As cloud services become central in an increasing number of applications, they process and store more personal and business-critical data. At the same time, privacy and compliance regulations such as GDPR, the EU ePrivacy regulation, PCI, and the upcoming EU Cybersecurity Act raise the bar for secure processing and traceability of critical data. Especially the demand to provide information about existing data records of an individual and the ability to delete them on demand is central in privacy regulations. Common to these requirements is that cloud providers must be able to track data as it flows across the different services to ensure that it never moves outside of the legitimate realm, and it is known at all times where a specific copy of a record that belongs to a specific individual or business process is located. However, current cloud architectures do neither provide the means to holistically track data flows across different services nor to enforce policies on data flows. In this paper, we point out the deficits in the data flow tracking functionalities of major cloud providers by means of a set of practical experiments. We then generalize from these experiments introducing a generic architecture that aims at solving the problem of cloud-wide data flow tracking and show how it can be built in a Kubernetes-based prototype implementation.

中文翻译：

---

跟踪云架构中的数据流

随着云服务成为越来越多应用程序的核心，它们处理和存储更多的个人和业务关键数据。与此同时，隐私和合规性法规（例如 GDPR、欧盟电子隐私法规、PCI 和即将出台的欧盟网络安全法案）提高了关键数据的安全处理和可追溯性。特别是提供有关个人现有数据记录的信息以及按需删除它们的能力是隐私法规的核心。这些要求的共同点是，云提供商必须能够在数据在不同服务之间流动时对其进行跟踪，以确保它永远不会移出合法领域，并且始终知道属于位于特定的个人或业务流程。然而，当前的云架构既不提供全面跟踪跨不同服务的数据流的方法，也不提供对数据流实施策略的方法。在本文中，我们通过一组实际实验指出了主要云提供商在数据流跟踪功能方面的不足。然后，我们从这些实验中进行概括，引入旨在解决云范围数据流跟踪问题的通用架构，并展示如何在基于 Kubernetes 的原型实现中构建它。