GDPR Best Practices for Windows File Servers
As of May 25th, 2018, all businesses that handle EU personal data must be GDPR compliant. From the perspective of a GDPR Windows File Server, personal data is of the greatest concern for GDPR compliance. Companies outside the EU assume that the GDPR does not apply to them, but any interaction with an EU citizen requires compliance; simply running a business that is located outside the EU does not give you a "get out of jail free" card!
With the GDPR, companies must notify authorities and customers of data breaches within 72 hours of becoming aware of the incident, maintain records to provide customers confirmation if their data is being used and how, provide them a copy of their data if requested, and allow them to have their data erased. As part of the GDPR data discovery audit, companies must classify all personal data and, once classified, protect that data.
This checklist covers best practice recommendations for the protection of personal data stored on a Windows File Server infrastructure. However, Personal Data also includes things like email stored in Office Online or on-premise in Exchange. The details that follow are best practices that should be followed for protecting personal data in compliance not only with GDPR but other standards as well (HIPAA, FINRA, etc.).
Personal Data Covered Under GDPR
Article 4(1) defines "personal data" as follows (all emphasis added unless otherwise noted):
"personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
With such a broad definition, any organization must identify and protect Personal Data. What tools are available to Windows System Administrators to identify and protect data? In the following sections, we identify tools and resources available to Network Administrators to protect GDPR Windows File Servers and Shares.
Identifying Personal Data
As part of the discovery process, organizations need to identify, in detail, their data processing activities. They may do so by preparing and maintaining a register of all data processing activities. Under GDPR, organizations must keep full internal documentation of their data processing activities.
The first step in protecting remote access to data with MyWorkDrive is to identify and locate personal data and business processes. Once personal data is identified, it can be protected from access. In addition to developing and documenting data processing workflows, tools exist within MyWorkDrive to search for files on Windows file shares, including Windows Search Service and, for larger organizations, dtSearch. The combination of data processing research, documentation, and discovery is the first step in protecting Windows file servers in any organization subject to the GDPR.
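The following PowerShell is an added example, not MyWorkDrive or Microsoft code: it scans a share for plain-text files that contain likely personal identifiers and reports locations and counts only, so the report does not itself become another copy of the personal data. The function name, the two patterns, and the sample folder are assumptions made for illustration; Office documents and other binary formats need an indexer such as the search tools named above.

```powershell
# Added example; the patterns, function name and sample files are constructed
# for illustration. Simple regexes like these give false positives and misses.
$Patterns = [ordered]@{
    Email = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
    IBAN  = '\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b'
}

function Find-PersonalDataCandidate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.txt', '*.csv', '*.log', '*.xml', '*.json'),
        [long]$MaxBytes = 20MB
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxBytes } |
        ForEach-Object {
            $file = $_
            foreach ($name in $Patterns.Keys) {
                $hits = @(Select-String -LiteralPath $file.FullName -Pattern $Patterns[$name] `
                        -CaseSensitive -ErrorAction SilentlyContinue)
                if ($hits.Count -gt 0) {
                    # Report location and counts only, never the matched values.
                    [pscustomobject]@{
                        File          = $file.FullName
                        Type          = $name
                        MatchingLines = $hits.Count
                        LastWrite     = $file.LastWriteTime
                    }
                }
            }
        }
}

# Constructed sample share content so the scan can be tried offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'pd-scan-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'crm-export.csv') -Value 'name,email,iban',
    'Erika Mustermann,erika@example.com,DE89370400440532013000'
Set-Content -Path (Join-Path $demo 'readme.txt') -Value 'No identifiers here.'
Find-PersonalDataCandidate -Path $demo | Format-Table -AutoSize
```

Run it under an account that has read access to the share and feed the output into the data processing register rather than treating it as a complete inventory.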
Protecting Personal Data on Windows File Servers
Once the data has been classified, you should have a comprehensive understanding of the type of data that you process and how the data needs to be protected. Consider how you are securing personal data currently (if at all) and make any necessary changes or put the necessary procedures in place. Protecting the privacy of personal data should be prioritized. It may be necessary to complete a Privacy Impact Assessment (PIA) of policies to evaluate the data life cycles and the potential impact on the privacy of the individual.
Emphasis should be placed on GDPR-specific requirements such as ensuring data portability, the right to be informed, the right to be forgotten, and the correct manner in which to destroy data. The necessary procedures and controls should be in place to support these rights for the personal data stored. Practices to secure data are needed for personal data in all forms and locations, including on premises and in the cloud, backed up data, archived data, and data being created. The security of entire data lifecycles must be addressed.
To protect personal data, companies can use various methods including encryption, anonymization, and pseudonymization. The method you use depends on the user’s permissions and access. Developing a file archive retention policy is essential so that files can be removed over time and therefore are no longer subject to compliance.
Microsoft has comprehensive resources for locking down GDPR Windows Servers to comply with GDPR, including credential and administrator privilege protections and securing the operating system to run your apps and infrastructure. In addition to the Microsoft resources to lock down Windows File Server operating systems, it is critical to secure systems to trusted networks, enable additional security measures such as Two Factor authentication when data is accessed remotely, and prevent downloads to unmanaged devices.
Much of this means basic stuff like turning up the system logs and perhaps various tools to collate and report on them, but equally where possible companies should consider implementing stuff like Data Leakage Prevention to monitor all the personal data being accessed whether on-premise or remotely.
From a MyWorkDrive perspective, protecting personal data on file shares can be as simple as excluding it from remote access entirely, or limiting access for specific shares to read and edit only in our Web File Manager client while restricting downloads utilizing our data loss prevention features.
Encryption During Transit
Protocols such as FTP servers built into Windows IIS do not comply with GDPR standards. Nor do older Windows VPN clients. MyWorkDrive adds additional protection during transmission to secure company data with high encryption, extensive logging, Two-factor authentication, and Data Loss Prevention features.
MyWorkDrive Server and clients fully support the TLS 1.2 standard to secure files, and companies can safely disable TLS 1.0 access. Our MyWorkDrive support article details how to disable insecure and weak ciphers to protect data during transit.
An additional step to protecting data in transit is to protect the operating system itself with firewall rules. MyWorkDrive itself can be run in a separate firewall zone that limits inbound and outbound ports to only those required for SMB shares, Active Directory and DNS traffic internally and HTTPS (SSL) traffic externally. Additional details on the ports needed for proper MyWorkDrive server firewall communication in a locked-down environment are available here.
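An added example, not taken from the MyWorkDrive support article: PowerShell that reports the server-side SCHANNEL protocol settings and disables TLS 1.0 through the standard SCHANNEL registry keys. The function names are hypothetical, and the code assumes an elevated session on the Windows server that terminates HTTPS.

```powershell
# Added example. Function names are hypothetical; the registry layout is the
# standard SCHANNEL one used by Windows Server.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerProtocol {
    param([string[]]$Protocol = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocol) {
        $key = Join-Path $SchannelRoot "$p\Server"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # A missing key or value means the OS default applies, which varies
        # by Windows version, so report that instead of guessing.
        $state = if ($v -and $null -ne $v.Enabled) {
            if ($v.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
        } else { 'OS default' }
        [pscustomobject]@{ Protocol = $p; ServerState = $state; Key = $key }
    }
}

function Disable-SchannelServerProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Protocol)
    foreach ($p in $Protocol) {
        $key = Join-Path $SchannelRoot "$p\Server"
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=0, DisabledByDefault=1')) {
            # Create the key only if absent so existing values are not wiped.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Review the current state, preview the change with -WhatIf, then apply it.
# A restart is required before the new protocol settings take effect.
Get-SchannelServerProtocol | Format-Table -AutoSize
Disable-SchannelServerProtocol -Protocol 'TLS 1.0' -WhatIf
# Disable-SchannelServerProtocol -Protocol 'TLS 1.0'
```

Confirm that every client still in use negotiates TLS 1.2 before applying the change, since older clients that only speak TLS 1.0 will no longer connect.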
Encryption at Rest
One way to limit this risk of GDPR violations is to encrypt data at rest; even if a breach were to occur, if the encryption key is not compromised, companies may be able to avoid the notification step.
The GDPR Report has a great article here which notes “In the event of data compromise or loss, if the organization is in full control of its own encryption keys, it can avoid the notification step altogether if the data is unreadable to the world outside the organization. In contrast, if the cloud or SaaS provider controls the keys and they are breached, then there is no way to be certain the organization’s data is safe – and notifications and fines ensue.” This includes files stored on GDPR Windows File Servers and Backups stored on-premise or in the cloud.
MyWorkDrive never stores any customer data, whether on-premise on the MyWorkDrive file web access server or when opened in Office 365 online. Companies can safely encrypt their data on Windows file shares without affecting remote access to MyWorkDrive files by using built-in Windows Server tools or utilizing third party vendors such as Sophos or Symantec.
From the MyWorkDrive server and client perspectives, users are accessing file shares in their user context just like they would with traditional mapped drives. The MyWorkDrive cloud file server converts local SMB file server traffic to HTTPS for the user to access files remotely, and adds additional logging capabilities and optional Two Factor authentication. In addition, since files can be accessed and edited directly without downloading, this minimizes the storing of files locally on end-user devices.
Enterprises can also enable MyWorkDrive data loss prevention features to prevent downloading and external sharing while still allowing viewing and editing of documents in a secure browser.
Monitoring and Reporting
Obviously, you can’t begin to move forward to meet the stringent GDPR notification requirements within 72 hours if you cannot detect the breach in the first place.
Data Access Requests: The GDPR includes explicit requirements for breach notification where a personal data breach means, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
MyWorkDrive includes extensive logging and search capabilities to report on access, modification or download that can be combined with centralized log management tools, GDPR Windows File Server reporting tools or third-party alerting tools such as File Audit Plus by Manage Engine, Netwrix Auditor or Quest’s Change Auditor for NetApp.
All MyWorkDrive access logs are in standardized XML format for ease of integration and reporting. Ipswitch additionally outlines best practices for event log management for security and compliance here.
This white paper is a commentary on the GDPR as MyWorkDrive interprets it as of the date of publication. The application of the GDPR is highly fact-specific, and not all aspects and interpretations of the GDPR are well settled. This white paper is therefore provided for informational purposes only and should not be relied upon as legal advice or to determine how the GDPR applies to you and your organization. We encourage you to work with a legally qualified professional to discuss the GDPR, how it applies specifically to your organization, and how best to ensure compliance. MYWORKDRIVE MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS WHITE PAPER. This white paper is provided "as is". Information and views expressed in this white paper, including URLs and other references to Internet websites, may change without notice. This document does not provide you with any intellectual property rights in any MyWorkDrive product. You may copy and use this white paper for your internal reference purposes only.