Most likely, by now you have signed data processing agreements with your suppliers of managed IT services. But, are you prepared if your suppliers’ subcontractors move outside Europe and you are in breach with the GDPR?
May 25, 2018 was the deadline for GDPR compliance in most parts of Europa. A few countries including Norway and Luxembourg will catch up soon.
Hard GDPR work has been performed, which most of us have witnessed in our email inboxes. Almost everyone has explained how they process personal data and asked for permission to keep sending you information about products and services.
Maybe you are among those who have been working late hours to get everything ready in time within your own organization? And you feel pretty happy about taking care of other concerns for a while?
If so, pardon us for addressing GDPR issues again and spoiling the fun of being through. But we have some questions to ask. They might not lead to short term pleasure but rather to long time joy.
The questions concern subcontractor responsibilities.
Most companies controlling and owning data have signed data processing agreements with their managed IT service suppliers which have turned to public cloud service providers like Google Cloud, AWS and Microsoft Azure for back-to-back agreements.
Basefarm compliance advisor Patrick Tahiri has guided several organizations into the GDPR regime. He explains:
“When managed IT service providers such as Basefarm applies public cloud subcontractors as part of their hybrid cloud services, they need back-to-back agreements to secure your responsibilities as data controller through the entire value chain.”
What is paid less attention to is that public cloud subcontractors provide services from their own subcontractor. If so, Tahiri advises subcontractor agreements to be secured also on this level.
“Be aware that such subcontractors of subcontractors might move their service production out of Europe. Then, you might be in breach with the GDPR. Through recent work, we in Basefarm have witnessed many customers overlooking this potential security problem,” says Tahiri.
A likely scenario? Not what you would expect regularly, but still something to prepare for through contracts and access to skills for moving your services from one cloud to another.
1. Expect most subcontractors to handle GDPR professionally. Still, in the end you are responsible as data controller. Assess risks proactively when evaluating subcontractors. Check if they understand their responsibilities and have GDPR compliance capabilities.
2. See to it that agreements include early warning regulations if a subcontractor moves its services out of the European GDPR zone.
3. Routinely control if the subcontractors actually follow up your agreements. You might perform such controls yourself through questionnaires or team up with others to share GDPR audit work and costs. Basefarm will perform audits on behalf of several customers.
4. Be prepared to move your entire cloud installation to another cloud services provider. Connect appropriate skills. And, as with any backup/restore routine, test that you are able to perform a movement procedure.
The National security Agency in the United States recently released an advisory warning of the threat of Chinese state sponsored attacks and detailed 25 vulnerabilities used. The advisory gives detailed information about the vulnerabilities, what it affects and how to remediate them. Most of them are remotely exploited and can be used to gain initial […]
Published: 2020-10-13MITRE CVE-2020-16891 “A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.” This is especially bad for “hotel” environment with multiple different tenants that should not be able to influence each other, but it is also bad […]
Published: 2020-10-13MITRE CVE-2020-16898 “A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets.” This vulnerability affects Windows 10, Server 2019 and Server Core versions (see full Security Advisory for proper details). It can be mitigated by disabling a network feature or blocking ICMPv6 Router Advertisement packets. Basefarm and […]
In this post there is specific focus on an infamous threat that resurfaced during the summer. Following several news articles in Nordic media of phishing attacks towards public services in late august and, in addition, sources that indicate that the Emotet trojan resurfaced in mid-july, several sources online are now indicating a massive campaigning not […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT) Currently the biggest exposure to threats in the cyber domain is presented via mail. Phishing attacks tricks out the credentials for legitimate users and then gain access to the mail account, and some actors […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT) A new CyberCrime group nicknamed RedCurl has been discovered after over two years of operation, attacking at least 14 organizations in over 26 attacks. They are known to attack companies in at least six […]
Published: 2020-07-29MITRE CVE-2020-10713 GRUB 2 is a “boot loader”, it precedes the actual operating system and allows for multiple options in what operating system to load and with what parameters given. An attacker with administrative privileges on a system, or physical access, can use this vulnerability to bypass the check of cryptographic signatures and run […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT) This week we get a unique insight into a threat actors inner working as IBM’s X-Force IRIS security team uncover a 40GB cache of data belonging to a threat actor called “ITG18” (overlaps with […]
BF-SIRT Newsletter 2018-26 
Photo by Caleb George on Unsplash
Photo by Ricardo Esquivel from Pexels
Photo by John-Mark Smith from Pexels
Water Droplets on Spider Web - CC0 by Pixabay
Image by Martin Pecar from Pixabay
Photo by Noelle Otto from Pexels
Photo by Tim Mossholder on Unsplash