General Data Protection Regulation (GDPR)
You have just over 6 months to ensure that you are ready for the GDPR. The regulation is already enacted into European law and will come into effect from 25th May 2018. It affects everyone who offers goods or services to people in the European Union (EU), so even you Brexiteers cannot escape from this one!
GDPR is all about protecting privacy rights of individuals. The GDPR establishes strict global privacy requirements governing how you manage and protect personal data while respecting individual choice — no matter where data is sent, processed, or stored.
Microsoft and GDPR
Microsoft has a number of resources for ensuring you are GDPR compliant including the excellent GDPR Section of the Microsoft Trust Center and the GDPR Benchmark website. These resources will help you understand the impact across your on-premises and cloud infrastructure and applications.
This post is aimed firmly at on-premises infrastructure: quite simply, why you should be upgrading to Windows Server 2016 or, if you are already at that level, why you should be deploying the new security features, and precisely which features will help with GDPR.
What is GDPR and what does it mean for my business?
GDPR is complex as regulations go (not surprising for a pan-European regulation with global implications), and it may need you to alter the way you gather, use and manage personal data.
It applies if you offer any goods or services to anyone in the EU. GDPR offers enhanced privacy in many ways, including the following:
Increased duty for protecting personal data
Reinforced accountability of organizations that process personal data, providing increased clarity of responsibility in ensuring compliance.
Enhanced personal privacy rights
Strengthened data protection for residents of the EU by ensuring they have the right of access to their personal data, to correct inaccuracies in that data, to erase that data, to object to processing of their personal data, and to move it.
Mandatory personal data breach reporting
Organizations that control personal data are required to report personal data breaches that pose a risk to the rights and freedoms of individuals to their supervisory authorities without undue delay and, where feasible, no later than 72 hours after they become aware of the breach.
All of these will no doubt require new policies, procedures and internal data controls to ensure you do not breach the regulation and open yourself up to penalties.
Microsoft recommends a four-step process
Head off to the GDPR Section of the Microsoft Trust Center for more advice on how to achieve these four steps.
Microsoft very recently released a preview of Compliance Manager, a free service for cloud subscribers that allows you to chart your journey to compliance.
A future post will cover Compliance Manager in detail as I think it is a superb and essential tool for ensuring you do reach that compliant state.
Windows Server security and Privacy - New in Windows Server 2016
GDPR includes ensuring that any device that collects, stores, processes or retrieves personal data is fully protected. This means ALL of your servers.
Are you happy you have beaten off all threats?
Here are some handy stats for you.
- The average cost of the type of data breach the GDPR will expect you to report is $3.5M.
- 63% of these breaches involve weak or stolen passwords that the GDPR expects you to address.
- Over 300,000 new malware samples are created and spread every day, making your task to address data protection even more challenging.
(Data from McKinsey, Ponemon Institute, Verizon, and Microsoft)
Windows Server 2016 has been designed with an assume-breach posture in all areas and is built around four security principles:
Protect, Detect, Respond and Isolate.
I have been travelling around the country talking about Windows Server 2016 for over 18 months now, and in all that time I explain that we trust our administrators but not their credentials. This assume-breach posture works in several ways.
Protect your credentials and limit the privileges available in case of breach. Features such as Just Enough Administration (JEA) and Just in Time (JIT) administration work well here, as does Windows Defender Credential Guard.
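To make the "limit the privileges" point concrete, here is an added example (not code from the original post or from Microsoft) of a minimal JEA endpoint. It lets members of a hypothetical group, CONTOSO\ServiceOperators, check and restart only the Spooler service, and runs each session under a temporary virtual account so the operator's own domain credentials never land on the managed host. The group name, module path, transcript folder and endpoint name are all assumptions; run it elevated on a Windows Server 2016 host with PowerShell remoting enabled.

```powershell
# Added JEA example; CONTOSO\ServiceOperators, the SpoolerOps module and
# endpoint names are assumed for illustration.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\SpoolerOps'
New-Item -ItemType Directory -Path "$modulePath\RoleCapabilities" -Force | Out-Null
New-Item -ItemType Directory -Path 'C:\JEATranscripts' -Force | Out-Null

# Role capability file: the allow-list of what a connected operator may run.
# Parameter validation keeps Restart-Service from touching any other service.
New-PSRoleCapabilityFile -Path "$modulePath\RoleCapabilities\SpoolerOperator.psrc" `
    -VisibleCmdlets @(
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )

# Session configuration: maps the group to the role above, runs the session as a
# virtual account (no delegated domain credential on the box) and records a
# transcript of everything typed, which is useful evidence for breach reporting.
$sessionFile = Join-Path $env:TEMP 'SpoolerOps.pssc'
New-PSSessionConfigurationFile -Path $sessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'SpoolerOperator' } }

# Refuse to register a malformed configuration, then publish the endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $sessionFile)) {
    throw "Session configuration file $sessionFile is invalid"
}
Register-PSSessionConfiguration -Name 'SpoolerOps' -Path $sessionFile -Force | Out-Null

# An operator then connects to the constrained endpoint rather than a full shell.
# Restart-Service -Name Spooler succeeds; Stop-Service, Get-Process or
# Restart-Service -Name W32Time are rejected because they are not in the role.
#   Enter-PSSession -ComputerName $env:COMPUTERNAME -ConfigurationName 'SpoolerOps'
```

The useful check after registering is to connect as a member of the group and confirm that `Get-Command` inside the session lists only the two allowed cmdlets plus the handful JEA always exposes; if a full cmdlet set appears, the user is hitting the default endpoint rather than SpoolerOps.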
Secure the operating system that runs your apps and infrastructure. Windows Server 2016 provides tools such as Windows Defender Device Guard, Control Flow Guard, enhanced auditing and Windows Defender Antivirus to lock down the operating system against a wide range of attacks.
Secure virtualization. The new Host Guardian Service and Shielded Virtual Machines protect your sensitive workloads from a compromised or malicious fabric: a shielded VM's disks and running state are encrypted and can only be started on hosts the Host Guardian Service attests as healthy, which creates a trusted fabric and limits what fabric administrators can do to the VM. In addition, a virtual TPM (vTPM) allows BitLocker drive encryption for all your VMs; this is a requirement for Shielded Virtual Machines.
Finally, to ensure your server infrastructure is healthy and not under sustained attack, you can take advantage of Windows Defender Advanced Threat Protection (ATP) and Microsoft Advanced Threat Analytics (ATA). Both tools assist in detecting attempts at entering and moving through your network.
Microsoft ATA provides a graphical indication of any suspected attacks, such as a pass-the-ticket attack.
Windows Defender ATP is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks. Its dashboard provides an excellent view into current threats.
There is no better time to invest in Windows Server 2016, if you haven't evaluated it yet - try it free here.
After 31/12/17 it will be the only Windows Server sold by Microsoft! Watch this space for a Windows Server 2012 end-of-life post!