“As the world continues to change and business requirements evolve, some things are consistent: a customer’s demand for security and privacy.”
Satya Nadella, Microsoft’s CEO
An important topic in the European IT world these days is the GDPR (General Data Protection Regulation).
This new European data and privacy protection law comes into force on May 25, 2018. It applies to all citizens of the EU and is intended to protect and enable the privacy rights of individuals.
The GDPR regulates the protection and enabling of the private data of any individual, no matter where that data is sent, processed or stored.
The GDPR forms a complex set of rules for any organization that offers goods or services to citizens of the EU, or that collects and analyzes data about EU citizens in any form, regardless of where the business is located.
The key elements of the GDPR can be summarized in three points:
- Enhanced personal privacy rights
- An increased duty of protecting personal data
- Mandatory personal data breach reporting
In short, these points protect EU residents by granting them access to their personal data and the right to manage it in any way (correct, erase or move it), by requiring awareness and responsibility from organisations that process personal data, and by mandating that detected breaches be reported to supervisory authorities no later than 72 hours after detection.
How does the GDPR define personal and sensitive data, and how do those definitions relate to data held by organizations?
Personal data, as considered by the GDPR, is any information relating to an identified or identifiable natural person: direct identification (legal name, etc.), indirect identification (specific information that can identify you in data references), and online identifiers (IP addresses, mobile IDs and location data).
The GDPR sets specific definitions for genetic data (an individual’s gene sequence) and biometric data. These types of data, along with other subcategories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; data concerning health; or data concerning a person’s sex life or sexual orientation), are treated as personal data and require the individual’s consent where they are to be processed.
When any sensitive or personal data is processed on a physical or virtual server, the GDPR requires the implementation of technical and organizational security measures that protect personal data and processing systems from today’s security risks, such as ransomware attacks or any type of cyberterrorism.
Ransomware attacks pose an additional problem in light of the GDPR’s estimated penalties, which make any company’s system that contains personal and sensitive data a potentially rich target. Depending on the kind of infringement, monetary penalties range from 2% up to 4% of total worldwide annual turnover, or not less than 10 to 20 million Euro.
What does the GDPR mean for Windows Server security and protection, and how does Windows Server support GDPR compliance?
In Windows Server 2016, security is an architectural principle, and it can be seen as four major points:
- Protect – Focus and innovation on preventive measures
- Detect – Monitoring tools with the purpose to spot abnormalities and respond to attacks faster
- Respond – Usage of response and recovery technologies and experts
- Isolate – Isolation of operating system components and data secrets, limited administrator privileges, and rigorously measured host health.
These points, implemented in Windows Server, greatly improve the defense against possible data breaches.
Key features within Windows Server are designed to help users efficiently and effectively implement the security and privacy mechanisms the GDPR requires for compliance.
Windows Server 2016 helps block the common attack vectors used to gain unauthorized access to user systems: stolen credentials, malware, and a compromised virtualization fabric.
In addition to reducing business risk, the security components built into Windows Server 2016 help address compliance requirements for key government and industry security regulations.
These identity, operating system, and virtualization protections enable better protection of a datacenter running Windows Server as a VM in any cloud, and limit the ability of attackers to compromise credentials, launch malware, and remain undetected. Likewise, when deployed as a Hyper-V host, Windows Server 2016 offers security assurance for virtualization environments through Shielded Virtual Machines and distributed firewall capabilities. With Windows Server 2016, the server operating system becomes an active participant in data center security.
The GDPR specifically regulates control over access to personal data, and the systems that process it, including administrator/privileged accounts. It defines privileged identities as any accounts that have elevated privileges, such as user accounts that are members of the Domain Administrators, Enterprise Administrators, local Administrators, or even Power Users groups.
Such accounts are protected from compromise by the following guidelines, which all organizations should implement:
- Reasonable allocation of privileges – Users should not have more privileges than needed to complete their job.
- Limit the sign-in time for privileged accounts to “strictly work-related operations”.
- Social engineering awareness – Aimed at preventing email phishing and the possibility of a security breach, even through “harmless”, lower-level accounts.
- Every account with unnecessary domain admin-level privileges increases exposure to attackers seeking to compromise credentials. To minimize the attack surface, it is recommended to grant only the specific set of rights that an admin needs to do the job – and only for the window of time needed to complete it. This way of administering is called Just Enough Administration and Just-in-Time Administration, and it is highly recommended.
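The Just Enough Administration model described above, as an added example that is not part of the original article: a PowerShell JEA endpoint that exposes only three cmdlets to a helpdesk role, runs under a temporary virtual account, and records a transcript of every session. The group name CONTOSO\Helpdesk, the module path, the endpoint name and the Spooler service are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): a minimal JEA endpoint.
# CONTOSO\Helpdesk, the module path and the 'Spooler' service are assumptions.
#Requires -RunAsAdministrator

$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'
$rcDir      = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
# PowerShell only discovers RoleCapabilities folders inside a module with a manifest.
New-ModuleManifest -Path (Join-Path $modulePath 'HelpdeskJEA.psd1')

# Role capability: list only the cmdlets this role needs, and restrict
# Restart-Service to a single service name with ValidateSet.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'HelpdeskRole.psrc') `
    -VisibleCmdlets 'Get-Service', 'Get-Process',
                    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }

# Session configuration:
#  - RestrictedRemoteServer hides everything not explicitly made visible
#  - RunAsVirtualAccount grants local admin rights only for the session's lifetime (just-in-time)
#  - TranscriptDirectory keeps an audit trail for breach detection and forensics
$sessionFile = Join-Path $env:TEMP 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $sessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'HelpdeskRole' } }

if (-not (Test-PSSessionConfigurationFile -Path $sessionFile)) {
    throw "Session configuration file $sessionFile is invalid"
}
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $sessionFile -Force

# A member of CONTOSO\Helpdesk connects with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName Helpdesk
# Inside the session, Get-Command shows only the cmdlets listed above.
```

Registering the endpoint restarts the WinRM service, so run it in a maintenance window.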
Windows Server 2016 offers various types of prevention and protection tools and features, for various types of user accounts, such as:
- Microsoft Identity Manager 2016
- Local Administrator Password Solution (LAPS)
- Windows Defender Credential Guard
- Windows Defender Device Guard
- Control Flow Guard
which cover the areas of protecting user/admin credentials, trusted-software-only installation, breach notification, and jump-oriented programming (JOP) defense.
Windows Server 2016 also actively alerts administrators to potential breach attempts with enhanced security auditing that provides more detailed information, which can be used for faster attack detection and forensic analysis. It logs events from Control Flow Guard, Windows Defender Device Guard, and other security features in one location, making it easier for administrators to determine which systems may be at risk.
A newly introduced feature is Shielded VMs. They include a virtual TPM (Trusted Platform Module) device, which enables organizations to apply BitLocker encryption to the virtual machines and ensure they run only on trusted hosts, helping to protect against compromised storage, network, and host administrators. Shielded VMs are created from Generation 2 VMs, which support Unified Extensible Firmware Interface (UEFI) firmware and have a virtual TPM.
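The Shielded VM setup described above, as an added example that is not part of the original article: Hyper-V PowerShell that creates a Generation 2 VM, enables Secure Boot and a virtual TPM, and turns on shielding. The VM name, storage paths and sizes are assumptions; the local key protector is a single-host lab shortcut, whereas in a guarded fabric the key protector is issued by the Host Guardian Service so the VM can only start on attested hosts.

```powershell
# Added example (not from the original article). VM name, paths and sizes are
# assumptions. The local key protector is for a lab only; production Shielded VMs
# take their key protector from the Host Guardian Service (HGS).
#Requires -RunAsAdministrator
Import-Module Hyper-V

$vmName = 'GDPR-App01'
New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 2GB -Path 'D:\VMs' `
       -NewVHDPath "D:\VMs\$vmName.vhdx" -NewVHDSizeBytes 60GB | Out-Null

# Generation 2 provides UEFI; Secure Boot is required for a Shielded VM.
Set-VMFirmware -VMName $vmName -EnableSecureBoot On

# The vTPM state is sealed by the key protector, so one must exist before
# Enable-VMTPM succeeds. Lab-only local key protector (assumption):
Set-VMKeyProtector -VMName $vmName -NewLocalKeyProtector
Enable-VMTPM -VMName $vmName

# Shielding removes host-administrator access paths such as the VM console
# and PowerShell Direct, which is the protection the article describes.
Set-VMSecurityPolicy -VMName $vmName -Shielded $true

# Report the resulting security state so the configuration can be verified.
function Get-ShieldingState {
    param([string]$Name)
    $sec = Get-VMSecurity -VMName $Name
    [pscustomobject]@{
        VM                  = $Name
        TpmEnabled          = $sec.TpmEnabled
        Shielded            = $sec.Shielded
        EncryptStateAndLive = $sec.EncryptStateAndVmMigrationTraffic
    }
}
Get-ShieldingState -Name $vmName
```

Inside the guest, BitLocker can then use the virtual TPM as its protector exactly as it would on physical hardware.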
The GDPR can have a significant impact on any business that uses any type of personal data. It should be taken seriously and implemented as soon as possible, whatever time, funds, or planning it requires.