General Data Protection Regulation in Review
Unless you have been living under a rock, it is pretty likely you will have heard of something called the General Data Protection Regulation, or GDPR!
As a Director of a company I am responsible for ensuring we are GDPR compliant, and this article shares my view and findings as well as information I have found useful. As a Microsoft partner and user of Microsoft technology, I have looked at how we can leverage the tooling available in our licensing agreement to meet the criteria set.
If you are like me, you are probably being told no end how GDPR marks the end of the world on May 25th 2018 if you haven’t purchased “Placeholder for a Vendor’s Software.”
Technology can help enable your GDPR journey; however, it is critical to point out that user awareness and business processes will be the key to achieving compliance.
There are a few blogs from the ICO on myth busting, with some interesting comments and sources that help give a feel for the viewpoint of the regulatory body looking to enforce this.
One myth on which the ICO is, in my view, taking a pretty unrealistic outlook is that GDPR is only an ‘evolution’, not a ‘revolution’, in the regulation protecting citizens’ data. Though technically this view is accurate when compared to the previous Data Protection Act (DPA), the practical reality is that the DPA has been so badly enforced that most organisations don’t truly understand the rules as they already are. As a result, many organisations haven’t got the kind of processes and systems in place to manage their data effectively.
Therefore, for many organisations GDPR does represent a revolution in their data management; time, money and resource will need to be aligned to address GDPR effectively. The challenges are further compounded by every man and his dog claiming to be an expert and introducing potentially wide-reaching requirements, but get five of them in a room and you will likely get five different views.
To this end, and erring on the side of caution, I will work to align some core established good practices as a starting point, and provide you with a foundation that you can build on quickly to be ready for GDPR when it becomes mainstream.
Here are some regulations that we at PowerON are starting with first:
- https://www.cyberaware.gov.uk/cyberessentials/ – good starting point and applies to most organisations and costs for accreditation are not high
- https://www.iso.org/isoiec-27001-information-security.html – a more comprehensive International Standard that more closely represents the foundation that will support developing your systems and processes to meet GDPR
Below is a nice visualisation from the ICO that, although light in detail, does provide a top-level project workstream checklist for you to use to plan your approach.
From the above there are a few items that are potentially challenging tasks, though all represent a reasonable amount of work to be undertaken. For this article, we are going to focus on:
- 2 – Information you Hold
- 9 – Data Breaches
- 10 – Data Protection by Design
The classification of data is a particularly challenging requirement, as working through the data you hold and maintain carries a significant set of requirements.
When talking to customers and promoting to internal teams, I like to play a video that reminds us that we can have the best systems in the world, but user error will also have to be expected and planned for.
We look at this in terms of focusing on areas that achieve the following from our processes and enabling technologies:
- Intuitive to the user – When layering in extra security, restrictions naturally follow. The more we can introduce these controls in a way that feels natural to a user, the greater the engagement and the likelihood of users working with, rather than against, the systems.
- Protection at source – If we work on the basis that users will make mistakes and factor these scenarios in, then following a breach the likelihood of it having a material impact will be mitigated, and thus the likelihood of fines and sanctions reduced.
Though many of the requirements are process-oriented, PowerON are adopting several of the technologies from the Microsoft 365 E3 suite currently in our licence agreement, and stepping up selective components of the advanced E5 suite, to achieve the above.
By adopting a practical view of focusing on areas that are initially quick to enable but provide good core security, we decided to start with the below. These systems can be up and running in relatively quick order and are broadly applicable to most organisations. They provide a solid and broad level of protection, giving you a good baseline to build your data protection on.
- Azure AD Premium P1 – This provides a solid group of capabilities with a natural user experience for setting up:
  - Conditional Access – Address how users can access your environment and when to allow, prevent or require additional security for access
  - Multi-Factor Authentication – Add strong authentication to a wide range of access scenarios and leverage user experiences such as text message or a smartphone app
  - Azure Security Centre – Get visibility of potentially compromised user credentials and impossible access scenarios, such as accessing from London and then, within 5 minutes, trying to access from China
- Intune MAM – If we keep focus on the primary principle of data security, then leveraging Microsoft Intune for Mobile Application Management without the need to enrol the user’s device means we can implement data security whilst not interfering with the user’s device. This means we do not need to significantly change our IT guidelines for using personal devices.
- Azure Information Protection (AIP) E3 – What I commonly refer to as protection at source is where we leverage digital tagging and encryption of documents so we have confidence that our protection is persistent across all our documentation. If we are in the position of not having defined data security policies for documents, then we can take the stance of putting a base level of encryption on all documents so that only authorised individuals can access them. Microsoft is further easing the sharing of these documents externally by allowing personal credentials to be used, streamlining the user experience for access.
- AIP E5 – Whereas the E3 version of AIP is very powerful and comes with the full document protection capabilities, it is open to misuse by employees not following our internal policies and procedures. For me, the major driving factor for pushing coverage to the E5 advanced version of AIP is that it adds the capability for smart tagging, where the system looks at documents as they leave the environment, identifies whether any content matches identifiable markers for Personally Identifiable Information (PII), other restricted content types or custom markers, and applies your security controls automatically. This makes the usage far more practical and helps reduce the potential for user mistakes.
- Windows Information Protection – A feature of Windows 10 Enterprise that allows us to extend Information Protection policy management to the device level. This way, when a user who uses OneDrive as their My Documents folder, for example, tries to move a document to the local device or to removable media, and so out of the corporate-controlled areas, document protection is applied automatically.
- Credential Guard – Another security feature introduced in Windows 10 for modern devices with TPM 2.0 hardware support. It provides deeper security for user credentials by separating the user’s credentials at a hardware level, meaning that if a user does have their login compromised, the attacker can’t gain access to all the other passwords stored on the device.
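The impossible-travel check described in the Azure Security Centre bullet above, as an added worked example that is not from the original post or from Microsoft’s product: it pairs each user’s consecutive sign-ins and flags any pair whose implied travel speed exceeds a plausible threshold. The sign-in events, city coordinates and the 1,000 km/h threshold are constructed assumptions for illustration.

```python
import math
from datetime import datetime

# Constructed sample sign-in events (not real log data):
# (user, UTC timestamp, city, latitude, longitude)
SIGN_INS = [
    ("alice", "2018-05-01T09:00:00", "London",   51.5074,  -0.1278),
    ("alice", "2018-05-01T09:05:00", "Shanghai", 31.2304, 121.4737),
    ("bob",   "2018-05-01T08:00:00", "London",   51.5074,  -0.1278),
    ("bob",   "2018-05-01T20:30:00", "New York", 40.7128, -74.0060),
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, speed_kmh) for each pair of
    consecutive sign-ins by the same user that implies travel faster than max_kmh."""
    by_user = {}
    for user, ts, city, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), city, lat, lon))
    alerts = []
    for user, rows in by_user.items():
        rows.sort()  # chronological order per user
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(rows, rows[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Two places at the same instant is infinitely fast, so flag it too.
            speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, c1, c2, round(speed)))
    return alerts


if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SIGN_INS):
        print(f"ALERT {user}: {src} -> {dst} implies {kmh} km/h")
```

Real sign-in data would come from your identity provider’s logs with the geolocation it already attaches; the threshold and a tolerance for VPN egress points are policy decisions to tune before alerting on them.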
While the above is not meant to be comprehensive protection for GDPR, these enabling technologies are relatively quick to set up and offer pretty robust data protection. This will help significantly reduce the likelihood of a breach and, if you do suffer one, it should not represent a risk to people’s rights and freedoms, which is the point at which you would be subject to fines and sanctions.
As mentioned at the beginning of the blog these technology solutions are enablers to your GDPR journey but the crux of achieving GDPR compliance will be:
- Introducing and evolving your Data Management and Security Policies and Procedures around PII data
- User awareness and training are critical, as your users are the most likely initiator of a breach; even the best users make mistakes
As a follow up to this article PowerON will be running a series of blogs and webinars over the coming months. They will further expand on the practical information above and address certain scenarios you will likely face. Furthermore, we will provide more advanced scenarios for organisations with teams that have more dedicated resource to perform threat analysis and diagnostics.
Thank you for reading and do just drop any questions through if you would like more info or clarity on any points made.
Phil Mercer – Technical, but not the Techy 😊