
need
to
minimize
data,
so
we're
only
allowed
to
collect
data
for
the
purpose
of
the
actual
collection
and
store
it
as
long
as
needed.
So,
for
example,
if
you're
doing
detailed
logging
to
debug
some
login
session
in
one
of
your
market
services,
it
makes
a
lot
of
sense
to
store
some
logs
to
see.
A
What's
going
on,
but
frankly,
storing
these
logs
for
much
longer
than
needed
for
a
sort
of
immediate
debugging
is
likely
not
in
accordance
to
gdp
or
because
two
weeks
down
the
road.
You
probably
know
whether
that
user
managed
to
log
in
successfully
or
not,
and
you
don't
no
longer
have
a
valid
reason
to
store
that
data
from
a
gdpr
perspective.
A
So
the
solution
I
would
like
to
propose
here
is
really
retention,
so
do
collect
what
kind
of
data
you
have
but
keep
it
on
as
long
as
it's
reasonable
for
the
for
the
sake
you're
collecting
it
so
do
rotate
your
metrics,
your
logs
and
your
traces
accordingly
and
then
backups
very
interestingly,
according
to
a
recent
french
court
ruling
are
not
are
not
really
subject
to
data
minimization
and
the
right
to
be
forgotten
and
the
gdp
heart.
So
if
your
user
asks
to
be
forgotten,
you
don't
need
to
erase
any
backup
containing
data
about
the
user.
A
A
The
second
point
I
want
to
make
here
is
about
data
transfers,
so
why
should
we
really
care
about
that?
So
here
to
the
right,
we
see
a
map
of
the
world
with
a
few
readings
highlighted,
and
this
could
be
the
locations
of
past
and
upcoming
cube
cons
once
we
get
the
chance
to
meet
again
in
person,
but
for
this
particular
talk
talk
the
map
highlights
where
the
largest
cloud
providers
in
the
world
are
incorporated,
and
yet
the
pr
states
clearly
that
you,
the
data
controller,
is
responsible.
A
So
why
is
this
important?
Well
up
until
this
summer,
we
had
a
legal
framework
for
data
transfers
between
europe
and
the
united
states
under
framework,
which
was
called
the
privacy
shield,
which
allowed
european
countries
to
safely
transfer
data
to
the
u.s
and
ensure
that
they
comply
with
gdpr,
and
this
was
the
second
incarnation
of
such
a
framework.
Previously,
there
was
something
called
the
safe
harbor
that
turned
out
not
to
be
safe.
According
to
court
rulings
that
was
invalidated
and
later
on,
we
had
a
privacy
shield.
A
However
same
story,
cam
comes
over
once
again,
so
this
particular
summer,
one
european,
the
european
court
of
justice,
basically
said
that
the
privacy
shield
is
no
longer
valid.
So
without
going
into
too
much
details.
This
is
a
really
a
clash
of
cultures,
whereas
in
the
us
there's
a
strong
culture
of
the
state
having
the
right
to
citizens,
data
for
security
reasons,
whereas
in
europe,
but
there's
a
strong
culture
of
you
as
individual
having
the
right
to
your
own
data
and
similarly
not
at
the
state.
But
at
the
company
level.
A
A
So
what
will
happen
then
in
the
future?
Will
we
have
another
data
transfer
agreement
so,
while
searching
for
the
ocean,
I
found
this
very
neat
idea
of
the
iron
fence,
perhaps
inspired
by
the
iron
curtain.
That
will
be
valid
all
up
in
up
up
until
2038.
After
known
longer,
transfers
of
data
over
the
internet
is
possible.
It's
a
yoke
aside,
because
this
was
published
on
april
1st,
given
this
clash
of
culture
and
law,
there
is
very
like
unlikely
that
there
will
be
a
new
data
transfer
agreement
between
europe
and
the
united
states.
A
So
what
are
my
options?
Well,
the
european
court
of
justice
upheld
so-called
standard
contractual
clauses
or
binding
corporate
rules
as
one
valid
mechanism
for
data
transfer.
However,
this
places
a
lot
on
burden
on
the
data
processor.
That
is
you
to
determine
whether
there's
sufficient
protection
for
data
privacy
with
your
processors
and
honestly.
This
does
not
look
very
promising,
so
you
may
also
try
to
get
a
consent
from
your
user
for
your
type
of
processing,
but
this
is
very
tricky
because
you
need
to
gather
consent
for
each
individual
type
of
processing.
A
Well,
let's
try
to
anonymize
the
data
studentize,
the
data
or
even
encrypt
the
data
before
transferring
it
to
some
of
the
clouds
in
in
the
us.
Well
I
mean
this
is
doable
as
we
can
do
encryption
at
rest
and
encryption
transit,
but,
however,
as
we
cannot
do
encryption
in
use
as
a
good
in
a
good
manner,
this
very
much
limits
the
use
of
such
external
sub-processors.
A
A
So
how
do
they
do
that?
Well
cloud
native
technology
and
kubernetes
to
the
rescue
to
achieve
cloud
agnostic
compliance
because
with
cloud
native
technology,
we
can
build
our
application
stacks
in
such
a
way
that
we
can
run
them
in
large,
hyperscale
clouds
outside
of
europe
and
also
in
our
own
data
centers
or
on
smaller
european
clouds
or
without
when
they're
looking.
A
He
has
to
illustrate
this
concept.
So,
if
you're
running
some
services
on
amazon
and
you're
using
certain
type
of
technologies,
there
are
nowadays
good
alternatives
in
the
cloud
native
space,
such
as
using
kubernetes,
instead
of
some
compute
service
or
eks,
using
cube,
sorry
k
native
product
for
serverless
and
so
on,
I
won't
go
through
the
full
list,
but
in
essence
the
kind
of
most
fundamental
services
that
you
would
need
to
construct
your
application
and
that
you
can
get
from
a
big
hyperscaler
cloud.
You
can
create
yourself
using
cloud-native
technologies.
A
So
we
reviewed
ddp
and
found
that
there
is
quite
a
few,
let's
call
them
more
technical
articles
suggesting
at
various
types
of
information,
security
capabilities
and
some
of
these
may
reside
at
the
physical
level,
others
at
the
platform
or
kubernetes
level.
Yet
others
are
more
about
your
applications
or
even
your
processes
in
your
organization,
but
let's
focus
what
we
can
solve
at
the
kubernetes
level
here.
A
A
So
I
would
really
like
to
know
that
this
u1
the
person
logging
into
this
kubernetes
cluster,
not
just
some
anonymous
administrator
account
that
tries
to
do
changes
and
similarly,
we
would
like
to
use
something
like
rule
based
access
control
to
actually
limit
what
this
administrator
is
allowed
to
do
versus
some
other
things.
And
if
you
want
even
more
fine-grained
access
control,
you
can
look
at
something
like
oppa
and
its
gatekeeper
product.
A
So,
let's
look
at
article
43
and
44,
which
is
notification
of
data
breaches,
ddpr
mandates
that
open
the
data
breach.
You
really
need
to
notify
the
data,
the
data
subjects,
and
here
we
can
use
cloud
native
tools
such
as
falco
for
intrusion,
detection
that
captures
everything
that's
going
on
in
our
cluster
and
gives
us
warnings
about
very
suspicious
activity.
A
I
would
recommend
combining
that
with
the
detailed
logging
press
through
elastic
and
kibana
to
store
not
only
application
logs,
but
actually
what
it
looks
from
kubernetes
control
plane
to
understand
what
is
going
on.
So,
if
you
get
a
suspicious
fault
code
alert,
we
can
look
to
our
audit
logs
and
see.
Was
this
only
our
internal
development
team
that
deployed
a
new
function
or
a
new
version
of
or
some
application
that
did
something
that
palco
picked
up,
or
is
this
really
a
sign
of
an
ongoing
attack?
A
So
I
mean
by
these
examples
I
illustrate
how
we
can
use
cloud
native
technologies
to
create
an
information
security
management
system
and
thus
fulfill
some
of
the
aspects
for
compliance
and
to
illustrate
how
to
combine
these
kind
of
tools.
We
created
what
we
call
conclined
kubernetes,
where
we
basically
use
a
lot
of
well-known
cloud-native
technologies
to
implement
the
technical
capabilities
required
to
achieve
compliance
with
gdpr
or
similar
regulations,
and
this
is
just
one
possible
such
rendering.
You
may
replace
some
of
these
technologies
with
similar
scope
products
to
achieve
similar
goals.
A
To
sum
up,
compliance
regulations
such
as
gdpr
requires
strict
handling
of
personal
data,
and
failure
to
do
so
may
result
in
crippling
fines.
We
need
sufficient
information
security
for
data
protection,
but
we
also
need
to
minimize
the
data
we
collect,
so
no
more
data
hoarding
and
also
we
need
to
implement
the
right
to
forgotten,
for
example,
through
tight
data
retention.
A
Furthermore,
the
end
of
the
privacy
shield
raises
a
barrier
for
transferring
data
from
the
european
union
to
the
u.s.
Unfortunately,
through
the
cloud
native
technology,
we
get
the
building
blocks.
We
need
to
build
our
own
cloud,
agnostic
compliance
toolkit
and
a
final
shout
out.
Please
check
out
compliant
kubernetes,
our
own
rendering
of
cloud
native
technologies
for
compliance.
If
you
like
it,
please
give
us
a
star
or
even
contribute.