Tokern Bastion and GDPR / CCPA

GDPR or General Data Protection Regulation is a EU law on data protection and privacy. More recently, California passed its own privacy law, CCPA or the California Consumer Privacy Act. The CCPA law gives rights to consumers regarding how their personal information is collected, sold or shared by organizations. The rest of the article points to provisions in GDPR only for brevity.

by “GDPR & ePrivacy Regulations”dennis_convert is licensed under CC BY 2.0

Many of the requirements describe policies and procedures. However these policies have a serious effect on engineering and architecture of IT systems. This article describes how Tokern Bastion helps with the following provisions:

Security of Processing

Article 32 states:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,…”

The following features of Bastion ensure security of processing:

• Secure communication using TSL
• Login using any popular Single Sign On provider
• Support IAM login on AWS and GCP
• Support login using certificates

Data Protection by Default

Article 25 states:

“In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

By default teams do not have access production databases directly or through Bastion. Teams are given access after a requisition workflow that is logged. Moreover users can be assigned roles that provide access to a subset of the tables and columns (if supported by the underlying database).

The following features of Bastion ensure security of processing:

• Temporary access to data
• Roles and groups to limit access to specific tables and columns.

Logging, Intrusion Detection and Notification

Articles 33 and 34 state:

“The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.”

Bastion logs actions taken by all components such as login, authorization events and queries. Bastion integrates with all popular SIEM applications. By using Bastion and a SIEM system, intrusion detection and notifications can be added easily.

If these capabilities required at your company check out the project on Tokern Bastion GitHub

and connect with us through the chat widget in the bottom right corner.

Originally published at https://tokern.io.