Automating GDPR Compliance: A DevOps Approach to Security Standards in 2018

It has been roughly three months since May 25th, 2018. The GDPR panic has theoretically subsided. Yet, in boardrooms across Oslo and Bergen, the reality is setting in: compliance wasn't a one-time deadline. It is a permanent operational state.

As a Systems Architect, I see a dangerous pattern. Companies spent millions on legal consultants to draft privacy policies, but their server infrastructure remains manually managed. If you are logging into servers via SSH to manually edit /etc/ssh/sshd_config, you are already non-compliant. Human error is the enemy of security.

Today, we are moving beyond the legal theory and into the terminal. We will build a compliance pipeline using Ansible for enforcement and OpenSCAP for auditing, ensuring your Linux infrastructure meets the rigorous standards demanded by Datatilsynet (The Norwegian Data Protection Authority).

The Problem: Configuration Drift

You harden a server on Monday. It is secure. On Wednesday, a junior developer temporarily opens port 21 for "testing" and forgets to close it. By Friday, you are vulnerable. This is configuration drift.

In a recent audit for a FinTech client in Stavanger, we found 40% of their production nodes had drifted from their security baseline within six months of deployment. They relied on "Gold Images" but lacked a mechanism to enforce state after deployment.

To fix this, we stop treating servers like pets. We treat them like cattle, and we use code to enforce their behavior.

Step 1: Enforcement via Ansible

We use Ansible because it is agentless. You don't need to install extra software on your CoolVDS instances that could introduce new attack vectors. Here is a practical playbook snippet that enforces SSH hardening standards compatible with CIS Benchmarks (Center for Internet Security).

This playbook does three things:

  1. Disables Root Login (Critical for brute force protection).
  2. Disables Password Authentication (Keys only).
  3. Ensures the SSH protocol is strictly version 2.

---
# Enforce the three CIS-aligned SSH settings. Every edit is checked with
# 'sshd -t' against a temporary copy before the real file is written, and
# each task notifies the handler so the daemon is restarted on any change.
- hosts: secure_nodes
  become: yes
  tasks:
    - name: Ensure SSH Protocol is set to 2
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Protocol'
        line: 'Protocol 2'
        state: present
        # if the directive is absent, insert at the top so it never lands inside a trailing Match block
        insertbefore: BOF
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart SSH

    - name: Disable Root Login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        insertbefore: BOF
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart SSH

    - name: Disable Password Authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
        state: present
        insertbefore: BOF
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart SSH

  handlers:
    # runs once at the end of the play, however many tasks changed the file
    - name: Restart SSH
      service:
        name: sshd
        state: restarted

Pro Tip: Always use the validate parameter in Ansible when editing configuration files. lineinfile writes the change to a temporary copy first and runs the validate command against it (the %s is the temporary path); if sshd -t rejects the syntax, the real sshd_config is never touched and the service is never restarted, which prevents you from locking yourself out of your server.

Step 2: Verification via OpenSCAP

Trusting your Ansible playbooks is good; verifying their result independently is what compliance requires. OpenSCAP (the open-source implementation of SCAP, the Security Content Automation Protocol) is the industry standard for verifying system security configuration.

On a CentOS 7 or RHEL 7 system (common OS choices on CoolVDS), you can install the scanner and the security guides easily:

yum install openscap-scanner scap-security-guide -y

Once installed, you can run a scan against a specific profile. For high-security environments handling personal data, we often use the PCI-DSS profile as a baseline for GDPR technical measures.

oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_pci-dss \
  --results /var/www/html/scan-results.xml \
  --report /var/www/html/scan-report.html \
  /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

This command generates an HTML report showing exactly where you pass and where you fail, and an XML results file you can parse programmatically. Note that /var/www/html is a web document root: a report listing every failed check must never be publicly readable, so keep these files out of any served directory or restrict access to them. If you run this via a cron job every night, you satisfy the GDPR requirement for "regular testing, assessing and evaluating the effectiveness of technical measures" (Article 32).

The Infrastructure Factor: KVM vs. Containers

Automation solves the software layer, but we must discuss the kernel. In 2018, containerization (Docker) is exploding. However, for strict multi-tenant isolation, containers share the host kernel. If a kernel exploit is discovered, isolation can be broken.

This is why CoolVDS utilizes KVM (Kernel-based Virtual Machine) virtualization. Unlike OpenVZ or pure containers, KVM provides hardware-level virtualization. Your kernel is your kernel. This isolation is critical when demonstrating data segregation to auditors.

Data Sovereignty & Latency

Furthermore, location matters. Under current EU regulations and the uncertainty surrounding the US Privacy Shield, keeping data within the EEA (European Economic Area) is the safest legal strategy. Hosting in Norway offers distinct advantages:

  • Legal: Outside of US Patriot Act jurisdiction.
  • Latency: If your customer base is Norwegian, routing traffic through Frankfurt or Amsterdam adds unnecessary milliseconds. CoolVDS infrastructure in Oslo ensures 1-3ms latency to local ISPs.

Putting It All Together: The Audit Script

Here is a bash script you can deploy to your server's /etc/cron.weekly/ directory (make it executable). It updates the system, runs an OpenSCAP scan, and sends an alert when the number of failed rules exceeds a threshold. This assumes you have a mail utility configured.

#!/bin/bash
# Weekly audit: update packages, run OpenSCAP, alert when failures exceed the threshold.

# Date format for report
DATE=$(date +%F)
RESULTS="/var/log/security-audit-$DATE.xml"
REPORT="/var/log/security-audit-$DATE.html"
ALERT_TO="admin@yourcompany.no"
THRESHOLD=0   # number of failed rules tolerated before an alert is sent

# Bring the system up to date before measuring it
yum -y -q update

# Run SCAP Scan. The XML results file is what we parse; the HTML report is for humans.
# oscap exits 0 when every rule passes, 2 when at least one rule fails, 1 on error.
/usr/bin/oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_common \
  --results "$RESULTS" \
  --report "$REPORT" \
  /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
if [ $? -eq 1 ] || [ ! -s "$RESULTS" ]; then
    echo "Security Audit could not run on $(hostname); no results in $RESULTS" | mail -s "Security Alert: $(hostname)" "$ALERT_TO"
    exit 1
fi

# Count failed rules: each failing rule-result in the XCCDF results carries <result>fail</result>
FAILURES=$(grep -c "<result>fail</result>" "$RESULTS")

if [ "$FAILURES" -gt "$THRESHOLD" ]; then
    echo "Security Audit Failed: $FAILURES issues found. Check $REPORT" | mail -s "Security Alert: $(hostname)" "$ALERT_TO"
else
    logger "Weekly Security Audit Passed ($FAILURES failed rules)"
fi
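Counting every failure the way the cron script does treats a missing idle timeout the same as an empty-password login. The following added example (not from the original article or from OpenSCAP) parses the XCCDF results file written by oscap's --results option, separates failures by the severity attribute scap-security-guide assigns to each rule, and applies a two-part policy: any high-severity failure fails the audit, otherwise the score must reach a minimum. The embedded results document is a constructed sample; the rule ids only follow the SSG naming convention.

```python
import xml.etree.ElementTree as ET

# Namespace oscap uses in its --results files (XCCDF 1.2)
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed excerpt of an oscap results file, not real scan output;
# rule ids follow the scap-security-guide naming convention.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_sample" start-time="2018-08-26T02:00:00">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium" weight="1.0">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" severity="high" weight="1.0">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" severity="low" weight="1.0">
      <result>fail</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666667</score>
  </TestResult>
</Benchmark>
"""

def summarize(results_xml):
    """Return the score, its maximum and the (rule id, severity) pairs that failed."""
    root = ET.fromstring(results_xml)
    test_result = root.find("x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element: the scan did not complete")
    failed = []
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        # pass, notapplicable, notselected and informational are not failures
        if rr.findtext("x:result", default="", namespaces=XCCDF_NS) == "fail":
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    score_el = test_result.find("x:score", XCCDF_NS)
    score = float(score_el.text) if score_el is not None else 0.0
    maximum = float(score_el.get("maximum", "100")) if score_el is not None else 100.0
    return {"score": score, "maximum": maximum, "failed": failed}

def audit_passes(summary, min_score=90.0, blocking=("high",)):
    """One blocking-severity failure fails the audit; otherwise the score decides."""
    if any(sev in blocking for _, sev in summary["failed"]):
        return False
    return summary["score"] >= min_score
```

Point summarize() at the file named by --results and feed the outcome to the same mail/logger branch the cron script uses.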

Conclusion

GDPR is not about perfect security; it is about due diligence. By combining Ansible for consistent configuration and OpenSCAP for verified auditing, you create a paper trail that proves you are taking data protection seriously.

However, your software stack is only as reliable as the metal it runs on. You need predictable I/O for database encryption and strict isolation for compliance.

Don't risk your compliance on shared kernels or overseas hosting. Deploy a compliant-ready, KVM-based instance in Oslo with CoolVDS today.