Posted on

GDPR – Your User Database

European parliament buildings

Many companies have a website and a customer database. It is now essential that those of us who rely on consent to hold this data have the express permission of the individual concerned.

Personally Identifiable Information (PII)  includes business email addresses as they identify specific individuals.

To meet our obligations we need to have a clear opt in policy on our website and a database that we can use to audit access. Can you do these things today? If not, please contact Insperitas so that we can help.

Article 32 of GDPR clearly indicates a need to prove security of processing.

 

Please see the excerpt below taken at Feb 23rd 2018 12.25 UTC from:

 

 

Article 32

Security of processing

1.   Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a)

the pseudonymisation and encryption of personal data;

(b)

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c)

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d)

a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2.   In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3.   Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4.   The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

 

Posted on

welcome to insperitas

welcome to the insperitas unhackable website. 🙂

It isn’t the first unhackable site by any means and to get here I followed the advice of many who have been before me. I’ll get around to some credits another time.

This site is hosted on Amazon S3 but written in WordPress.

I wanted to host a static website  on S3 because S3 is quick and cheap. Quick is important if you don’t want to irritate your customers. Cheap is important always. One of the real benefits of embracing Cloud is that you should only pay for what you need. Static pages on S3 are also pretty secure and much more secure than native WordPress.

I chose to use WordPress because I am NOT a web designer. (I can point you in the direction of some excellent web designers if that’s what you are looking for.) As WordPress is ubiquitous and was used to build about 1/4 of all websites across the world I thought I might find plenty of good themes and lots of support. In the end I chose to use only the latest theme but published support has been very helpful.

So this is how my website works.

  1. Its hosted on S3
  2. I use Terraform to build an EC2 instance using a bitnami base build
  3. I auto – run scripts to download a backup of my site.
  4. At this point I have a running WordPress  instance that I can edit, add blogs etc. I usually compose offline in advance so that blog uploading is more of a copy and paste.
  5. Then , when I am done for the day,  I use httrack to take a copy of the updated site.
  6. I gzip the site
  7. I use S3cmd to upload the files to S3.
  8. I take a backup of the site and use S3cmd to copy that to S3 too.
  9. Then (and this is the important part) I destroy the virtual machine.

To many out there this will seem crazy and I agree, it’s not a way that many will want to emulate. But my goal is not to host a website, but to be able to illustrate:

  1. Good Cloud practice
  2. That static sites are ideal in many circumstances
  3. An entirely cattle based approach to CMS
  4. … and some other things I haven’t quite got round to yet.

So whats next? Well I will be adding some more blogs about Cloud Strategy and implementation over the next few weeks. That will keep me pretty busy.

The site is a little ugly and bare so it will need some improvements.

I will also be writing a Cloud 101 so if there are references in here that don’t make sense or you are a Cloud beginner, I will have something useful here in the near future.

In the future I hope to use to Lambda collect and display comments (you will notice that at this time you can’t comment. If you want to contact me you can now leave a message on our contact page.

Contact Page