Most companies struggled to meet the deadline for the General Data Protection Regulation (GDPR), which went into effect in May 2018. In fact, according to the latest research, up to 58% of companies still don’t meet GDPR standards.
In April 2018, just before the GDPR deadline, a SaaS company approached Logicworks with the challenge of assessing and remediating their IT infrastructure on Amazon Web Services (AWS) for GDPR compliance. Logicworks conducted a Well-Architected Review and a full GDPR Compliance Assessment and then rebuilt their AWS environment to GDPR and general security best practice standards.
The WAR + Compliance Assessment
With major product launches on the horizon, the SaaS company had little knowledge of GDPR and could not afford to proceed with further development until GDPR compliance was achieved. The first step in assessing the SaaS company’s AWS environment was to conduct a Well-Architected Review (WAR). This consists of a three-hour interview with a Logicworks engineer and Solutions Architect to discuss how the environment is managed today, current security practices, and application requirements. The SaaS company created an AWS Identity and Access Management (IAM) user for Logicworks engineers to get limited access to the company’s architecture, allowing the engineers to conduct a hands-on review.
After the WAR was completed, the SaaS company asked Logicworks to conduct a more detailed GDPR Compliance Assessment. Logicworks used specialized tooling to scan the environment for open and critical security threats and tagged them for remediation. A compliance remediation plan was presented to the company with the necessary steps for GDPR compliance and general security, including defining a DR strategy, using encryption-in-transit, enabling AWS CloudTrail monitoring, and restricting usage of root credentials.
Remediation of their AWS Environment
The SaaS company immediately saw the value of Logicworks’ experience in compliance. Rather than implement the required remediation tasks themselves, they engaged Logicworks to remediate their AWS environment to meet GDPR standards and Well-Architected standards. The remediation needed to be completed quickly as GDPR would go into effect in a few weeks.
Logicworks provided a full-time engineer to work with the SaaS company over a two-week period. During this time, the Logicworks engineer worked collaboratively with the company to identify the highest-priority items for remediation. The Logicworks engineer then not only implemented fixes, but also put in place automation and other checks to ensure an alert would be generated for the company’s internal teams if the system ever went out of compliance. Logicworks implemented both native AWS security tools and third-party IDS and log monitoring tools from Alert Logic. Logicworks also conducted extensive training with the company to ensure that operational best practices, such as incident response and DR planning, were also implemented.
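As an illustration of the kind of compliance check described above (an added example, not Logicworks’ or the SaaS company’s code), the script below scans CloudTrail records for two of the flagged items, root credential usage and calls that stop or alter trail logging, and returns the alerts an internal team would receive. The sample log file, account ID and IP addresses are constructed placeholders.

```python
import json

# Constructed sample of a delivered CloudTrail log file (not from the case study);
# the account ID and IP addresses are placeholders.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2018-05-02T10:01:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2018-05-02T10:02:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy"},
     "sourceIPAddress": "203.0.113.11"},
    {"eventTime": "2018-05-02T10:03:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"},
     "sourceIPAddress": "203.0.113.12"},
]})

# CloudTrail API calls that switch off or weaken the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def load_records(raw):
    """Parse the JSON body of a delivered CloudTrail log file into its Records list."""
    return json.loads(raw).get("Records", [])


def check_event(event):
    """Return the findings for one CloudTrail record; an empty list means it is clean."""
    findings = []
    identity = event.get("userIdentity", {})
    name = event.get("eventName", "?")
    # Root credentials should not be used for day-to-day work once IAM users exist.
    if identity.get("type") == "Root":
        findings.append(f"root credentials used for {name} from {event.get('sourceIPAddress')}")
    # Any change to trail logging is a compliance drift worth an immediate alert.
    if name in TRAIL_TAMPER_EVENTS:
        findings.append(f"trail logging changed via {name} by {identity.get('arn')}")
    return findings


def scan_log_file(raw):
    """Run check_event over every record and return (eventTime, finding) pairs to alert on."""
    alerts = []
    for event in load_records(raw):
        for finding in check_event(event):
            alerts.append((event.get("eventTime"), finding))
    return alerts


if __name__ == "__main__":
    for when, msg in scan_log_file(SAMPLE_LOG_FILE):
        print(when, msg)
```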
Logicworks successfully completed all critical remediation items. As a result, the company met current baseline GDPR and Well-Architected standards. The direct impact and outcome for the company was significant. By meeting GDPR standards, the company is now in a position for extensive growth and higher revenue generation with enterprise accounts. They’ve also mitigated the risk of incurring penalties and fines by addressing the flagged security components. By using the tools of AWS and working with a trusted partner, the company is now positioned for a successful 2020 and beyond.