Will the Amazon Web Services (AWS) Shared Responsibility Model Change Under GDPR?

From the past year and a half, there is so much going around GDPR – General Data Protection Regulation, the most comprehensive data privacy law ever enforced. The European Union’s GDPR, a data protection law that passed in the EU Parliament in 2016 and which came in to force on May 25, 2018, aims to facilitate the rights of individuals to own their own data and any business handling that data must keep it secure. The regulation describes data processor and data controller roles and this led customers and AWS Partner Network (APN) looking for the answers of how this will affect the long-established (Amazon Web Services) AWS Shared Responsibility Model.



Vikas Katoch
VP – IT Services

So is it true that the AWS Shared Responsibility Model change under GDPR? Well, the answer is ‘No’. Nothing will cause the change. To understand in a simpler way, Amazon Web Services (AWS) secures the core infrastructure that supports the cloud and the services provided. On the other hand, customers and APN partners, acting either as data controllers or as data processors, are responsible for any personal data they put in the cloud. Thus, the Shared Responsibility Model distinguishes the responsibilities of AWS and customers and APN partners, and the same breakup of responsibility applies under the GDPR.

Accountability of AWS as a Data Processor

When GDPR was introduced, it specified separate responsibilities for data controllers and data processors. Which means, when any customer of AWS uses the services to process personal data, the controller is usually the AWS customer. In such situations, AWS is always the data processor, since the customer is directing the processing of data through its interface with the AWS service controls, and AWS is only implementing customer’scommands. Accountability of AWS as a data processor lies in protecting the global infrastructure that runs all the services. For them, securing the infrastructure is the top priority and they invest significantly by bringing in third-party auditors to test security controls and make any issues they find available to the customer base through AWS Artifact. The ISO 27018 report of AWS says all about testing security controls that focus on protection of personal data in particular.

When it comes to managed services, AWS is responsible for everything. Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon Elastic MapReduce, and Amazon WorkSpaces are few examples of managed services that provides the scalability and flexibility of cloud-based resources with less operational overhead. It handles all the security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.

Responsibilities of Customer and APN Partner as data controllers.

Within the AWS environment, customers can act as data controllers or data processors and the services they use might help in determining the ways those services are configured to meet GDPR compliance needs. One of the AWS services known as ‘Infrastructure as a Service’ (IaaS) that includes Amazon EC2, Amazon VPC, and Amazon S3, are required to control and perform all the routine security configuration and management that would be necessary no matter where the servers were located.

How AWS Services can help

To help you adhere to the GDPR compliance, AWS recommends protecting account credentialsand setting up individual user accounts with Amazon Identity and Access Management (IAM), so that each user is only given the permissions necessary to perform their jobs. It is also recommended to utilize multi-factor authentication (MFA) system forevery account,use of SSL/TLS to communicate with AWS resources, setting up API/user activity logging with AWS CloudTrail, and using AWS encryption solutions, along with all default security controls within AWS Services. One can also make use of advanced managed security services, such as Amazon Macie, which assists in discovering and securing personal data stored in Amazon S3.

To learn more about the AWS Shared Responsibility Model and GDPR, you can visit the website by clicking the link given below. Moreover, if you want to develop a solution that truly adheres to GDPR compliance for your benefit, talk to our cloud specialists.

(Source: aws.amazon.com)