GDPR for Cloud Service Providers

by Mike Ricotta - February 18, 2019

Learn about GDPR for cloud service providers and the challenges it can pose…

The fundamentals of server management usually come down to matters of the server or the network. Domains, public and private network IP’s, firewall management, subnets, transfer protocols, and the like, typically fall into network engineering. On the other hand, server administration includes your web server’s underlying kernel, virtual memory, httpd service and virtual hosts.  He or she will also address server-side coding services, databases, mail services, website files, logs, and so forth.  Much like any other server or computer, your virtual instance is typically packaged as a virtual CPU, RAM, GPU, and dedicated volumes (think disk space).

All of the above items that your server administrator manages reside on a volume.  This means that volume management is not only an important job but accessing the volume is a critical and regularly performed action. Depending upon your kernel (ie. Ubuntu vs Windows), you may access this through a variety of methods (ie. SSH, SFTP, FTP, RDP/RCP).  Imagine our surprise when we found out that cloud support services like the AWS Business Support model does not permit its staff to access volumes, at all!

The Situation: GDPR for Cloud Service Providers

On 2/17/19, we encountered a problem with a corrupted EBS volume attached to a client’s instance.  This instance has 4 volumes and one of these hit maximum capacity, despite our freeing up 10% of space, just 1 day prior.  After scaling the volume up 2x through the AWS Console, the file-system continued to report the old volume capacity.  When we restarted the server, we ended up with 3 healthy volumes but 1 volume was truncated down to 4%, a near-total data loss.  This wasn’t the first time we experienced this, either.  Back in June, we experienced a near-total data loss on another volume operating around 10% prior to the reboot.  These things happen… After all, that is why we offer support, so we took immediate action.

While we make a regular practice of taking nightly full snapshots of client instances, restoring differential data since the last backup is always important.  We also make sure to understand the cause of failures.  As such, we chose to submit a support request to AWS using our customer’s paid business plan, which we are authorized to use.  Imagine our surprise when they replied with the following:

I am very sorry, especially given the circumstances, but due to security and privacy AWS Engineers have no way to access the data stored on the volumes, or to access your environment.
https://aws.amazon.com/compliance/shared-responsibility-model/

Without access to the environment, there is very little that AWS can really do for you outside of providing general knowledge.  Given Amazon’s tryst with data privacy violations, it’s a curious response to say the least but it makes perfect sense for their model.  Nonetheless, it begs the question as to who AWS’s $100/mo service aims to target.

How Privacy Impacts Economy Hosting

Having reviewed their shared responsibility model, AWS’s non-enterprise services are intended to support you in the most hands-off way imaginable.  To their credit, it’s priced that way.  After-all, in order to charge a price that low, AWS and its larger competitors often employ low-cost overseas resources.  Those resources perform their jobs on unregulated environments, personally managed computers, and over unsecured networks.  In many cases, these are controlled by foreign government information regulations that all post a risk to your system.  That’s not to say that some of their engineers aren’t wholly qualified and properly secured US-based employees.  Surely those resources are better suited for AWS’s $15k enterprise SLA, though.  For some people, this $100/mo SLA is a worth-while expense.  For your average business, however, this is definitely not what is expected. In the age of GDPR, cloud support is a touchy subject for hands-on resources, though.

As a developer, I’ve found comfort in the idea of having an inexpensive backup option in Amazon’s support staff.  Unfortunately, the limited knowledge and effectiveness of their staff means their usability is rare and isolated to cases where our resources are limited.  As a value comparison of $3600 for 3 years of services, I can point to 1 instance over 3 years where their services were helpful in walking-through resolution of a 30-minute production impairment.  Even in that case, AWS’s support staff required us to access the server and follow steps on their behalf.  Depending upon your sales volume, this might be worth it but only as a supplemental cost to a contractor.

How To Service Your Web-Server

With data privacy finally coming to the forefront of public discourse (i.e. GDPR for cloud service providers), regulations make it harder for service providers to provide hands-on assistance.  This impacts businesses looking to supplement the cost of salaries to support their online presence.  Fortunately, independent contractor services can offer a lower-cost, as-needed, option for business owners and managers to engage in support, oftentimes covered within your boilerplate TOC and privacy statements.  Unlike larger corporations like Microsoft, Amazon, and IBM, contractors’ internal systems are typically structured to adhere to regulatory compliance rules and their hiring practices ensure that their resources are properly vetted and accessing your servers over secure networks.

For more information on exactly what you’re getting with AWS’s support packages, see their website at https://aws.amazon.com/premiumsupport/plans/

We also recommend perusing our site for service offerings of our own.  We would love to answer your questions about our services or any competitor services we may need to adapt to.

Learn more about Arcane cloud support services now.

« How to Create a Digital Marketing Strategy (Pt. 2)

CRO (Conversion Rate Optimization) Strategy »