The "Schrems II" Hangover is Real
It has been nearly two years since the CJEU struck down the Privacy Shield, yet I still see CTOs in Oslo sweating whenever Datatilsynet (The Norwegian Data Protection Authority) is mentioned. The reality of 2022 is harsh: if you are moving personal data across borders without airtight Standard Contractual Clauses (SCCs) and supplementary measures, you are exposed. But the bigger problem isn't legal—it's operational.
Most teams I consult with treat security compliance as a quarterly panic. They freeze deployments, run manual scripts, fill out Excel sheets, and pray. Two days later, configuration drift sets in. A junior dev opens port 22 to the world for testing, and your compliance report becomes a lie.
Compliance must be code. If it isn't automated, it doesn't exist. In this guide, we are going to build a continuous compliance loop using tools available right now on a standard CoolVDS Ubuntu 20.04 LTS instance.
The Architecture of Continuous Compliance
Forget the PDF checklists. We need a system that enforces state and validates it automatically. We will use Ansible for enforcement (applying the rules) and OpenSCAP for validation (proving the rules are applied).
Pro Tip: Never rely on the hypervisor alone for security. While CoolVDS uses strict KVM isolation to prevent "noisy neighbor" side-channel attacks, the guest OS is your responsibility. A secured vault with the door left open is just a room.
Step 1: Enforcement with Ansible
First, we define our "desired state." We aren't just installing packages; we are hardening the kernel and network stack. Here is a battle-tested Ansible snippet that aligns with CIS Benchmarks for SSH configuration. This ensures no one—not even you—can log in with a weak password.
- name: Secure SSH Configuration
hosts: all
become: yes
tasks:
- name: Disable Password Authentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PasswordAuthentication'
line: 'PasswordAuthentication no'
validate: '/usr/sbin/sshd -t -f %s'
- name: Disable Root Login
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PermitRootLogin'
line: 'PermitRootLogin no'
validate: '/usr/sbin/sshd -t -f %s'
- name: Set Idle Timeout Interval
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?ClientAliveInterval'
line: 'ClientAliveInterval 300'
validate: '/usr/sbin/sshd -t -f %s'
notify: Restart SSH
handlers:
- name: Restart SSH
service:
name: sshd
state: restartedThis playbook does three critical things:
- Kills Password Auth: Keys only. Brute force attacks on CoolVDS instances drop to zero efficacy immediately.
- Bans Root Login: Forces accountability. Users must login as themselves and escalate privileges via
sudo. - Sets Timeouts: Prevents dead sessions from becoming hijack targets.
Step 2: Validation with OpenSCAP
Applying the config is half the battle. Proving it to an auditor is the other half. OpenSCAP (SCAP - Security Content Automation Protocol) allows us to scan the system against a standard profile (like CIS or PCI-DSS).
Install the necessary tools on your server:
sudo apt-get update && sudo apt-get install libopenscap8 scap-security-guide -y
Now, let's run a scan against the standard SSG (SCAP Security Guide) profile for Ubuntu 20.04. This generates an HTML report you can literally hand to your compliance officer.
oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_cis_level2_server \
--results scan-results.xml \
--report scan-report.html \
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xmlThe cis_level2_server profile is aggressive. It will flag things you didn't even know were risks, like /tmp partition mounting options or obscure kernel parameters.
Automating the Feedback Loop
Running this manually is still too slow. We need to integrate this into a CI/CD pipeline or a nightly cron job. If a check fails, the infrastructure is "tainted."
Here is a bash wrapper script that runs the scan and alerts via a webhook (e.g., to Slack or Microsoft Teams) if the score drops below 90%.
#!/bin/bash
PROFILE="xccdf_org.ssgproject.content_profile_cis_level2_server"
CONTENT="/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml"
REPORT="/var/www/html/compliance/$(date +%F).html"
THRESHOLD=90
# Run the scan
oscap xccdf eval --profile $PROFILE --report $REPORT $CONTENT
# Parse the score (dirty grep method for simplicity)
SCORE=$(grep -oP '(?<=score system=\"urn:xccdf:scoring:default\">)[^<]+' $REPORT | cut -d. -f1)
if [ "$SCORE" -lt "$THRESHOLD" ]; then
curl -X POST -H 'Content-type: application/json' \
--data "{\"text\":\"CRITICAL: Compliance score dropped to ${SCORE}%. Check report at https://your-coolvds-ip/compliance/\"}" \
https://hooks.slack.com/services/T000/B000/XXXX
fiData Sovereignty and the Infrastructure Layer
Automation handles the software, but physical location handles the law. Under GDPR and the Norwegian Personal Data Act (Personopplysningsloven), knowing exactly where your bits live is non-negotiable.
This is where the choice of provider becomes a compliance artifact itself. When you deploy on CoolVDS:
- Jurisdiction: Your data sits in Oslo. It doesn't transit through Frankfurt or replicate to Virginia unless you tell it to.
- Latency: You aren't just compliant; you are fast. Pinging NIX (Norwegian Internet Exchange) from our data center takes roughly 1-2ms.
- Isolation: We use KVM (Kernel-based Virtual Machine). Unlike container-based VPS solutions where you share a kernel with 500 other strangers, KVM provides hardware-level virtualization. This is critical for preventing container breakout attacks.
Performance vs. Encryption
A common objection to full-disk encryption (required for strict compliance) is the I/O penalty. "It slows down my database."
In 2015, that was true. In 2022, with the AES-NI instruction set and high-performance NVMe drives standard on CoolVDS, the overhead is negligible. We are talking about less than 3% CPU overhead for AES-256-XTS encryption.
| Storage Type | Unencrypted Read (MB/s) | LUKS Encrypted Read (MB/s) | Impact |
|---|---|---|---|
| Standard SATA SSD | 540 | 510 | Noticeable |
| CoolVDS NVMe | 3200 | 3150 | Negligible |
Conclusion
Security compliance isn't a badge you buy; it's a state you maintain. By combining Ansible for enforcing configuration and OpenSCAP for verifying it, you turn a legal headache into a simple engineering problem. And by hosting on Norwegian soil with CoolVDS, you solve the data sovereignty puzzle by default.
Don't wait for the audit letter to start hardening your systems. Spin up a secure, NVMe-backed instance in Oslo today.