Preparing Container-Based Applications for GDPR: What You Need to Know
The General Data Protection Regulation (GDPR), set to replace the European Data Protection Directive 95/46/EC, comes into effect in May 2018. GDPR is intended to protect the privacy of EU citizens, and give regulatory bodies the power to act against non-compliant organizations. It affects member states in the EU, but also companies handling EU citizens’ data, so really, any organization with a global reach including many US companies.
A lot has already been said and written about GDPR but not nearly enough in the context of containers. As the usage of containerized applications increases in production environments, many organizations are looking to extend compliance best practices into container environments, whether deployed across cloud or on-premises environments.
How is the use of containers tied to GDPR compliance? Well, at the very basic level, containerized applications may handle data and processes that require protection under GDPR. For example, if a containerized application handling such data is breached, and data is exfiltrated, that could become a very tangible liability.
Here are some tips to accelerate your Container Environment GDPR readiness:
1. Data Protection Impact Assessment
Understand which vulnerabilities are embedded in images and run-time containers, prioritize and deploy effective remedies by applying policy-based security controls;
- Discover and maintain up-to-date inventory of containerized applications, image repositories, and hosts across the cloud environment
- Map your current network assets and identify all connections (inbound/outbound) between data stores and other containers/services across any platform
- Identify unregistered images running in production
- Evaluate image content against organization policies
- Detect hard-coded secrets embedded in images and containers running as root, ensure permissions comply with least privilege principle
2. Security of Processing
Ongoing vulnerability scans of images in registries are critical in measuring the risk to sensitive assets as well as in implementing effective remediation early in the process. By tightly integrating GDPR security controls right at the development stage via registry scans, for example, you can remove known vulnerabilities as well as personal sensitive data or secrets from images, and prevent configuration errors.
- Scan images and containers for known vulnerabilities, detect malware and enforce image/container integrity to ensure only authorized apps have access to sensitive data
- Remove unnecessary executables from images and containerized apps to minimize attack surface
- Control and monitor users/apps access to sensitive data/identifiers
- Remove hardcoded secrets in images, securely store, rotate and deliver secrets to runtime containers with no downtime
3. Protect Containers Runtime Environments
Tracking container activity in runtime is mandatory for real-time attack detection and disruption. Successfully blocking attacks or limiting their scope can greatly reduce the risk of GDPR-related liability.
- Apply policy-based controls to runtime containers:
- Baseline profiling once instantiated (note file access, resource usage, namespace settings, executable, and communication rules within and between services)
- Set up a policy to block any unauthorized container connection
- Set up alerts on containers’ unauthorized activity (e.g. vital component usage, resources, and network settings)
- Monitor container activity - any deviation should be automatically detected, blocked and/or alerted
- Send alert data on both authorized and unauthorized activity to SIEM/analytics for rapid response.
4. Demonstrate Compliance
Demonstrating compliance to controllers and supervisory authorities is a way of avoiding/minimizing fines in case of a breach. In the container environment, demonstrating compliance means, for example, blocking vulnerable images from being used, while holding them as compliance evidence, proof that remediation was in fact implemented. Other logged events can also be used as compliance evidence, such as replaced high-risk containers, blocked image executables, blocked user access, etc.
- Log container activity for audit and compliance purposes
- Provide proof of compliance;
- KPI trends
- Remediation actions
- Security configuration changes
- Secrets rotation history
To learn more about the recommended steps to help you achieve GDPR compliance for containers, download our GDPR Compliance Guide.