GDPR Countdown: Automating Security Compliance on Norwegian Infrastructure
The calendar reads March 2018. We are exactly two months away from May 25th—the day the General Data Protection Regulation (GDPR) enforcement begins. If you are a CTO or Lead Sysadmin operating in Europe, you aren't sleeping much. The days of relying on an Excel spreadsheet to track server hardening are over. If a Datatilsynet (Norwegian Data Protection Authority) audit hits, "I thought I closed that port" won't save you from fines scaling up to 20 million Euro.
I recently audited a client's infrastructure—a generic setup on a major US cloud provider. They claimed compliance. A simple Nmap scan revealed Port 27017 (MongoDB) open to the world on a staging server containing production user data. The developer had spun it up for "quick testing" and forgot about it. Manual processes fail because humans are terrible at repetition. The only way to survive the regulatory shift in 2018 is to treat compliance as code.
This guide details how to automate your server hardening using Ansible and OpenSCAP, specifically tailored for environments where data sovereignty is critical, such as deploying on CoolVDS infrastructure within Norway.
The Foundation: Why KVM Matters for Compliance
Before writing a single line of automation code, look at the metal. In the current VPS market, OpenVZ (container-based virtualization) is still common because it's cheap for providers. It is a security nightmare for compliance.
In a containerized VPS environment, you share the kernel with every other customer on the node. A kernel panic triggered by a neighbor brings you down. Worse, a kernel exploit (like the recent Dirty COW vulnerability) could theoretically allow a container escape.
Pro Tip: For GDPR compliance, always insist on KVM (Kernel-based Virtual Machine) virtualization. It provides true hardware virtualization. CoolVDS uses KVM exclusively, ensuring your memory and kernel space are strictly isolated from other tenants. You cannot automate security if your isolation layer is porous.
Step 1: Automating the Baseline with Ansible
We don't configure servers manually anymore. We define a state. Below is a practical Ansible playbook snippet that enforces a hardened SSH configuration. This goes beyond the basics; we are explicitly disabling weak authentication methods that are common vectors for brute-force attacks.
```yaml
---
- hosts: norway_production
  become: yes
  tasks:
    # Every task notifies the handler, so any change to sshd_config restarts sshd
    # (the original snippet only restarted on the PasswordAuthentication change).
    # 'validate' runs sshd's config test on the candidate file and aborts the edit
    # if it does not parse, which keeps a typo from locking you out of the host.
    - name: Ensure SSH Protocol 2 only
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Protocol'
        line: 'Protocol 2'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    - name: Disable Root Login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    - name: Disable Password Authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    - name: Limit SSH Users
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^AllowUsers'
        line: 'AllowUsers deploy_master sysadmin'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
```
Running this against a fresh CoolVDS CentOS 7 instance ensures that 55 seconds after deployment, the server is already more secure than 90% of the internet. There is no window of opportunity for attackers.
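As an added check (example code written for this article, not part of the playbook or of any project), the script below reads an sshd_config the way sshd does and reports which of the four settings above are not actually in effect. It assumes keyword order and `Match` blocks are what decide the effective value, which is how sshd resolves them; on a live host, `sshd -T` gives the same answer from the daemon itself.

```python
"""Audit the sshd_config values the playbook above is meant to enforce.

Added example, not the article's own code. sshd uses the FIRST occurrence of
a keyword, and lines below a 'Match' block apply only to that block, so a task
that appends to the end of the file can silently leave the global value as is.
"""
import re

# Values enforced by the playbook (AllowUsers is compared as a set of names).
REQUIRED = {"protocol": "2", "permitrootlogin": "no",
            "passwordauthentication": "no", "allowusers": "deploy_master sysadmin"}

def effective_global_settings(config_text):
    """Return {keyword: value} for the global section, as sshd would read it."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break  # everything below is conditional, not global
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective

def audit(config_text):
    """Return (keyword, expected, effective) for each setting that is not enforced."""
    actual = effective_global_settings(config_text)
    findings = []
    for key, expected in REQUIRED.items():
        got = actual.get(key)
        if key == "allowusers":
            ok = got is not None and set(got.split()) == set(expected.split())
        else:
            ok = got is not None and got.lower() == expected.lower()
        if not ok:
            findings.append((key, expected, got))
    return findings

# Constructed sample: the last two hardening lines were appended after a Match block.
DRIFTED_CONFIG = """\
Protocol 2
PasswordAuthentication yes
Match User backup
PermitRootLogin no
AllowUsers deploy_master sysadmin
"""

print(audit(DRIFTED_CONFIG))  # three findings: root login, password auth, AllowUsers
```

Run it against `/etc/ssh/sshd_config` from a cron job or a post-deploy step; a non-empty result means the playbook ran but the daemon is not enforcing what you think it is.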
Step 2: Continuous Auditing with OpenSCAP
Hardening is not a one-time event; it is a continuous state. Configuration drift occurs when a developer temporarily changes a setting to debug an issue and forgets to revert it. To catch this, we use the Security Content Automation Protocol (SCAP) through its open-source implementation, OpenSCAP.
OpenSCAP allows us to scan our servers against standard profiles, such as PCI-DSS or the CIS (Center for Internet Security) Benchmarks. In 2018, this is the gold standard for proving due diligence to auditors.
Installing and Running a Scan on CentOS 7
```bash
# Install the scanner and the security guides
yum install -y openscap-scanner scap-security-guide

# Run a scan against the Standard System Security Profile.
# --results writes machine-readable XCCDF XML; --report writes the HTML for humans.
# Keep both outside any directory the web server serves: they list every failing
# rule on the host. oscap exits 0 only when every rule passes and 2 when rules fail,
# so a wrapper script can use the exit code directly.
mkdir -p /root/scap-reports
oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_standard \
    --results /root/scap-reports/secure-results.xml \
    --report /root/scap-reports/secure-report.html \
    /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
```
If you run this on a standard, unoptimized VPS, you will likely fail 40-50% of the checks. On a properly configured CoolVDS instance managed by the Ansible playbook above, you should see green across the board. The generated HTML report can be handed directly to a compliance officer.
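To turn the scan into continuous auditing rather than a one-off report, the following added example (not part of the article or of OpenSCAP itself) parses the XCCDF file written by `--results`, lists failing rules and computes a pass ratio so a cron job or deployment pipeline can alert on drift. The embedded results document is a constructed, heavily trimmed sample; the rule ids follow the scap-security-guide naming scheme.

```python
"""Summarize the XCCDF results file written by 'oscap xccdf eval --results'.

Added example, not part of the original article: lists failing rules and a
pass ratio so a cron job or CI step can flag drift between scans without a
human opening the HTML report.
"""
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"
# Results that do not count toward the score, matching oscap's own scoring.
UNSCORED = {"notapplicable", "notselected", "informational", "notchecked"}

def summarize_results(xml_text):
    """Return (pass_ratio, failed): failed is a list of (rule_id, severity)."""
    counted, passed, failed = 0, 0, []
    for rr in ET.fromstring(xml_text).iter(NS + "rule-result"):
        result = rr.findtext(NS + "result", default="").strip()
        if result in UNSCORED:
            continue
        counted += 1
        if result == "pass":
            passed += 1
        else:  # 'fail', 'error' and 'unknown' all need a human look
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    return (passed / counted if counted else 0.0), failed

def has_drifted(xml_text, minimum_ratio=1.0):
    """True when the scan falls below the pass ratio a compliant host must hold."""
    return summarize_results(xml_text)[0] < minimum_ratio

# Constructed sample, trimmed to the elements that matter; real files are much larger.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_CENTOS-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_standard">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" severity="high">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high">
      <result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    ratio, failed = summarize_results(SAMPLE_RESULTS)
    print(f"pass ratio: {ratio:.0%}, failing rules: {failed}")
```

Point it at the `--results` file from the scan above and compare the failing-rule list with the previous run; a rule that passed yesterday and fails today is exactly the drift the section describes.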
Step 3: Data Sovereignty and Network Latency
Technical configuration is only half the battle. The physical location of your data is the other half. Under GDPR, transferring data outside the EU/EEA requires strict legal frameworks (Privacy Shield is currently active, but legal experts are already questioning its longevity).
Hosting in Norway offers a distinct advantage:
- Jurisdiction: Norway is EEA-aligned but maintains strong independent privacy laws.
- Latency: For businesses targeting Northern Europe, the speed of light matters. A packet round-trip from Oslo to London is roughly 12-15ms. Compare that to 90ms+ for US East Coast hosting.
Optimizing Nginx for Low-Latency SSL
Since we are prioritizing local traffic, we must optimize the termination of SSL/TLS connections. Handshakes are expensive. Below is an `nginx.conf` snippet optimized for performance and security, strictly using TLS 1.2 (as TLS 1.3 is not yet fully standardized/supported in stable branches as of March 2018).
```nginx
http {
    # Optimize SSL Session Caching
    ssl_session_cache shared:SSL:50m;   # holds approx 200,000 sessions (about 4,000 per MB)
    ssl_session_timeout 1d;
    ssl_session_tickets off;            # static ticket keys would undermine forward secrecy

    # Modern Cipher Suite (2018 Recommendation)
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (Strict Transport Security). Note that add_header is not inherited by a
    # server or location block that declares its own add_header directives.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
}
```
Combining NVMe storage (standard on CoolVDS) with these caching rules results in Time-To-First-Byte (TTFB) measurements often below 50ms for local users. Speed is not just a UX metric; it is a ranking factor.
The Economic Argument for Managed Infrastructure
You can build a private cloud in your basement. You can also build your own power generator. Neither is a good use of your time. The Total Cost of Ownership (TCO) for maintaining physical hardware in 2018—patching firmware, replacing failed drives, managing cooling—is prohibitive for most development teams.
| Feature | On-Premise | Generic Cloud | CoolVDS (Norway) |
|---|---|---|---|
| GDPR Compliance | High Effort | Variable | Native (EEA) |
| Hardware I/O | Depreciating HDDs | Throttled IOPS | Dedicated NVMe |
| Network Defense | Firewall Appliance | Paid Add-on | Included DDoS Protection |
Conclusion: Don't Wait for May 25th
The transition to a compliant infrastructure is not a checkbox exercise; it is a fundamental shift in how we view systems architecture. By leveraging KVM isolation, automating configuration with Ansible, and verifying with OpenSCAP, you transform compliance from a headache into a competitive advantage.
Your infrastructure needs to be as robust as your code. Stop gambling with shared kernels and uncertain data jurisdictions.
Deploy a GDPR-ready, NVMe-powered KVM instance on CoolVDS today.