Compliance as Code: Automating GDPR & Security Audits in the Norwegian Cloud
It is December 2019. If you are a CTO operating in the EEA, the last 18 months have been a relentless march of compliance checklists. Since the GDPR (Personopplysningsloven) came into full effect, the fear isn't just about a breach; it's about the paperwork that follows.
I recently audited a setup for a FinTech client in Oslo. They were running a patchwork of manual scripts on scattered cloud instances. When I asked for their access logs for the past 90 days to verify data sovereignty, they handed me a CSV file exported from a third-party US-based SaaS. That is a ticking time bomb.
Reliance on manual hardening and external "black box" logging is no longer sufficient. With the looming uncertainty surrounding the EU-US Privacy Shield (and Max Schrems' ongoing legal challenges), the only safe harbor for Norwegian businesses is total control over their data and infrastructure. You need to own the stack, from the kernel up.
This is where Compliance as Code shifts from a buzzword to a survival strategy. We don't configure servers by hand anymore. We define policy in code, apply it via automation, and let the infrastructure prove its own innocence.
The Foundation: CIS Benchmarks & Ansible
The Center for Internet Security (CIS) provides the gold standard for server hardening. In 2019, trying to manually apply the 200+ checks in the CIS benchmark for CentOS 7 or Ubuntu 18.04 is madness. You will miss something. A junior admin will enable password authentication for 'just a quick test' and forget to turn it off.
Instead, we use Ansible. By defining the state of our CoolVDS instances in YAML, we ensure that every new node spun up is compliant by default. Here is how we enforce SSH hardening across our fleet to meet strict access control requirements:
# roles/security/tasks/sshd.yml
- name: Ensure SSH Protocol is set to 2
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^Protocol'
line: 'Protocol 2'
state: present
notify: restart sshd
- name: Disable Root Login
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin no'
state: present
notify: restart sshd
- name: Disable Password Authentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PasswordAuthentication'
line: 'PasswordAuthentication no'
state: present
notify: restart sshd
This isn't just configuration; it's documentation. When an auditor asks, "How do you prevent unauthorized root access?", you don't show them a screenshot. You show them the Git commit history of this playbook.
Automated Auditing with auditd
Prevention is half the battle. Detection is the other half. Under GDPR Article 33, you have 72 hours to report a breach. If you don't have granular logs, you won't even know you've been breached until it's too late.
On our CoolVDS NVMe instances, we recommend configuring the Linux Audit Daemon (`auditd`) to watch critical files. This generates an immutable trail of who touched what. Writing these rules manually is tedious, so we template them.
Here is a robust configuration snippet to monitor unauthorized changes to the `/etc/passwd` file, a common target for privilege escalation attacks:
# /etc/audit/rules.d/audit.rules
# Delete all existing rules
-D
# Buffer Size
-b 8192
# Failure Mode (2=panic, 1=printk, 0=silent)
-f 1
# Monitor /etc/passwd for write/attribute changes
-w /etc/passwd -p wa -k identity_changes
-w /etc/group -p wa -k identity_changes
-w /etc/shadow -p wa -k identity_changes
-w /etc/sudoers -p wa -k sudo_actions
# Lock the configuration
-e 2
Pro Tip: High-performance I/O is critical here. Turning on aggressive auditing can generate gigabytes of logs per day. On standard spinning rust (HDD) VPS, this can cause I/O wait times to spike, slowing down your application. This is why we standardize on NVMe storage at CoolVDS. The high IOPS capability handles the write intensity of detailed audit logs without impacting your database performance.
Data Sovereignty: The "Oslo" Factor
Technical compliance is useless if the legal foundation is shaky. Many developers assume that using a "Region: EU-West" on a US hyperscaler is enough. It often isn't. The US CLOUD Act (enacted 2018) allows US law enforcement to demand data from US companies regardless of where that data is physically stored.
For Norwegian entities handling sensitive data (health, finance, insurance), the safest path is utilizing a provider rooted in local jurisdiction. Hosting on a VPS in Norway ensures that your data falls primarily under Norwegian law and GDPR, reducing the exposure to foreign subpoenas.
Example: Enforcing Geofencing at the Web Server
If your service is strictly for the Nordic market, why accept traffic from non-relevant geo-locations? While not a hard requirement, reducing the attack surface is a key part of "Data Protection by Design and by Default" (GDPR Art. 25). Here is a snippet for Nginx (using the GeoIP2 module, which became the standard after the legacy GeoIP database was discontinued earlier this year):
# /etc/nginx/nginx.conf
http {
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
$geoip2_data_country_iso_code country iso_code;
}
map $geoip2_data_country_iso_code $allowed_country {
default no;
NO yes; # Norway
SE yes; # Sweden
DK yes; # Denmark
}
server {
listen 443 ssl http2;
server_name internal.coolvds.com;
if ($allowed_country = no) {
return 444; # Connection closed without response
}
# ... SSL certificates and config ...
}
}
Testing Compliance: OpenSCAP
You have hardened the server and locked down the network. How do you prove it? In 2019, OpenSCAP is the tool of choice for automated vulnerability scanning against XCCDF standards.
You can run a scan directly on your CoolVDS instance to verify it meets the "Standard System Security Profile":
yum install -y openscap-scanner scap-security-guide
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard \
--results scan-results.xml \
--report scan-report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The resulting HTML report will show you exactly where you pass and fail. We often see clients fail on "Partitioning". They deploy everything on a single root partition (`/`). For strict compliance, directories like `/tmp`, `/var`, and `/home` should be on separate partitions with nodev, nosuid, and noexec flags where appropriate.
The Total Cost of Ownership (TCO) Reality
Automating compliance reduces TCO. The initial investment in writing Ansible playbooks and configuring `auditd` pays off the moment an auditor steps through the door. But your infrastructure provider plays a massive role here.
If you are using a cheap, oversold VPS, your automated scans will take hours, and your encrypted backups will crawl. Compliance requires CPU cycles (for encryption) and disk I/O (for logging).
At CoolVDS, we don't play the "noisy neighbor" game. Our KVM-based virtualization ensures true resource isolation. When you run an OpenSCAP scan, it finishes fast because you aren't fighting 50 other users for the same CPU core.
Security isn't a product; it's a process. But that process runs faster on better hardware. If you need to lock down your data before the 2020 fiscal year begins, start with a solid foundation.
Ready to build a compliant fortress? Deploy a high-performance, Norway-based instance on CoolVDS today and get your root access in under 60 seconds.