In a previous blog, I shared an analysis of Europe’s public cloud growth trends, challenges and the overall impact on the data analytics market. One other key element to cloud adoption and growth is compliance. The European Union (EU) has been ahead of the compliance curve for a while now, and on May 25, 2018, officially passed the General Data Protection Regulation (GDPR) into law.
The GDPR is one set of comprehensive data protection rules for all companies operating in the EU, wherever they are based. The intention of the new law is to give people more control over their personal data, and to create a level-playing field for all companies operating in the EU.
The GDPR is stamping its mark on the regulatory landscape, and is creating unease across organizations globally. Chief information security officers and their teams are pressured to create balanced security in and between countries and need to strike a balance between new data protection and privacy rules, different national access laws, internal staff access requirements and geo-political pressures. High cloud adoption complicates matters when considering the jurisdictional impacts on the origin, storage location and access and retention requirements for personal data.
In the run-up to the GDPR deadline and after it, my colleagues George Gerchow and Jen Brown have shared a great article on how we’ve been preparing the Sumo Logic platform to comply with GDPR law, and what we are doing to help our ecosystem (customers and partners) ensure they are on a path to GDPR compliance.
In this blog series, I’ll discuss how we are helping some of our European customers, particularly in the media and entertainment, gaming and finance sectors to use their machine data with confidence, and in compliance with GDPR.
GDPR and Machine Data
Sumo Logic’s value-proposition for GDPR relates to machine data. As a by-product of processing information for people, machine data (e.g. logs, metrics and events) often contains personal information, and therefore challenges GDPR compliance in many ways. Compared to other regulations, the GDPR imposes more stringent rules on companies handling machine data, meaning companies need to adapt to comply. Companies also need to come to terms with the fact that the amount of machine data is growing at an exponential rate.
Thanks to our cloud-native architecture, the Sumo Logic platform offers customers flexible, scalable, cost-effective and secure options for ingesting, storing, searching and deleting machine data. Once customers have identified the existence and location of all personal data, and have implemented specific data protection measures, they can ingest any and all data into Sumo Logic to help fulfill their GDPR-related duties incrementally and on demand.
Because of our Cloud Flex pricing model and ease of consumption, this can be done with virtually no associated commercial or technical process — customers simply send the data to Sumo Logic, and we take care of the rest.
Competing cloud-deployed solutions often are unable to auto-scale on demand, and any increased ingestion volume requires either pre-provisioning or lead-time with the support of service personnel to allow it to scale.
One of the core principles underlying the GDPR is to ensure that companies can demonstrate compliance. This means companies must be able to prove that they act in accordance with the GDPR and fulfill all applicable obligations — particularly upon request or inspection from a data protection authority or a data subject.
One way we do this is by developing policies and keeping documentation on all aspects related to the processing of personal data, including the legitimate interest for processing the data, the storage period of the data and the security measures used. Let’s break these down.
Legitimate interest. It must be clear on what legal grounds the personal data is processed. Companies normally have a legitimate interest in processing machine data as it fulfills numerous purposes including troubleshooting, comparison of before and after events, event analysis, security and auditing.
Storage period of data. Although the GDPR does not have retention requirements, companies should only store what they need, and only store it for as long as they need it. If it is not needed, don’t store it, or delete it if it’s already stored. Operational data has much shorter retention periods than security and audit data. Because not all data is the same, Sumo Logic supports variable data retention schemes.
Security measures. The GDPR stipulates companies must take all necessary technical and organizational steps to implement security measures that protect the rights of individuals.
Initiatives our customers are taking to govern their data securely include:
- Identifying and prioritizing which datasets are impacted by data residency and regulatory compliance requirements.
- Conducting data discovery exercises to reveal data protection use cases, and match use cases to access controls. These use cases include deleting, encrypting, redacting, masking or anonymizing the data.
- Determining an appropriate set of security controls and policies and associated procedures and security architecture for each business risk.
- Defining which functions must be applied to security controls and policies, such as role-based, identity and access management, classification, discovery, monitoring, analytics, alerting, audit, protection, revoke and remove.
- Using defined functionality to set requirements for products that need to be deployed across the IT infrastructure.
- Creating consistent access and usage policies for each dataset that follow the data as it flows across all available digital business environments, applications and IoT devices/endpoints.
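The list above names redacting, masking and anonymizing as data protection use cases, and the earlier section on storage periods notes that operational and audit data carry different retention needs. The following is an added example, not Sumo Logic code, of how a small pre-ingestion step might apply those controls to raw log lines: e-mail addresses are replaced with keyed HMAC pseudonyms (deterministic, so events about the same person can still be correlated, but not reversible without the key), IPv4 addresses are masked to their /24 prefix, and each line is tagged with a retention class. The sample lines, field names, regular expressions and retention values are all constructed for this illustration. Note that keyed pseudonymization does not make the data anonymous in the GDPR sense; it remains personal data and the key must be protected accordingly.

```python
"""Pre-ingestion pseudonymization and retention tagging for log lines.

Added example; not part of the Sumo Logic product. All sample data,
field names and retention periods below are constructed for illustration.
"""
import hashlib
import hmac
import json
import re

# Constructed sample log lines. Addresses and IPs are invented
# (RFC 5737 documentation ranges, example.com/example.org domains).
SAMPLE_LINES = [
    "app login user=alice@example.com src=203.0.113.7 result=ok",
    "app login user=bob@example.org src=198.51.100.23 result=fail",
    "audit admin=carol@example.com action=delete_account target=bob@example.org",
]

# Hypothetical retention policy in days, keyed by the log category that
# starts each line: operational data is kept briefly, audit data longer.
RETENTION_DAYS = {"app": 30, "audit": 365}
DEFAULT_RETENTION_DAYS = 30

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymize(value: str, key: bytes) -> str:
    """Return a keyed, deterministic pseudonym for a personal identifier.

    HMAC-SHA256 under a secret key: the same input always maps to the same
    token (so events can still be correlated), but the original value cannot
    be recovered without the key. Truncated to 16 hex characters for brevity.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseud_" + digest[:16]


def mask_ip(ip: str) -> str:
    """Mask the host part of an IPv4 address, keeping the /24 network prefix
    so that troubleshooting by network segment remains possible."""
    a, b, c, _ = ip.split(".")
    return f"{a}.{b}.{c}.0"


def process_line(line: str, key: bytes) -> dict:
    """Pseudonymize e-mail addresses, mask IPs, and attach a retention class."""
    category = line.split(" ", 1)[0]
    cleaned = EMAIL_RE.sub(lambda m: pseudonymize(m.group(0), key), line)
    cleaned = IPV4_RE.sub(lambda m: mask_ip(m.group(0)), cleaned)
    return {
        "category": category,
        "retention_days": RETENTION_DAYS.get(category, DEFAULT_RETENTION_DAYS),
        "message": cleaned,
    }


def process_lines(lines, key: bytes) -> list:
    """Apply process_line to every raw line, returning structured records."""
    return [process_line(line, key) for line in lines]


if __name__ == "__main__":
    # In practice the key would come from a secrets store, never from source.
    demo_key = b"constructed-demo-key-do-not-reuse"
    for record in process_lines(SAMPLE_LINES, demo_key):
        print(json.dumps(record))
```

Run as a script, the two occurrences of bob@example.org (a failed login and a later account deletion) map to the same pseudonym, which is what makes the audit trail usable without shipping the raw address; rotating the HMAC key breaks that linkage across rotation boundaries, so key lifetime is itself a retention decision.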
In our next blog, we will take a deeper look at the importance of central, unified log management capabilities that support our customers' multiple use cases and align with a modern approach and architecture for privacy and protection, threat detection and response, and the adoption of log and metrics management solutions for a cloud-first stack.
Want to Know More?
- Download the Sumo Logic GDPR Checklist
- Read about our latest research, and security and compliance platform updates
- Learn more about our GDPR and Privacy Dashboards and stay up-to-date on when we expect these resources to be GA.
- Check out the release announcing Sumo Logic’s GDPR Readiness score, awarded by Netskope.
- Read why GumGum selected Sumo Logic to support its massive AWS-hosted Deep-learning environment.
And don’t forget to register for Illuminate, Sumo Logic’s annual user conference, for hands-on training, certifications, technical sessions and real-world case studies from peers and partners and to learn how to get the most out of the Sumo Logic platform.