How Do I Enforce Data Residency Policies in the Cloud and, Specifically, Comply with GDPR?
CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 dedicates a significant portion of Domain 3 (Legal Issues, Contracts and Electronic Discovery) to outlining your responsibilities for EU security concerns in general, and GDPR compliance specifically. This provides a good roadmap of what data you need to account for and what controls to implement.
Thales eSecurity recommends that the basic controls you use for any regulated Personally Identifiable Information (PII) are a good place to start with GDPR, because the controls and types of data are similar. This is briefly discussed in Domain 11. We also recommend the use of Identity Management, encryption and key management as complementary mechanisms to enforce the Cross-Border Data Transfer Restrictions, so that, in the event data is moved, it can be rendered inaccessible. You will need to collect both cloud logs for access controls and the logs from your own applications and services to fulfil the Accountability requirement.
The guidance has extensive comments on what logs to collect, and on how to create secure logging architectures and monitor behavior using those logs, in Domain 7 (Infrastructure Security), Domain 9 (Incident Response), and Domain 10 (Application Security).
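The two controls described above (key management that renders relocated data inaccessible, and logging every access decision for accountability) can be modelled in a few dozen lines. The following is an added example, not code from the CSA Guidance or the Thales eSecurity white paper: a hypothetical in-memory key service whose `KeyService`, `ResidencyViolation`, `read_record` and `audit_to_jsonl` names are assumptions, with constructed key ids, region names and sample PII. Data is stored only as ciphertext; the data-encryption key is released only to callers in a region its policy permits, so a copy of the ciphertext replicated elsewhere is useless there; and every key request, allowed or denied, is written to an audit record that can be shipped alongside the cloud provider's own access logs. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the standard library; a real deployment would use the provider's KMS and AES-GCM.

```python
"""Region-bound key release with an accountability audit trail (added illustration)."""
import hashlib
import hmac
import json
import secrets
import time


class ResidencyViolation(Exception):
    """Raised when a key is requested from a region its policy does not allow."""


class KeyService:
    """Minimal in-memory stand-in for a cloud KMS (hypothetical API, not a real product)."""

    def __init__(self, audit_log):
        self._keys = {}             # key_id -> (32-byte material, allowed regions)
        self.audit_log = audit_log  # shared list; each entry is one access decision

    def _record(self, action, key_id, principal, region, allowed):
        self.audit_log.append({
            "ts": time.time(),
            "action": action,
            "key_id": key_id,
            "principal": principal,
            "region": region,
            "allowed": allowed,
        })

    def create_key(self, key_id, allowed_regions, principal="key-admin"):
        self._keys[key_id] = (secrets.token_bytes(32), frozenset(allowed_regions))
        self._record("CreateKey", key_id, principal, "n/a", True)
        return key_id

    def get_key(self, key_id, principal, region):
        """Release key material only if the caller's region is allowed by policy."""
        material, allowed_regions = self._keys[key_id]
        allowed = region in allowed_regions
        self._record("GetKey", key_id, principal, region, allowed)  # log both outcomes
        if not allowed:
            raise ResidencyViolation(f"{key_id} may not be used from {region}")
        return material


def _subkey(key, label):
    # Separate encryption and MAC keys derived from the released material.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # HMAC in counter mode as a PRF-based keystream (stand-in for AES).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(plaintext, key):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(blob, key):
    """Verify the tag before decrypting; reject any modified record."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def read_record(kms, key_id, blob, principal, region):
    """What an application does: fetch the key for its region, then decrypt."""
    return decrypt_record(blob, kms.get_key(key_id, principal, region))


def audit_to_jsonl(audit_log):
    """Serialize decisions as JSON lines for shipping to the central log store."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in audit_log)


if __name__ == "__main__":
    audit = []
    kms = KeyService(audit)
    kms.create_key("pii-eu", {"eu-west-1", "eu-central-1"})       # constructed names
    dek = kms.get_key("pii-eu", "billing-svc", "eu-west-1")
    blob = encrypt_record(b"customer=Jane Doe;iban=EXAMPLE", dek)  # constructed PII
    print(read_record(kms, "pii-eu", blob, "billing-svc", "eu-central-1"))
    try:  # the same ciphertext replicated to us-east-1 is unreadable there
        read_record(kms, "pii-eu", blob, "analytics-svc", "us-east-1")
    except ResidencyViolation as exc:
        print("denied:", exc)
    print(audit_to_jsonl(audit))
```

The design point is that residency is enforced at the key, not at the storage bucket: replication, backups or a misconfigured sync can move ciphertext anywhere without exposing PII, and the denied `GetKey` entries in the audit trail are exactly the events a monitoring rule should alert on.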
Note: This material is drawn from Thales eSecurity White Paper: “Best Practices for Secure Cloud Migration. Leveraging Cloud Security Alliance Security Guidelines.”