The General Data Protection Regulation (GDPR) is one of the most widespread compliance protocols in the world. Adopted in April 2016 by the EU (European Union) Parliament, it affects any company that interacts with EU citizens or organizations. Due to this, achieving GDPR compliance is a big part of many IT admins’ to-do lists. In particular, GDPR Article 32 compliance is a critical facet of today’s IT organizations.
What is GDPR Article 32?
Article 32 of the EU GDPR is designed to cover the security of processing user information, the first part of which reads as follows:
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Coalfire Systems’ Take on GDPR Article 32 Compliance
Coalfire Systems is a leading auditor who are experts in GDPR compliance. In their whitepaper (linked below), Coalfire explored GDPR Article 32 Compliance, specifically in regards to JumpCloud® Directory-as-a-Service®. JumpCloud Directory-as-a-Service is a cloud-based directory service that provides hyper-secure IAM to an organization, regardless of platform, protocol, provider, or location. Coalfire put JumpCloud Directory-as-a-Service through the rigors of how an organization could leverage it for GDPR compliance, with a focus on creating—and subsequently maintaining—secure and confidential systems.
Coalfire created two scenarios to demonstrate the value of the JumpCloud platform with respect to GDPR. The first scenario involved using JumpCloud password enforcement and MFA features to create a strong, virtually unhackable identity. The second scenario presupposed an identity compromise via phishing. Coalfire tested JumpCloud Directory-as-a-Service’s capabilities with least privilege access, SSH key management, and MFA to “thwart” the compromise.
Coalfire found that, in both cases, the JumpCloud platform supported compliance per GDPR Article 32 “…when implemented following industry best practices and guidance provided by JumpCloud…”. They noted that JumpCloud does not store sensitive user data locally, and only transmits passwords via the secure TLS v1.2 protocol. Coalfire also determined that the JumpCloud Agent can integrate into all three major operating systems (Windows®, macOS®, Linux®) in a secure fashion, and is unable to be deleted by end users.
To learn more about Coalfire, JumpCloud, and GDPR Article 32 compliance, be sure to read Coalfire’s whitepaper. You can also contact our support team. If you need help achieving GDPR Article 32 compliance, try JumpCloud today. Your first ten users are free forever.