Serverless: Privacy regulation

Serverless - Beyond the buzzword is a book about Serverless aiming to give you all the information you need to make informed business decisions. This is part of a series of articles summarising some of the topics from the book.
More information about Serverless - Beyond the buzzword can be found here:

You can also watch the video version of this here:

The topic of privacy has received a lot of attention over the last couple of years and rightfully so. There has been a lot of abuse of personal data and a lot of data breaches. Governments around the world have tightened restrictions and regulation around all kinds of sensitive data such as personal, financial and medical information. One of the most talked-about and stringent regulations is the GDPR; this is the privacy regulation in the European Union. If you aim to make your solution comply with GDPR, then it is probably going to satisfy regulations in every country. This makes GDPR a good target to strive for in terms of privacy.

Privacy regulation generally sets out rules around what data you collect, why you are collecting it, how you are storing it, and what you are doing with it. You need to make best efforts to protect the data with strong encryption, authentication and logging capabilities in place. Users need to be given access to their data, and you need to delete their data within a reasonable amount of time if they request it. Data breaches also need to be reported and acted upon within a reasonable amount of time. These are all things that need to be considered when developing an application to meet privacy regulations.

The cloud and Serverless have some benefits when it comes to meeting privacy regulations. The ability of microservices and managed services to very tightly meet the Principle of Least privilege means much more fine-grained controls and far fewer access points to sensitive data within your application. Being able to only have a single microservice that can access a sensitive database instead of the entire application makes it easier to monitor and audit any access to the data.

Some of the managed services that cloud providers offer have some amazing security features to protect sensitive data, and many of them have achieved the highest possible cybersecurity certification to prove it. One of my favourite services for managing user accounts is Amazon Cognito, where you can store user logins as well as some personal data keeping all the GDPR-data in one place. As this is a fully managed service and highly abstracted - it could be considered Software-as-a-Service, the provider takes on a lot of the responsibility and makes some guarantees about the security. This does come with limitations so that they can make those guarantees such as it is impossible to export the passwords of users. Cognito is billed based on the number of active users in a given month, so it is considered truly Serverless - you are not paying for inactive/idle users.

Encryption is pretty much ubiquitous in the cloud, every service has encryption capability, and for many of them, it is enabled by default. Encryption used to be costly and cause a lot of processing delays, but that is no longer the case. For most usecases, encryption in the cloud is free, and typically there is no noticeable delay caused by enabling it.

With Serverless, you will be using many of the fully managed services, so it is important to understand for each of them how they are treating data. For example, some of the managed AI services may collect data to improve the service. Depending on the data you are sending to these services, this could be an issue with local privacy regulations. Cloud providers will provide a means to opt-out of such data sharing for services, so make sure to be aware of this for the services you are using to avoid any privacy conflict.

To go deeper on this topic and to read many more related topics about Serverless Architecture please buy the book Serverless - Beyond the buzzword here:

Serverless - Beyond the buzzword. The book about the strategic impact of Serverless architecture