0

With the GDPR (General Data Protection Regulation of the EU) comes the necessity for many companies to store certain personal data (CVs, certificates, passport copies, etc.) centrally and encrypted. The data is available e.g. as Word or PDF files, in our case altogether 2000-3000 files distributed across 10-15 directories.

The filing must take place encrypted, to also prevent IT administrators from accessing it, and centrally, so that the information or deletion requests of affected persons can be followed.

That means that only a few people must be able to see/delete all data in the encrypted folder, whilst others only have access to their data stored in subfolders.

How can these requirements be fulfilled with a system, if possible with on-board means from Windows Server or a simple software?

According to my research, EFS or BitLocker are not usable, because either the rights can only be set on single files or no different rights within a container are provided.

I am very grateful for suggestions.

schroeder
  • I would question the opinion that GDPR says that even IT admins cannot access the files. In order to maintain availability (a GDPR requirement), admins need access and to be able to monitor. Logging and monitoring access is important. – schroeder May 29 '19 at 10:55
  • @schroeder: The problem is that in our organization admins from countries with weak data protection laws also have Domain Admin rights, so for instance somebody from China may access the data. The GDPR auditor judges this as not compliant. – gebrerv May 29 '19 at 12:55
  • Understood. Then you don't want anything on the file system. You need another management layer. – schroeder May 29 '19 at 13:56

2 Answers

1

Solution-1 Enterprise & The Right Way

Check the steps listed below.

  • Prepare your information classification (public, private, internal only, etc.)
  • Define which type of data will be at which classification level
  • Define the permission strategy: define how you will identify who can do what to which document (object/subject/action matrix)
  • Deploy file sharing software; it can be either an embedded sharing solution that comes with the OS or a 3rd-party tool.
  • Prepare user / user group directories and set the permissions
  • Be sure you have logs of file actions on the server / application (for example, Windows does not store file action logs by default; the "Audit object access" feature can give you the log)
  • Deploy a disk / file encryption solution; most of them encrypt the whole system and only give decryption rights to authorized users.
  • Deploy a DLP solution and monitor activities at clients (and of course servers, network traffic, etc.)
  • Deploy a SIEM solution, collect all of the logs and then correlate them with each other.

Solution-2 Targeted // Just Wanna Be Compliant

Check the OwnCloud tool (it has an open-source version) or something similar. It is easy and stable, and it is compliant with GDPR; you can check that at https://owncloud.com/gdpr/.

alnbhclyn
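The permission and "Audit object access" steps from the list above, sketched with Windows Server on-board tools as an added example (not part of the original answer). The path D:\HRVault, the CONTOSO domain, the GDPR-Officers group and the user accounts are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed names: D:\HRVault, CONTOSO\GDPR-Officers, CONTOSO\alice, CONTOSO\bob.
$Root     = 'D:\HRVault'
$Officers = 'CONTOSO\GDPR-Officers'   # the few people who may see/delete everything
$Owners   = @{ alice = 'CONTOSO\alice'; bob = 'CONTOSO\bob' }   # subfolder -> account (constructed)

$System   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')  # LocalSystem
$Everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')   # Everyone
$Inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp   = [System.Security.AccessControl.PropagationFlags]::None

function New-AllowRule($Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $NoProp, 'Allow')
}

# Root: stop inheriting from the drive, keep only the officers group and SYSTEM.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)     # protected; inherited ACEs are not copied
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$acl.AddAccessRule((New-AllowRule $Officers 'FullControl'))
$acl.AddAccessRule((New-AllowRule $System 'FullControl'))
Set-Acl -Path $Root -AclObject $acl

# Subfolders: inherit the root rules, plus Modify for the one person the data belongs to.
foreach ($name in $Owners.Keys) {
    $dir = Join-Path $Root $name
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $sub = Get-Acl -Path $dir
    $sub.AddAccessRule((New-AllowRule $Owners[$name] 'Modify'))
    Set-Acl -Path $dir -AclObject $sub
}

# Auditing: enable the "File System" subcategory of object access, then add a SACL
# that logs reads, writes, deletes and permission/ownership changes by anyone.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$sacl  = Get-Acl -Path $Root -Audit
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Everyone, 'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership',
    $Inherit, $NoProp, 'Success, Failure')
$sacl.AddAuditRule($audit)
Set-Acl -Path $Root -AclObject $sacl
```

NTFS permissions alone do not stop an administrator who can take ownership of the folder; the SACL records such an attempt in the Security log (events 4663 and 4670), which is what the SIEM step would collect.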
0

The best answer is to use a proper file repository system and not the bare operating system's file system to do what you want. In short: you want a database.

A database will encrypt, offer granular access controls, and provide logging. It also permits as much metadata as you would like so that permissions, file retention periods, and granular processing permissions can be applied to the files, too.

schroeder