The clock is ticking to get your Windows systems ready for the General Data Protection Regulation. To assist with these compliance efforts, Microsoft offers several resources to help systems administrators.
A European Union privacy law, GDPR goes into effect on May 25, 2018, and has wider-reaching ramifications for IT than most other regulations. For example, while the Health Insurance Portability and Accountability Act applies only to healthcare covered entities and their business associates, most organizations must adhere to GDPR requirements. The regulation applies to any organization -- including those based outside Europe -- that collects, processes or stores the personal data of individuals in the EU; the regulation speaks of data subjects, so what matters is where the person is, not their nationality.
This sweeping data privacy regulation presents a compliance challenge for even the smallest companies. For example, if a U.S. company sells items from its website to someone in the EU, GDPR applies to that business. Even something minor, such as storing that person's phone number on digital media, forces a company to either observe the rules or delete the data.
What is GDPR?
GDPR imposes stringent requirements on how businesses handle the personal data of people in the EU. It replaces the EU's 1995 Data Protection Directive, whose reach was largely limited to organizations established in Europe.
The GDPR requirements state that "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information or a computer's IP address."
Organizations subject to GDPR must keep records of their processing activities and be able to demonstrate that they comply with the regulation's 99 articles. Penalties for noncompliance go up to 20 million euros -- about $24 million -- or up to 4% of a company's worldwide annual turnover, whichever is greater.
How does Windows Server help with GDPR?
Although Windows Server 2016 does not have specific features related to GDPR, the OS has other functionality to protect organizations from a data breach.
For example, Just Enough Administration (JEA) and just-in-time (JIT) administration protect against overprivileged administrative accounts. If a business has one administrator whose main responsibility is Active Directory management, that person usually gets full domain administrative privileges, even though they only need to perform a narrow set of tasks. JEA restricts a remote PowerShell session to an approved list of cmdlets and parameters and runs them under a temporary virtual account, so the user never holds the privilege directly and every command is transcribed; JIT administration, delivered through the Privileged Access Management feature of Microsoft Identity Manager, adds the user to a privileged group only for a limited, time-bound period. The IT department can add a further layer of security by requiring multifactor authentication before a privileged access request is approved.
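The JEA side of this is a pair of configuration files. The following is an added example, not code from the article or from Microsoft's documentation: it builds a JEA endpoint that lets a help-desk group unlock Active Directory accounts and reset passwords, and nothing else. The domain CONTOSO, the group CONTOSO\Helpdesk-Tier1, the module name ADUserResetJEA, the endpoint name ADUserReset and the test user CONTOSO\jdoe are assumptions. Run it in an elevated session on the member server that will host the endpoint, with the RSAT ActiveDirectory module installed there.

```powershell
# Added example (not from the original article). Assumed names: CONTOSO,
# CONTOSO\Helpdesk-Tier1, ADUserResetJEA, ADUserReset, CONTOSO\jdoe.
$moduleName = 'ADUserResetJEA'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$roleDir    = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $roleDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# Role capability: the whitelist of cmdlets and the parameters they may take.
# Any cmdlet or parameter not listed here does not exist inside the session.
$roleParams = @{
    Path            = Join-Path $roleDir 'ADUserReset.psrc'   # file name = role name
    ModulesToImport = 'ActiveDirectory'
    VisibleCmdlets  = @(
        @{ Name = 'Get-ADUser';            Parameters = @{ Name = 'Identity' }, @{ Name = 'Properties' } },
        @{ Name = 'Unlock-ADAccount';      Parameters = @{ Name = 'Identity' } },
        @{ Name = 'Set-ADAccountPassword'; Parameters = @{ Name = 'Identity' }, @{ Name = 'Reset' }, @{ Name = 'NewPassword' } }
    )
}
New-PSRoleCapabilityFile @roleParams

# Session configuration: maps the AD group to the role, runs commands as a
# transient virtual account (local admin only for the life of the session,
# never a credential the help-desk user holds) and transcribes every command.
# Caveat: on a member server the virtual account reaches AD as the computer
# account, so delegate unlock/reset rights on the target OU to that computer
# account, or use -GroupManagedServiceAccount instead of RunAsVirtualAccount.
$sessionFile = Join-Path $env:TEMP 'ADUserReset.pssc'
$sessionParams = @{
    Path                = $sessionFile
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\JEATranscripts'
    RoleDefinitions     = @{ 'CONTOSO\Helpdesk-Tier1' = @{ RoleCapabilities = 'ADUserReset' } }
}
New-PSSessionConfigurationFile @sessionParams
if (-not (Test-PSSessionConfigurationFile -Path $sessionFile)) {
    throw 'Session configuration file is invalid'
}
Register-PSSessionConfiguration -Name 'ADUserReset' -Path $sessionFile -Force | Out-Null

# Check: what a member of Helpdesk-Tier1 would actually be able to run.
# Expect only the three AD cmdlets plus the handful of built-ins JEA always exposes.
Get-PSSessionCapability -ConfigurationName 'ADUserReset' -Username 'CONTOSO\jdoe' |
    Where-Object CommandType -eq 'Cmdlet' |
    Select-Object Name
```

A help-desk user then connects with `Enter-PSSession -ComputerName <server> -ConfigurationName ADUserReset`; the transcripts in C:\JEATranscripts are the audit trail of who ran what, which is the kind of processing record GDPR expects you to be able to produce.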
Another security feature that can help with GDPR compliance initiatives is Windows Defender Credential Guard. New to Windows Server 2016, this feature uses virtualization-based security to move the secrets the Local Security Authority holds -- NTLM password hashes and Kerberos tickets -- into an isolated process that the normal OS cannot read, even with SYSTEM privileges, so tools that dump credentials from LSASS for pass-the-hash attacks come up empty. It requires UEFI firmware, Secure Boot and a CPU with virtualization extensions. A related feature, Windows Defender Remote Credential Guard, protects the credentials used for Remote Desktop sessions: the credentials stay on the client and Kerberos requests from the server are redirected back to it, so a compromised server cannot harvest the credentials of the administrators who connect to it.
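Enabling Credential Guard through Group Policy is one thing; confirming it is actually running on a given server is the check that matters. The following is an added example, not code from the article: it reads the Win32_DeviceGuard WMI class to report whether Credential Guard is configured and running, shows the registry values that enable it when policy is not used, and sets the one value an RDP target needs for Remote Credential Guard. Server names are assumptions.

```powershell
# Added example (not from the original article). Run elevated.

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports the VBS feature set; code 1 in the
    # SecurityServices* arrays means Credential Guard, code 2 means HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 enabled, 2 running
        CredentialGuardConfigured = 1 -in $dg.SecurityServicesConfigured
        CredentialGuardRunning    = 1 -in $dg.SecurityServicesRunning
        # LsaIso.exe is the isolated LSA process; if it is absent, secrets are still in LSASS.
        LsaIsoProcessPresent      = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)
    }
}

$state = Get-CredentialGuardState
$state

if (-not $state.CredentialGuardRunning) {
    # Manual enablement without Group Policy; a reboot is required afterwards.
    # LsaCfgFlags: 1 = enabled with UEFI lock (cannot be turned off remotely), 2 = enabled without lock.
    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot plus DMA protection.
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $dgKey  -Name 'EnableVirtualizationBasedSecurity' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $dgKey  -Name 'RequirePlatformSecurityFeatures'   -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags'                       -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Warning 'Credential Guard enabled in the registry; reboot and re-run Get-CredentialGuardState.'
}

# Remote Credential Guard: the RDP *target* must allow Restricted Admin /
# Remote Credential Guard connections. 0 means "not disabled".
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'DisableRestrictedAdmin' `
    -PropertyType DWord -Value 0 -Force | Out-Null
# On the admin workstation, connect with the credentials kept local:
#   mstsc.exe /remoteGuard /v:srv01.contoso.com     (srv01 is an assumed name)
```

Remote Credential Guard only works for Kerberos logons between domain-joined machines, so it does not help for local-account or workgroup RDP; for those, Restricted Admin mode (`mstsc.exe /restrictedAdmin`) is the fallback.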
Windows Defender Device Guard (since renamed Windows Defender Application Control) is an application whitelisting feature in Windows Server 2016. The admin builds a code integrity policy that specifies which binaries may run, identified by signing certificate or file hash, and everything else, including malware and unapproved tools, is refused. If there is an attempt to execute unauthorized code, Windows Server blocks it and logs the event; the policy can also be deployed in audit mode first, in which case it only logs what it would have blocked, which is the safe way to tune it before enforcing it.
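The workflow is: scan a known-good reference server, turn the result into a policy in audit mode, deploy it, and read the code integrity log. The following is an added example, not code from the article: it uses the ConfigCI cmdlets that ship with Windows Server 2016 and a small function to pull the audit and block events. The policy paths are assumptions.

```powershell
# Added example (not from the original article). Run elevated on a clean
# reference server; C:\CIPolicy\Baseline.xml is an assumed path.
$policyXml = 'C:\CIPolicy\Baseline.xml'
$policyBin = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'   # location the kernel loads from
New-Item -Path (Split-Path $policyXml) -ItemType Directory -Force | Out-Null

# Scan the system. Trust by publisher certificate where files are signed so
# updates keep working; fall back to per-file hash for unsigned binaries.
# -UserPEs includes user-mode executables, not just drivers.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $policyXml -UserPEs -ScanPath 'C:\'

# Rule option 3 = Enabled:Audit Mode. Nothing is blocked; violations are only logged.
Set-RuleOption -FilePath $policyXml -Option 3
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
# Reboot for the policy to load.

function Get-CodeIntegrityViolations {
    # 3076 = would have been blocked (audit mode), 3077 = blocked (enforced mode)
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 3076) { 'Audit' } else { 'Enforced' }
            Message = ($_.Message -split "`r?`n")[0]   # first line names the file
        }
    }
}

Get-CodeIntegrityViolations -Hours 168 | Format-Table -AutoSize

# When the audit log is clean for a representative period, drop option 3 to
# enforce, regenerate the binary policy and reboot again.
# Set-RuleOption -FilePath $policyXml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
```

Keep the enforcement step commented out until the audit period is over; a policy that blocks a legitimate agent or backup binary on a file server is itself an availability incident.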
Microsoft updated Windows Server's security auditing capabilities, which is useful for GDPR compliance. The company designed Windows Server 2016 to integrate with security information and event management systems and extended the server OS with two new audit subcategories. For the first time, Windows Server can natively audit group membership at logon, recording the groups in the user's token alongside the logon event, and Plug and Play (PnP) activity, which records each time an external device such as a USB drive is recognized. PnP auditing helps admins detect the use of removable storage, a common route for personal data to leave the organization.
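Both subcategories are off by default. The following is an added example, not code from the article: it enables them with auditpol, then reads back the events they produce (4627 for group membership, 6416 for a newly recognized external device) with a small converter that exposes every field in the event's EventData block by name, so the same function works for any Security event. The field names selected at the end are the ones those two events carry; any field a given event lacks simply shows as empty.

```powershell
# Added example (not from the original article). Run elevated.

# Enable the two Windows Server 2016 audit subcategories.
auditpol.exe /set /subcategory:"Group Membership"     /success:enable /failure:enable
auditpol.exe /set /subcategory:"Plug and Play Events" /success:enable
# Verify the setting took.
auditpol.exe /get /subcategory:"Group Membership"
auditpol.exe /get /subcategory:"Plug and Play Events"

function ConvertFrom-SecurityEvent {
    # Turn an EventLogRecord into a flat object with one property per EventData field.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $xml   = [xml]$Event.ToXml()
        $props = [ordered]@{ Time = $Event.TimeCreated; Id = $Event.Id; Computer = $Event.MachineName }
        foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        [pscustomobject]$props
    }
}

function Get-SecurityEvents {
    param([int[]]$Id, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $Id
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ConvertFrom-SecurityEvent
}

# 6416: a new external device was recognized by the system.
Get-SecurityEvents -Id 6416 -Hours 24 |
    Select-Object Time, Computer, DeviceDescription, ClassName, DeviceId |
    Format-Table -AutoSize

# 4627: group membership information for a logon; GroupMembership lists the
# SIDs in the token, which is how you prove which privileged groups a user
# actually held when they touched the data.
Get-SecurityEvents -Id 4627 -Hours 24 |
    Select-Object Time, Computer, TargetUserName, LogonType, GroupMembership |
    Format-Table -Wrap
```

Forwarding these two event IDs to the SIEM is what turns the feature into a GDPR artefact: a query for 6416 on file servers answers "was removable media attached to a system holding personal data", and 4627 ties each access to the group memberships that authorized it.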
What else does Microsoft offer?
Microsoft promotes its cloud service as a method to accelerate GDPR compliance. For companies that do not have that option, there are other Microsoft services and tools that can help.
The GDPR Benchmark is a questionnaire that asks about two dozen questions and offers a series of recommendations based on the answers. Figure 1 shows an excerpt from the site.
The site asks for the company's location, size and whether it is a Microsoft partner, and then proceeds with a number of GDPR-specific questions. The GDPR Benchmark tool is essentially a Microsoft sales utility, but it does help highlight the areas the admin needs to address to meet GDPR requirements.
A Microsoft site dedicated to GDPR offers guidance through a series of documents and videos that can assist organizations through the compliance process.
Figure 2 shows an Excel spreadsheet that is part of the GDPR Detailed Assessment package on the site. The spreadsheet contains more than 100 questions related to how the organization stores, maintains, secures and processes data. Complete the spreadsheet to assess the overall compliance readiness of the organization and which areas require improvement.