Data protection is entering new territory as the EU moves to improve how companies handle customer data. It is doing so by setting new standards in the General Data Protection Regulation, which, as noted in our previous GDPR blogs, takes effect on 25 May 2018.
Any entity that offers services or goods will have to adhere to the regulation, which has already passed into European law. The regulation aims to protect consumers and their data as they interact with various companies.
Companies will have to reconfigure their information technology systems to ensure they are up to par with the latest regulations, and that means using servers that are compliant.
Server 2016 is one operating system that provides resources that ensure compliance with the data protection regulations. For a company that is considering getting Server 2016 as part of their infrastructure, there is a need to learn what the operating system offers and how to capitalise on the resources!
Recap – What is the General Data Protection Regulation?
The GDPR was developed to protect the personal data that companies collect when conducting business. Before the regulation came to be, businesses were using a directive created in 1995.
Over the years, the gathering, storage and usage of data have changed a great deal, which necessitates new protection measures. The threats to privacy keep increasing and evolving with cybercriminals finding creative ways to compromise sensitive data. With the General Data Protection Regulation, the European Union intends to minimise cases of data breaches.
This regulation applies to companies that transact with customers in EU countries. This means that a company that is not based in an EU nation but does business with EU clients must still adhere to the standards. For this reason, the regulation will have global implications and, therefore, organisations must strive to comply.
Anyone who deals with personally identifying information must implement the standards, which are far from simple. The upside is that the regulation remains constant across all EU countries, which makes things easier for corporations with business in various EU territories.
Some companies see the regulation as an impediment that will make them lag behind their competitors because they will have to rethink their business models significantly. The companies that have to comply with the regulation are:
- Those with a presence in the EU
- Those that process personally identifiable data of European residents, even if they don’t conduct business in EU nations
- Those with fewer than 250 workers that still handle sensitive personal data, or whose data processing affects the rights of data subjects
These criteria cover almost all companies. With the increased use of online services, over 90% of businesses sell to European customers, which means they handle sensitive personal information. Some of the data that will fall under the protection of the regulation includes names, location details, ID numbers, genetic data like biological samples, online identifiers such as screen names, device IDs, email addresses and biometric data.
Every business that is impacted by the General Data Protection Regulation should understand the key elements. What does being compliant mean? Firstly, companies have a higher duty of protecting personal data. Organisations that deal with personal data of any kind have higher standards of accountability to answer to than before.
The regulation brings clarity regarding which roles companies play in regards to compliance with data protection procedures. The second implication is mandatory reporting of data breaches. If a data breach occurs and the rights/freedoms of the data subjects are infringed upon, then an organisation is required to report this to the relevant supervisory body.
When possible, the alert should take place within 72 hours of the company realising the breach. Thirdly, individuals enjoy more comprehensive personal privacy rights. The regulation allows persons to access their data for corrections and erasures. People will also have the right to move that data or to refuse to let a company process the details.
Windows Server 2016 – The OS with compliance in mind!
Microsoft’s latest server operating system is one of the tools that can help your company comply with the General Data Protection Regulation. Getting acquainted in advance with the compliance process will save an organisation from the last-minute rush that could cost business in the long run. The tech company recommends four steps for proper implementation of the standards.
The first step is discovery, where a company analyses what kind of data is collected and where the details have been stored.
The next step is management: monitoring how personal information is used and who accesses it.
Then comes protection, which involves identifying vulnerabilities and then putting in place measures to prevent and respond to them.
The last step is reporting, which means alerting supervisory bodies to data breaches and documenting all information security processes.
Windows Server 2016 takes over from Windows Server 2012 R2 and is designed for superior performance for the benefit of modern businesses. This latest iteration packs several new features, the key one being improved data security to strengthen access and identity management.
Windows Server 2016 is built with capabilities that make it less complicated for organisations to implement suitable security measures to guarantee the protection of personal information. The operating system provides this through four principles:
- Protect – the system architecture focuses on preventing intrusions from malware and other known attacks
- Detect – a set of tools tracks data activities for any inconsistencies, which allows the system to identify threats faster
- Respond – users get modern technologies that make recovery efforts easier. Companies also receive expert consultations
- Isolate – the system separates different architectural components and system privileges, then evaluates the state of the host
These elements increase the abilities of an organisation to fend off and respond to different types of attacks. The GDPR is all about reducing the risks of data breaches in a company’s system and using Windows Server 2016 makes this possible. An organisation that is able to detect vulnerabilities in the system well in advance gets an opportunity to put in place strong protection measures.
Windows Server 2016 Features
The General Data Protection Regulation requires businesses to protect personally identifying information through all the stages of its life cycle. Windows Server 2016 is not a foolproof way to ensure compliance with the requirements, but it provides several components that ease the process.
Protecting Administration Privileges
Windows Server 2016 is a suitable partner when implementing the GDPR because this helps with the monitoring of server administration privileges. The permissions granted for any system are potential targets that hackers and other criminals can use to gain access to sensitive information.
Businesses can take advantage of the credentials protection features of Windows Server 2016 to institute some changes regarding who has permissions to what. Access control is one of the top issues that the General Data Protection Regulation addresses in its mandate. A business must be capable of tracking the people that have different types of access to the system.
The regulation demands protection for privileged identities, which refer to the accounts with elevated permissions. Local, domain and enterprise administrators are some of the users that fall into this category. Privileged identities are rich targets for malicious activities like hacking and malware attacks. Just In Time Admin, Just Enough Admin and Windows Defender Guards are some of the tools in Server 2016 that companies can use to minimise the risks posed to privileged accounts.
Just In Time and Just Enough Admin are essential in reducing the number of privileges awarded to some information technology managers. Unnecessary permissions provide more opportunities for attackers to compromise the system.
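The following is an added example, not code from the original post, showing how Just Enough Administration narrows what a help-desk group can do on a server: the module path, role name, group name and the service it may restart are assumptions chosen for illustration.

```powershell
# Added example (not from the original post). A JEA endpoint that lets a
# help-desk group restart one service and read the Security event log, with
# every other cmdlet hidden. Module, role, group and service names are
# assumptions.

$moduleRoot = 'C:\Program Files\WindowsPowerShell\Modules\GdprOps'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null

# Role capability file: the allow-list of what the role may run. Restart-Service
# is constrained to a single service name through ValidateSet, and Get-WinEvent
# can only read the Security log.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'AuditReader.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName'; ValidateSet = 'Security' }, @{ Name = 'MaxEvents' } }
    ) `
    -Description 'Read the Security log and restart the print spooler only'

# Session configuration: RestrictedRemoteServer exposes a minimal command set,
# RunAsVirtualAccount means the connecting user never holds a standing admin
# credential, and the transcript directory records every command for audit.
$pssc = Join-Path $moduleRoot 'AuditReader.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'AuditReader' } }

Register-PSSessionConfiguration -Name 'GdprAuditReader' -Path $pssc -Force

# A HelpDesk member then connects to the constrained endpoint:
#   Enter-PSSession -ComputerName localhost -ConfigurationName GdprAuditReader
# Inside it, Get-Command lists only the cmdlets above, and
# Restart-Service -Name W32Time is rejected by parameter validation.
```

The transcripts written to the directory above are what an auditor asks for when tracing who accessed personal data and when.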
Running Apps and Infrastructure Securely
The operating system helps you run applications and infrastructure with less exposure to malicious attacks. Hackers and other attackers exploit weaknesses in basic operational practices. Server 2016 has more than one layer of protection, which makes it harder to exploit vulnerabilities in a company’s system. Attackers would have to go through significant trouble to penetrate the system, and the OS is built to trigger alerts when it detects intrusions.
The Windows Defender Guard is one of the components that filters the software allowed to run on the system. Depending on the security policy of an organisation, the Defender Guard will only allow binaries that have been cleared.
PowerShell, working under the Windows Defender Guard policy, gives administrators control over which scripts can run. Memory corruption is another class of attack that companies have to safeguard against. Server 2016 has Control Flow Guard to keep attackers from exploiting vulnerabilities like buffer overflows to manipulate the system.
The OS puts in place restrictions on the type of application code allowed, meaning that code that has not been pre-approved cannot execute. Windows Server 2016 also has comprehensive security auditing that enables administrators to conduct extensive analyses of the system to detect instances of data breaches.
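As an added example that is not part of the original post, here is how a code integrity policy of the kind described above is built from a known-good reference server, trialled in audit mode so that nothing breaks unexpectedly, and then enforced; the file paths are assumptions.

```powershell
# Added example (not from the original post). Build a Device Guard code
# integrity policy from a clean reference server, deploy it in audit mode,
# review what it would have blocked, then enforce it. Paths are assumptions.

Import-Module ConfigCI

$xml = 'C:\CIPolicy\GdprServer.xml'
$bin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $xml) -Force | Out-Null

# Scan the reference build. Publisher level trusts signed binaries by their
# signing certificate; the hash fallback covers unsigned in-house tools so
# they are still allow-listed rather than silently blocked.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $xml -ScanPath 'C:\' -UserPEs

# Option 3 = Enabled:Audit Mode. Violations are written to the
# Microsoft-Windows-CodeIntegrity/Operational log (event 3076) instead of
# being blocked, which gives the "detect" step data before anything is denied.
Set-RuleOption -FilePath $xml -Option 3

ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item $bin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
# Reboot here; the policy is read at boot.

# After the audit period, list the binaries that would have been blocked.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message -First 20

# Once the list is clean, remove the audit option and redeploy to enforce.
# With user-mode code integrity enforced, PowerShell also drops into
# Constrained Language mode for any script the policy does not allow.
Set-RuleOption -FilePath $xml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item $bin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
```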
The convenience of virtual machines has made them useful additions to any business. They make the virtualising of a company’s infrastructure from deployment to automation possible. However, the machines open up the system for attacks through weak virtualisation fabrics.
Protection of virtual machines is one of the areas that fall under the provisions of the General Data Protection Regulation. Windows Server 2016 is equipped with Shielded Virtual Machines and Guarded Fabric, which facilitate secure virtualisation by making the use of trusted fabrics possible. VMs are easily modified and copied because they are files with no protections, which makes them possible points of attack.
The fact that all administrators have access to virtual machines makes them more vulnerable. An attacker only has to compromise the credentials of one administrator to gain access.
With Shielded Virtual Machines, an organisation can easily apply BitLocker encryption so that the machines can only operate on trusted host servers. The Host Guardian Service is another component of Server 2016 that contributes towards secure virtualisation. Checks on the security conditions of hosts are carried out before the booting or migration of Shielded VMs is allowed. This is achieved by verifying that the hardware of the host is compatible.
The other option is to place hosts in a designated security group, and the Host Guardian Service will only let VMs run on platforms in that specific class. Server 2016’s support for Trusted Platform Module is another way that ensures the safety of virtual machines.
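As an added example, not taken from the original post, the following shows the security-group option described above being configured on the Host Guardian Service and a Hyper-V host being pointed at it and checked; the HGS URLs and the group SID are placeholders.

```powershell
# Added example (not from the original post). Admin-trusted (security group)
# attestation for a guarded fabric. Server names, URLs and the group SID are
# placeholders; replace them with your own.

# --- On the Host Guardian Service node ---
# Trust hosts by Active Directory security group membership rather than TPM.
Set-HgsServer -TrustActiveDirectory

# Only hosts in this group will be allowed to run Shielded VMs.
# The identifier is the SID of the AD group (placeholder value).
Add-HgsAttestationHostGroup -Name 'GuardedHosts' -Identifier 'S-1-5-21-0000000000-0000000000-0000000000-1234'

# --- On each Hyper-V host that should become a guarded host ---
Set-HgsClientConfiguration `
    -AttestationServerUrl   'http://hgs.contoso.local/Attestation' `
    -KeyProtectionServerUrl 'http://hgs.contoso.local/KeyProtection'

# Confirm the host passed attestation. IsHostGuarded must be True before the
# Host Guardian Service will release the keys a Shielded VM needs to boot.
$cfg = Get-HgsClientConfiguration
$cfg | Select-Object IsHostGuarded, AttestationMode, AttestationStatus

if (-not $cfg.IsHostGuarded) {
    # Run the built-in diagnostics to see which attestation check failed
    # (group membership, HGS reachability, required host features).
    Get-HgsTrace -RunDiagnostics
}
```

A host that falls out of the group, or is moved to hardware that fails the checks, loses its guarded status and can no longer start or receive migrated Shielded VMs.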
The Need for Compliance
The GDPR was adopted in 2016, but some companies are not even sure if they are required to implement the policy, meaning that by May 25, various organisations will still be lagging behind. The standards explain who is responsible for ensuring compliance in a company, and that is the data processor, data controller and data protection officer. Each of these individuals carries out crucial roles relating to personal data, from processing to storing. Per the EU regulation, these people have to make certain that data protection is carried out not only within the organisation but by third parties as well. Companies have to work with different partners such as suppliers, contractors and vendors. These third parties can also have access to sensitive information, which falls under the same purview of data regulation.
A legitimate concern is the broad interpretation provided by the standards. The regulation obliges companies to offer a ‘reasonable’ degree of protection for the data they handle. ‘Reasonable’ leaves a lot of room when the governing body is evaluating the compliance of a company.
Besides the monetary loss, noncompliance can be disastrous for a company’s reputation. In this age of big data, businesses thrive on collecting and storing personal information and consumers have come to accept that on some level.
In exchange, they expect organisations to take care of their information, particularly the personally identifying kind. Some companies handle data for millions of customers. If such an entity fell short in meeting the EU’s regulation requirements, the organisation can suffer in terms of perception. If clients don’t feel safe giving out their information to your company, that can be detrimental to most of the operations.
Microsoft’s Server 2016 is one product that offers companies useful resources to help with the implementation of the General Data Protection Regulation. If you would like to know more about the GDPR or Server 2016, please don’t hesitate to phone and speak to me or a member of my team on 01843 572600, or you can find out more about our GDPR events and workshops here.