Most likely, by now you have signed data processing agreements with your suppliers of managed IT services. But, are you prepared if your suppliers’ subcontractors move outside Europe and you are in breach with the GDPR?
May 25, 2018 was the deadline for GDPR compliance in most parts of Europa. A few countries including Norway and Luxembourg will catch up soon.
Hard GDPR work has been performed, which most of us have witnessed in our email inboxes. Almost everyone has explained how they process personal data and asked for permission to keep sending you information about products and services.
Maybe you are among those who have been working late hours to get everything ready in time within your own organization? And you feel pretty happy about taking care of other concerns for a while?
If so, pardon us for addressing GDPR issues again and spoiling the fun of being through. But we have some questions to ask. They might not lead to short term pleasure but rather to long time joy.
The questions concern subcontractor responsibilities.
Most companies controlling and owning data have signed data processing agreements with their managed IT service suppliers which have turned to public cloud service providers like Google Cloud, AWS and Microsoft Azure for back-to-back agreements.
Basefarm compliance advisor Patrick Tahiri has guided several organizations into the GDPR regime. He explains:
“When managed IT service providers such as Basefarm applies public cloud subcontractors as part of their hybrid cloud services, they need back-to-back agreements to secure your responsibilities as data controller through the entire value chain.”
What is paid less attention to is that public cloud subcontractors provide services from their own subcontractor. If so, Tahiri advises subcontractor agreements to be secured also on this level.
“Be aware that such subcontractors of subcontractors might move their service production out of Europe. Then, you might be in breach with the GDPR. Through recent work, we in Basefarm have witnessed many customers overlooking this potential security problem,” says Tahiri.
A likely scenario? Not what you would expect regularly, but still something to prepare for through contracts and access to skills for moving your services from one cloud to another.
1. Expect most subcontractors to handle GDPR professionally. Still, in the end you are responsible as data controller. Assess risks proactively when evaluating subcontractors. Check if they understand their responsibilities and have GDPR compliance capabilities.
2. See to it that agreements include early warning regulations if a subcontractor moves its services out of the European GDPR zone.
3. Routinely control if the subcontractors actually follow up your agreements. You might perform such controls yourself through questionnaires or team up with others to share GDPR audit work and costs. Basefarm will perform audits on behalf of several customers.
4. Be prepared to move your entire cloud installation to another cloud services provider. Connect appropriate skills. And, as with any backup/restore routine, test that you are able to perform a movement procedure.
Published: 2021-06-11CVE-2021-3560 “A flaw was found in polkit. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process.” The error is not handled correctly and the request is granted […]
…or what happens if a link in a phishing e-mail is clicked? It is a hard question to answer because attackers usually implement filtering methods. For example: If you have an apple device you get directed to one place If two hours go by before you click the link, its sent to a different place […]
The year 2021 has seen several high profiled vulnerabilities being actively exploited in bigand popular software, including Microsoft Exchange and Solar Winds Orion. Experience shows that in some cases it is too late to patch even after a few days.Many organizations work with the guideline of patching within 30 days, if the vendor states theupdate […]
Published: 2021-03-02CVE-2021-26855CVE-2021-26857CVE-2021-26858 CVE-2021-27065 “Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to […]
Basefarm has become aware of published news telling of Russian-accredited advanced persistent threat actors, given the name of Sandworm, having exploited Centreon IT monitoring software. Basefarm is aware that some news report mention Orange as on the customer-list of Centreon and while Basefarm is owned by Orange Business Services we would like to make it […]
Published: 2021-02-09MITRE CVE-2021-24074MITRE CVE-2021-24094MITRE CVE-2021-24086 “Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the […]
Ransoms is sadly the trend these days. We want to share a cheap and effective way to enable prevention that most probably fail to consider. Using the ransomware simulator from KnowBe4, RanSim, we could see that our endpoints did no prevention previously. An easy way to minimize the attack surface for ransomware is to use […]
Published: 2021-01-26MITRE CVE-2021-3156 “The Qualys Research Team has discovered a heap overflow vulnerability in sudo, a near-ubiquitous utility available on major Unix-like operating systems. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.” This is especially bad for multi-user environments where some users have login access, but […]
There is an ongoing news-story concerning SolarWinds and a supply chain attack used by an advanced threat actor to compromise victims with a rather advanced backdoor. Basefarm does not use this affected product, but are aware of at least one of our customer who do. We are working with the customer in question to mitigate […]
Published: 2020-12-08MITRE CVE-2020-17095 “A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to […]
BF-SIRT Newsletter 2018-26 
Photo by Rido Alwarno from Pexels
Image by Glenn Carstens-Peters from Unspalsh
Image by David Mark from Pixabay
Image by Peter H from Pixabay
Mikael Karlsson
Image by Hermann Schmider from Pixabay
Image by Ervin Gjata from Pixabay
Image by adege from Pixabay