Can EU General Data Protection Regulation Compliance be Achieved When Using Cloud Computing

Bob Duncan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The forthcoming EU General Data Protection Regulation (GDPR) will come into effect across the EU on 25th May 2018. It will certainly be the case that a great many companies will be inadequately prepared for this significant event. While a great many companies who use traditional in-house distributed systems are likely to have a hard enough job trying to comply with this new regulation, those businesses who use any form of cloud computing face a particularly difficult additional challenge, namely the Cloud Forensic Problem. It is not just that cloud use presents a far more challenging environment, but that the Cloud Forensic Problem presents a far more difficult barrier to compliance. This problem arises because all computing systems are constantly under serious attack, and once an attacker gains a foothold in a cloud system and becomes an intruder, there is very little to prevent the intruder from helping themselves to any manner of data covered by the GDPR, whether by viewing it, modifying it, deleting it or exfiltrating it from the victim system. Worse, there is nothing to prevent the intruder from gaining sufficient privileges to then completely delete all trace of their incursion, possibly deleting far more records than they need to in the process. We address exactly what the requirements of EU GDPR compliance are, consider whether compliance can be achieved without resolving the Cloud Forensic Problem, and propose some approaches to mitigate this problem, and possibly the massive potential fines that could then be levied.
Original language: English
Title of host publication: CLOUD COMPUTING 2018 : The Ninth International Conference on Cloud Computing, GRIDs, and Virtualization
Editors: Bob Duncan, Yong Woo Lee, Aspen Olmsted
Publisher: IARIA
Pages: 1-6
Number of pages: 6
Publication status: Published - 20 Feb 2018
Event: The Ninth International Conference on Cloud Computing, GRIDs, and Virtualization - Barcelona, Spain
Duration: 18 Feb 2018 to 22 Feb 2018

Publication series

Name: Cloud Computing 2018
Publisher: IARIA

Conference

Conference: The Ninth International Conference on Cloud Computing, GRIDs, and Virtualization
Country: Spain
City: Barcelona
Period: 18/02/18 to 22/02/18

Fingerprint

Data privacy
Cloud computing
Industry
Compliance

Keywords

  • EU GDPR
  • Compliance
  • Cloud Computing
  • Cloud Forensic Problem

Cite this

Duncan, B. (2018). Can EU General Data Protection Regulation Compliance be Achieved When Using Cloud Computing. In B. Duncan, Y. W. Lee, & A. Olmsted (Eds.), CLOUD COMPUTING 2018 : The Ninth International Conference on Cloud Computing, GRIDs, and Virtualization (pp. 1-6). [28010] (Cloud Computing 2018). IARIA.
