How does Windows Server 2016 help with GDPR Compliance?

The European Union’s General Data Protection Regulation (GDPR) comes into force on 25th May 2018, imposing new rules for data privacy and protection. IT companies and organizations that process personal data must adhere to its requirements.

According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information or a computer’s IP address.”

GDPR requires businesses and IT companies to protect personal data and to spell out how they manage and share it. Non-compliance carries heavy financial penalties, about 4% of an organization’s annual earnings.

Let’s look at the important security features in Windows Server 2016 that can help with GDPR compliance and protect organizations from a data breach.

Just Enough Administration and Just in Time Administration

Even when credentials are protected and isolated as far as possible, administrator credentials can still be stolen through attacks, social engineering, brute-force cracking and disgruntled employees. Therefore, there should be a way to limit the reach of administrator-level privileges in case they are compromised.

Windows Server 2016 introduces Just Enough Administration and Just-In-Time Administration, which let organizations grant administrative rights only for a limited time and with limited permissions.

Just Enough Administration in Windows Server 2016 allows you to give limited privileges and access to only those tools that are needed to perform specific administrative tasks.
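As an added illustration (not code from the article), the following builds a JEA endpoint that lets a helpdesk group restart one service without ever holding administrator rights on the host. The module name, the `CONTOSO\HelpDesk` group, the `Spooler` service and the file paths are assumptions.

```powershell
# JEA endpoint: helpdesk staff may restart only the Spooler service.
# Names (HelpDeskJEA, CONTOSO\HelpDesk, Spooler, C:\JEA) are assumptions for this example.

$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpDeskJEA'
$roleDir    = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'HelpDeskJEA.psd1')

# Role capability: only the cmdlets needed for the task are visible, and
# Restart-Service is further constrained so -Name can only be 'Spooler'.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'SpoolerOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    ) `
    -VisibleFunctions @() `
    -VisibleExternalCommands @()

# Session configuration: restricted endpoint that runs commands under a temporary
# virtual account (the connecting user's own token is never elevated) and records
# a transcript of every session as audit evidence.
$transcriptDir = 'C:\JEA\Transcripts'
New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null
New-PSSessionConfigurationFile -Path 'C:\JEA\HelpDesk.pssc' `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcriptDir `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'SpoolerOperator' } }

# Validate the file, then expose it as a constrained remoting endpoint.
if (-not (Test-PSSessionConfigurationFile -Path 'C:\JEA\HelpDesk.pssc')) {
    throw 'Session configuration file is invalid'
}
Register-PSSessionConfiguration -Name 'HelpDesk' -Path 'C:\JEA\HelpDesk.pssc' -Force

# A helpdesk user then connects to the endpoint; only the listed commands exist there:
#   Enter-PSSession -ComputerName localhost -ConfigurationName HelpDesk
#   Restart-Service -Name Spooler     # allowed
#   Restart-Service -Name WinRM       # rejected: 'WinRM' is outside the ValidateSet
```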

Just-In-Time Administration allows you to assign users to privileged groups for a limited time frame; the users are removed from the privileged groups automatically when that duration expires. This technology is known as Privileged Access Management.
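As an added example (not from the article) of the time-bound membership described above, this uses the Windows Server 2016 Privileged Access Management optional feature to grant Domain Admins membership that expires by itself. The account `jsmith` is an assumption, and the script must run as an Enterprise Admin in a forest at the 2016 functional level.

```powershell
# Time-bound privileged group membership (Privileged Access Management feature).
# 'jsmith' is an assumed account name for this example.
Import-Module ActiveDirectory

$forest = (Get-ADForest).RootDomain

# 1. Enable the PAM optional feature once per forest. This step is irreversible and
#    requires the forest functional level to be Windows Server 2016.
$pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# 2. Grant Domain Admins membership that lapses after 60 minutes. The KDC caps the
#    lifetime of the user's Kerberos ticket to the remaining TTL, so the elevated
#    ticket cannot be reused once the membership has expired.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jsmith' -MemberTimeToLive (New-TimeSpan -Minutes 60)

# 3. Review who currently holds time-bound membership and how long remains.
function Get-ExpiringMembers {
    param([string]$Group)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        # Time-bound entries are returned as '<TTL=seconds>,<distinguished name>'
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
        }
    }
}
Get-ExpiringMembers -Group 'Domain Admins'
```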

The IT division can add an extra layer of safety by configuring Windows to validate the administrator’s identity with multifactor authentication before the request is granted.

Windows Defender Credential Guard and Windows Defender Remote Credential Guard

Two other important security features in Windows Server 2016 that can help with GDPR compliance are Windows Defender Credential Guard and Windows Defender Remote Credential Guard.

Windows Defender Credential Guard uses the hypervisor to isolate authentication credentials from the rest of the operating system, so that even privileged system software cannot read them. This makes Pass-the-Hash and Pass-the-Ticket attacks ineffective, since the secrets they depend on are no longer reachable.

Windows Defender Credential Guard uses:

  1. Virtualization-based security, which requires:
     • 64-bit CPU
     • CPU virtualization extensions, plus extended page tables
     • Windows hypervisor
  2. Secure boot (required)
  3. TPM 2.0, either discrete or firmware (preferred; provides binding to hardware)

Windows Defender Remote Credential Guard protects the credentials used for Remote Desktop sessions. Previously, users with remote desktop connections had to log on twice, and the second logon exposed their credentials on the remote host to Pass-the-Hash or Pass-the-Ticket attacks. Windows Defender Remote Credential Guard in Windows Server 2016 implements single sign-on for Remote Desktop sessions and eliminates the requirement to re-enter the logon credentials.
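The following added check (not from the article) reads the `Win32_DeviceGuard` class to confirm that the prerequisites listed above are present and that Credential Guard is actually running, turns it on if not, and then allows Remote Credential Guard connections on the RDP target. The server name `server01` is an assumption.

```powershell
# Verify Credential Guard prerequisites and state, then enable it and Remote Credential Guard.
function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
    # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection
    # SecurityServicesRunning:     1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running
    [pscustomobject]@{
        VbsStatus        = $dg.VirtualizationBasedSecurityStatus
        HypervisorReady  = 1 -in $dg.AvailableSecurityProperties
        SecureBoot       = 2 -in $dg.AvailableSecurityProperties
        CredGuardRunning = 1 -in $dg.SecurityServicesRunning
        Tpm20Present     = (Get-Tpm).TpmPresent
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List

if (-not $status.CredGuardRunning) {
    # Registry equivalent of the "Turn On Virtualization Based Security" Group Policy;
    # takes effect after a reboot.
    $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures  -Value 1 -Type DWord  # 1 = Secure Boot
    Set-ItemProperty -Path $lsa   -Name LsaCfgFlags                       -Value 1 -Type DWord  # 1 = on, with UEFI lock
}

# Remote Credential Guard on the RDP target: permit the Restricted Admin / Remote Credential
# Guard connection mode so the client's credentials are never transmitted to the server.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DisableRestrictedAdmin -Value 0 -Type DWord

# On the client, connect with Remote Credential Guard (server01 is an assumed host name):
#   mstsc.exe /remoteGuard /v:server01
```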

Protecting infrastructure and applications

Windows Defender Device Guard

Protecting credentials is important, but servers must also be shielded from malware and from external attackers running malicious software. Windows Defender Device Guard is an application whitelisting tool in Windows Server 2016 that ensures only trusted software runs on the server. With Windows Defender Device Guard, administrators can specify and limit which binaries can run on the system, blocking malware, unauthorized software and the exploitation of vulnerabilities through untrusted code.
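As an added example (not from the article), this builds a Device Guard code integrity policy from a known-good reference server and deploys it in audit mode first, so that binaries the policy would block are logged before enforcement is switched on. The `C:\CIPolicy` paths are assumptions.

```powershell
# Device Guard code integrity policy: scan a reference server, pilot in audit mode, then enforce.
# C:\CIPolicy is an assumed working directory for this example.
$policyXml = 'C:\CIPolicy\ServerPolicy.xml'
$policyBin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path 'C:\CIPolicy' -Force | Out-Null

# Publisher-level rules trust signed code by its signing chain; the Hash fallback covers
# unsigned binaries that still have to run. -UserPEs includes user-mode executables.
New-CIPolicy -FilePath $policyXml -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs

# Rule option 3 = "Enabled:Audit Mode". Keep it on for the pilot so nothing is blocked yet.
Set-RuleOption -FilePath $policyXml -Option 3

# Compile to the binary form the kernel reads and stage it for the next boot.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
Copy-Item $policyBin "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" -Force

# After a representative workload has run, review the audit events. Event 3076 is written
# for every binary enforcement would have blocked: each hit is either a gap in the policy
# (add a rule) or software that should not be on the server at all.
function Get-CIAuditHits {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
    } -ErrorAction SilentlyContinue |
      ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Message = $_.Message } }
}
Get-CIAuditHits | Select-Object -First 20

# Once the audit log is clean, drop option 3 to enforce, then recompile and redeploy:
#   Set-RuleOption -FilePath $policyXml -Option 3 -Delete
```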

Enhanced security auditing

Windows Server’s enhanced security auditing capabilities are useful for GDPR compliance. Microsoft updated security auditing to provide more detailed information for faster attack detection and to alert administrators to potential breach attempts.

The enhanced auditing adds two new audit subcategories, Audit Group Membership and Audit PnP Activity. Group Membership auditing records the group membership information of a user’s logon session, and PnP auditing helps administrators detect an external device being attached, which could carry malware.
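As an added example (not from the article), the following enables the two audit subcategories named above and collects the resulting Security log events into a form that can be triaged. The event IDs are the standard Windows ones (4627 for group membership of a new logon session, 6416 for a newly recognized external device); the 24-hour window and the privileged-group filter are assumptions.

```powershell
# Enable Group Membership and PnP auditing, then triage the events they produce.
auditpol.exe /set /subcategory:"Group Membership" /success:enable
auditpol.exe /set /subcategory:"Plug and Play Events" /success:enable /failure:enable

function Get-RecentAuditEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4627, 6416; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        switch ($_.Id) {
            4627 { [pscustomobject]@{ Time = $_.TimeCreated; Event = 'GroupMembership'
                                      Subject = "$($d.TargetDomainName)\$($d.TargetUserName)"
                                      Detail  = $d.GroupMembership } }
            6416 { [pscustomobject]@{ Time = $_.TimeCreated; Event = 'NewDevice'
                                      Subject = $d.DeviceDescription
                                      Detail  = $d.DeviceId } }
        }
      }
}

# Triage: a logon whose group list contains a highly privileged group, or any new device
# on a server that should never see removable media, is worth an alert.
Get-RecentAuditEvents -Hours 24 |
  Where-Object { $_.Event -eq 'NewDevice' -or $_.Detail -match 'Domain Admins|Enterprise Admins' } |
  Format-Table -AutoSize
```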


Getting Ready for GDPR Compliance in 2018

GDPR (General Data Protection Regulation) is a regulation that requires businesses to protect customers’ personal data and privacy. As of 25th May 2018, GDPR is expected to set a new standard for data privacy and protection rights, and non-compliance could cost companies stiff financial penalties.

Under GDPR, you will need to prove that you can restore missing data, list backed up data, locate data and manage your data. Thus, any audited organization without a genuine data backup solution will be at risk of being penalized.

Here is a list of some actionable best practices for complying with GDPR in 2018:

Data Backup – Manage and safeguard your backups using professional tools tailored to company needs. It is also essential to recycle datasets automatically after backup retention periods complete.

Data Storage – To ensure data protection, it is important to manage data storage media. Manage backup sets with short-term retention on disk and long-term on tape or public clouds.

Data Accessibility – Under GDPR rules, data needs to be accessible, deletable and easy to locate. Inbuilt cataloguing tools can help organizations to isolate backed up data, locate, delete and transfer personal data.

Data Security – Data should be encrypted and accessible to those with specifically defined access rights. This means user access needs to be tightly controlled for both backup and restoration operations.

Are you prepared for GDPR regulations? Atempo solutions can play a vital role in getting you safely through a GDPR audit. Atempo’s Data Backup Solution (ALN and ATN) and Archiving solution (ADA) fully comply with GDPR and respect industry norms related to data backup storage, recovery, and accessibility.

For more information about Atempo’s Data Protection Suites, please contact us at +91-120-4155477.