Monitoring Data Breaches for GDPR Compliance


Sam Matthews

Oct 27, 2017, 2:19:15 AM
to Firebase Google Group
Hi,
As part of the new GDPR Compliance regulations coming in next year, businesses are required to monitor for data breaches and report these within 48 hours.
I'd like to ask for some clarification around a few things:

1) Where does Firebase's responsibility end and ours as customers begin? For example, is this something that Firebase are monitoring against themselves, and would notify us as customers so we would then pass that on to our users, or are we expected to monitor this ourselves?

2) If we are expected to monitor this ourselves, could you please give a rough suggestion of how this would work in the context of the Firebase Realtime Database? For example, we have no way of monitoring unusual traffic or extreme API calls etc., it is something of a black box.

Any clarification would be much appreciated. 
Thanks,
Sam

Ian Barber

Oct 28, 2017, 1:53:36 PM
to Firebase Google Group
For a lot of the cases, this has to be something you handle - for example, if you fail to add any security rules to your RTDB or Firestore, then anyone would be able to read data, and we would have no way of knowing whether any access is approved or not. 

With regards to how you monitor, it's really dependent on what kind of data you are storing, and how you're structuring it. Assuming your rules are well configured, then some of the types of breach you might want to consider would include an account with access to the console being leaked/phished, or an Admin SDK service account being inadvertently exposed.
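
The reply above points out that missing security rules leave data readable by anyone. As an added example (not part of the thread and not Firebase tooling), this Python check walks an exported Realtime Database rules file and lists over-broad `.read`/`.write` rules; the sample rules, function names and the "any signed-in user" heuristic are assumptions, and it expects strict JSON without comments.

```python
import json

# Constructed sample rules export (not from the thread). Assumes strict JSON;
# comments in a real rules file must be stripped before parsing.
SAMPLE_RULES = """
{
  "rules": {
    ".read": false,
    "public_profiles": { ".read": true },
    "users": { "$uid": { ".read": "auth != null && auth.uid === $uid" } },
    "messages": { ".read": "auth != null", ".write": true }
  }
}
"""

def _classify(expr):
    """Return a finding label for a rule expression, or None if it is scoped."""
    if expr is True:
        return "open to anyone"
    text = "".join(str(expr).split())  # drop whitespace before comparing
    if text == "true":
        return "open to anyone"
    if text in ("auth!=null", "auth!==null", "auth.uid!=null", "auth.uid!==null"):
        return "open to any signed-in user"
    return None

def audit_rules(rules_json):
    """Walk a Realtime Database rules tree and list over-broad .read/.write rules."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                label = _classify(value)
                if label:
                    findings.append((path or "/", key, label))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return sorted(findings)

if __name__ == "__main__":
    for path, op, label in audit_rules(SAMPLE_RULES):
        print(f"{path} {op}: {label}")
```

Because Realtime Database rules cascade, a grant found at a path also applies to everything beneath it, so each finding covers the whole subtree.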


 
