Cloud Based Internet Security Designed for GDPR
As applications move to the cloud and the traditional network perimeter erodes, the need for cloud-based Internet security increases. The iboss cloud delivers Internet security in the cloud while maintaining GDPR compliance.
GDPR and iboss cloud Overview
GDPR and other regional regulations make SaaS cloud migrations difficult. As applications continue to move to the cloud and mobility increases, traditional approaches to Internet security become unsustainable because bandwidth keeps increasing and strategies now include less network infrastructure and management. The iboss cloud runs in the cloud and can secure user Internet access regardless of location, and it has the unique ability to do so while adhering to regulations such as GDPR. The containerized architecture allows the iboss cloud to deliver the following benefits:
- Containerized cloud gateway capacity ensures data is scanned within regulated countries
- Containerized cloud reporting capacity ensures data is stored within regulated countries
- Admin defined and controlled zones allow clear visibility to how data will flow through cloud-based Internet security when users are within regulated regions
- Admin controlled reporting logging flow ensures reporting data remains within regulated regions
- Log and reporting anonymization encrypts sensitive user PII such as username, source IP and group membership
- Selective decryption allows data to remain untouched in regions that require it
- Private cloud can meet the needs that demand private capacity while still leveraging the global iboss cloud presence for users globally
Challenges Related to Cloud-Based Internet Security and GDPR
GDPR and other regional regulations make cloud application use challenging. This is especially true of cloud-based Internet security that is scanning user data as it is traversing to cloud applications and the public Internet. To make things even more challenging, Internet security platforms must store user Internet activity event logs that may contain information that falls under GDPR constraints. Typical challenges include:
- When users are accessing the Internet within regionally regulated countries, data must be scanned within country to ensure compliance
- When user Internet activity is stored, it must be stored within country to ensure compliance
- User Internet activity may need to be anonymized to hide PII from certain administrators, depending on regulations
- HTTPS data decryption may not be allowed for particular destinations in particular regions and must traverse to the Internet untouched
- The need to adapt what happens with data as it is scanned and secured may vary depending on user location to meet regulations for that particular country or region
Regulations may even conflict from region to region, making things worse for organizations with a global footprint. However, if an organization is moving to cloud and SaaS applications and data center footprints are shrinking, installing and maintaining Internet security appliances is not sustainable: it results in massive costs as bandwidth increases and in decreased productivity as data from end users is hairpinned through on-prem equipment.
The iboss cloud easily solves the challenges involved with meeting regulatory compliance while delivering the value of a SaaS, cloud-delivered Internet security platform. The containerized architecture, which is not found in any other Internet security platform, is the foundation for meeting these regulations.
iboss cloud Solves GDPR Challenges
Containerized Cloud Gateway Capacity Within Regions Ensures Data is Scanned Within Regions
The concept of containerization allows for containerized work units, such as gateways, to exist in iboss cloud specifically within a defined region. Users are always connected to iboss cloud through the containerized gateway work units for Internet security, including compliance, malware defense and data loss prevention. Since these cloud gateway units are what scan user data for security, the scanning of the data occurs within the regulated regions in which the gateways exist. Containerized gateway capacity can exist in tightly controlled regions to ensure user data is scanned by specific containerized gateways depending on user location. This ensures GDPR is being met for the processing of the data as it is scanned for Internet security.
Containerized Cloud Reporting Capacity Within Regions Ensures Data is Stored Within Regions
Like the containerized gateway work units that scan end user data for security, reporting databases are also containerized. These containerized reporting units can store event log and drill down reports within the specific regions in which they exist. Depending on where a user is located, the gateways can send reporting log events to the appropriate containerized reporting work unit that exists within the regulated region to ensure reporting data stays within that region. This ensures GDPR compliance is being met for reporting and log storage.
Admin Defined Zones Provide Explicit Visibility and Control
With some cloud security platforms, ensuring GDPR and other regional compliance is difficult and often very vague. The iboss cloud allows administrators to define zones within the iboss cloud admin console to control how data flows from end users and where reporting events are stored. The iboss cloud uses the end user’s source IP to determine the user’s location and maps the user to a zone defined by the iboss cloud administrator. The administrator can create as many zones as necessary, including country-based zones. As users are mapped to the zone, the zone instructs the endpoint on how and where to send data to the iboss cloud to ensure data is scanned and stored within a region. This also gives the administrator clear visibility to ensure GDPR compliance is being met.
Reporting and Log Data Can Flow To Different Reporting Databases Depending on User Location
As users move from place to place, the iboss cloud allows administrators to configure where the Internet activity log data is stored. This includes sending data to reporting databases specifically within a region or country when a user is in that region and a completely different reporting database when the user moves to a different region.
Log and Reporting Anonymization and Encryption
Regulations may require that PII is encrypted and anonymized. The iboss cloud can be configured to encrypt sensitive information in logs and reports such as username, source IP and group membership. Administrators with the privilege can decrypt the data when necessary to reveal the true source of the data. Delegated administrators will only see anonymized identities in the Internet activity reports.
Selective Decryption to Prevent Decryption When Needed
The iboss cloud has extensive HTTPS decryption controls to gain visibility into encrypted traffic, which is necessary to meet regulations such as those in finance that require the inspection of web communications in certain regions. Decryption can also be applied selectively using an extensive number of criteria, including domain, category and user group membership. This allows traffic to remain untouched when needed due to regulations within a particular region, while decrypting when other regulations or the organization require it.
Extending Into Private Cloud
The containerized architecture of iboss cloud allows cloud gateway capacity to run anywhere, including within a private cloud datacenter. The private cloud capacity will run in parallel to the other iboss cloud capacity providing the global reach and infinite capacity needed by global organizations. The private cloud capacity is turnkey and completely provided by iboss.
How It Works
Taking advantage of iboss cloud for GDPR is easy. To get started:
- Get an active iboss cloud account
- Connect users to iboss cloud using the iboss cloud connectors or branch office tunnels
- Create zones within the iboss cloud admin console to define how data flows when users are within regions
Admin Controlled Zones
The Locations and Geomapping features within iboss cloud allow for the creation of admin defined zones. These zones are mapped to users by using the source IP of the user and geolocating the IP Address to an admin defined Geo-Zone. The Zone contains the routing data for the end user while the user is in that zone. Administrators can also create zones based on public IP subnets to map users when they are in specific offices to iboss cloud gateway capacity in a particular region.
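The zone lookup described above can be sketched as follows. This is an added example, not iboss code or its API: the precedence of office subnets over geo-zones, the fail-closed handling of unmapped addresses, and every name, host and address range are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    gateway: str    # hypothetical in-region gateway host
    reporting: str  # hypothetical in-region reporting database host

DE = ("gw-de.example.net", "reports-de.example.net")
FR = ("gw-fr.example.net", "reports-fr.example.net")

# Constructed sample data (documentation address ranges, made-up hosts).
SUBNET_ZONES = [
    (ipaddress.ip_network("198.51.100.0/24"), Zone("de-office", *DE)),
    (ipaddress.ip_network("198.51.100.128/25"), Zone("fr-office", *FR)),
]
GEO_ZONES = {"DE": Zone("de-geo", *DE)}  # country code -> geo-zone
GEO_TABLE = [  # stand-in for a GeoIP database
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

def geolocate(ip):
    """Return the country code for ip, or None if the table has no entry."""
    return next((cc for net, cc in GEO_TABLE if ip in net), None)

def resolve_zone(source_ip: str) -> Zone:
    """Map a source IP to a zone: most specific office subnet, then geo-zone."""
    ip = ipaddress.ip_address(source_ip)
    hits = [(net.prefixlen, zone) for net, zone in SUBNET_ZONES if ip in net]
    if hits:
        return max(hits, key=lambda h: h[0])[1]
    zone = GEO_ZONES.get(geolocate(ip))
    if zone is None:
        # Fail closed: an unmapped location must not fall through to a
        # default gateway or log store that may sit outside the region.
        raise LookupError(f"no zone defined for {source_ip}")
    return zone

def route_log_event(event: dict) -> dict:
    """Attach the in-region reporting destination to a log event."""
    zone = resolve_zone(event["src_ip"])
    return {**event, "zone": zone.name, "reporting_db": zone.reporting}
```

An address that geolocates to a country with no admin-defined zone raises `LookupError` here, which makes gaps in zone coverage visible before traffic or logs leave the intended region.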
Log and Reporting Anonymization
The log encryption and anonymization feature uses symmetric AES encryption to anonymize user PII within logs and reports. Only administrators with that privilege can use the encryption key to decrypt the data. Log anonymization can be enabled for cases that require PII to be anonymized within logging and reporting databases. The anonymized data is stored encrypted and anonymized within the reporting database, and is also displayed encrypted and anonymized to administrators viewing reports.
GDPR Zoning Features, Anonymization and In-Region Cloud Capacity
GDPR capabilities are included with all iboss cloud subscriptions at no additional cost.
Learn More About GDPR and iboss cloud
To learn more about GDPR and iboss cloud, visit https://www.iboss.com/business/ensure-gdpr-compliance.