As you probably know by now, the GDPR is coming into full effect on May 25, 2018, and constitutes the most significant change to European Union (EU) privacy law in two decades. It is designed to replace the Data Protection Directive (DPD) that came into force in 1995 when web technology was nowhere near as advanced as it is today.
The GDPR applies to all organisations handling the data of EU citizens and will be unaffected by Brexit, because the UK will still be a member of the EU when the regulation comes into effect.
So, how will GDPR affect your auditing strategy? There are numerous things you are going to need to audit more stringently to comply with GDPR, and they cannot all be listed here. However, here are 5 things you need to be able to produce reports on when it comes to Active Directory specifically:
1. Object Modifications
You need to be able to produce reports on when Active Directory objects are modified in any way, including copying, removal and renaming. This is to ensure the security of personal information by protecting it against unauthorised changes.
2. Logon and Logoff Activity
In order to determine whether Active Directory is being accessed unlawfully, administrators need to be able to produce detailed logon and logoff reports. Such reports should show successful logons, failed logons, users logged on to multiple computers and more. This reporting will help you determine whether someone is trying to gain unauthorised access to your Active Directory.
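As an added example (not code from this article or from LepideAuditor), the following PowerShell builds the logon views described above from Security event IDs 4624 (successful logon) and 4625 (failed logon); the event property index positions it uses are assumptions to verify on your Windows version.

```powershell
# Added example, not part of the original article.
# Assumed property indexes: TargetUserName = 5 in both events,
# IpAddress = 18 for 4624 and 19 for 4625. Verify on your OS build.

function ConvertFrom-SecurityLogonEvent {
    # Flattens a raw EventLogRecord into the few fields the report needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $ipIndex = if ($Event.Id -eq 4624) { 18 } else { 19 }
        [pscustomobject]@{
            Id       = $Event.Id
            Time     = $Event.TimeCreated
            Computer = $Event.MachineName
            User     = $Event.Properties[5].Value
            SourceIp = $Event.Properties[$ipIndex].Value
        }
    }
}

function Get-LogonSummary {
    # Turns flattened records into the views the article asks for.
    param([Parameter(Mandatory)] [object[]] $Records, [int] $FailureThreshold = 5)
    $ok   = $Records | Where-Object Id -eq 4624
    $fail = $Records | Where-Object Id -eq 4625
    [pscustomobject]@{
        SuccessfulByUser = $ok   | Group-Object User | Select-Object Name, Count
        FailedByUser     = $fail | Group-Object User | Select-Object Name, Count
        # One account active on several computers: shared credentials or lateral movement.
        MultiComputerUsers = $ok | Group-Object User |
            Where-Object { @($_.Group.Computer | Sort-Object -Unique).Count -gt 1 } |
            ForEach-Object { [pscustomobject]@{ User = $_.Name; Computers = @($_.Group.Computer | Sort-Object -Unique) -join ', ' } }
        # Accounts whose failure count reaches the threshold: candidates for a real-time alert.
        FailureAlerts = $fail | Group-Object User | Where-Object Count -ge $FailureThreshold | Select-Object Name, Count
    }
}

# Constructed sample records, shaped like ConvertFrom-SecurityLogonEvent output.
# On a live domain controller replace them with:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddDays(-1)} |
#       ConvertFrom-SecurityLogonEvent
$sample = @(
    [pscustomobject]@{ Id=4624; Time=(Get-Date); Computer='DC01'; User='alice'; SourceIp='10.0.0.5' }
    [pscustomobject]@{ Id=4624; Time=(Get-Date); Computer='FS01'; User='alice'; SourceIp='10.0.0.5' }
    [pscustomobject]@{ Id=4625; Time=(Get-Date); Computer='DC01'; User='bob';   SourceIp='10.0.0.9' }
)
$summary = Get-LogonSummary -Records $sample -FailureThreshold 1
$summary.MultiComputerUsers | Format-Table
$summary.FailureAlerts      | Format-Table
```

Logon events are written to each computer's own Security log, so the multi-computer view only becomes useful once events from domain controllers and member servers are collected centrally (for example via Windows Event Forwarding).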
3. Users and Computers
Users and computers both need to be audited in more depth, including creation, deletion, modification, user password resets and more. The purpose of this is to ensure that you know of any changes to users and computers that could affect data access – particularly when it comes to sensitive data.
4. Permissions
It is vital that you are able to produce reports on the current permissions on an object and on permission modifications, and to compare permissions between two points in time. Real-time alerts and reports on these changes will enable you to determine whether you are maintaining a least privilege policy or are at risk of privilege abuse. You need to make sure that your users only have the levels of permission their job requires, nothing more.
5. Group Policy
The GDPR will require you to be able to report on all aspects of Group Policy change activity, including creation, deletion, renames and modifications. This is to ensure that there are no unauthorised changes taking place that go unnoticed affecting the Group Policies attached to sensitive data.
There are many more facets of Active Directory that you will have to audit that are not included in this article, and many servers other than Active Directory will need to be audited too – including File Server, Exchange Server and SQL Server. In order to meet these stringent requirements, it’s likely you will need to deploy a third-party change auditing solution, such as LepideAuditor. Such solutions come with pre-defined reports that will help you meet aspects of the GDPR requirements, as well as helping you to improve the overall security of your systems and data.