
Ensure GDPR data protection with detailed IT and software asset management

    The implementation of the EU General Data Protection Regulation (GDPR) is currently an issue in almost every company. Software Asset Management (SAM) supports companies in meeting the GDPR requirements for data protection, purpose limitation, data minimization and documentation.

    The legislature granted a two-year grace period for transferring the GDPR data protection requirements into company processes. This will expire on 25 May 2018. It is high time to implement appropriate measures for the processing and protection of personal data. This task goes far beyond HR or CRM applications. Companies – and ultimately the IT department – are required to keep all systems under control, since data protection and data security can only be guaranteed if every IT asset is known and the software lifecycle of discovery, software distribution, and patch management is automated as much as possible.

    GDPR data protection: Patching is a Prerequisite

    Article 32 of the GDPR describes the fundamental principle of data processing security. Companies, as well as their processors, are obliged to take appropriate technical and organisational measures. Protection mechanisms such as firewalls, antivirus software, and data encryption are not sufficient for this, because outdated and unapproved software is a widespread vulnerability. It is only with automated patch and update management, such as that provided by a holistic SAM solution, that companies keep all applications up to date and effectively prevent potential data loss due to cyberattacks.

    The amount of work required for patching can be further reduced if the SAM solution provides fully packaged software updates for direct distribution. As a result, vulnerabilities caused by outdated patch and release statuses do not arise in the first place. In addition, Article 32 recommends the pseudonymization of user data to protect it. A suitable software and asset management tool also offers this capability for personal data in licensing and IT service management.

    Know What to Protect

    Continuous patch and update management requires an overview of all hardware and software used in the company. Here too, a solution for software and asset management helps. It inventories all devices within a network, including their configuration and all installed programs. For mobile devices, reading out the configuration is especially important, for example, to determine whether the hard drive is encrypted – a must for security.

    For complete and regular recording, it is necessary to combine several inventory methods: agentless or agent-based, via manufacturer API, services, remote access, scripts or SNMP. In addition, the tool must identify which devices are accessing terminal and Citrix servers and which receive an IP address from the DHCP server infrastructure. After the inventory is taken, it is automatically compared with the inventory of authorized devices. Unknown devices are thus uncovered at the touch of a button and can be added – if permitted – to the list of released devices.

    A sophisticated solution must also be able to match the installed software against a security database on a daily basis and list any potential risks. Ideally, the employee responsible can carry out the software distribution or uninstall non-authorized applications directly from the overview. Automated software distribution is therefore another compelling part of an effective security strategy. This is the only way to protect all applications – licensed and license-free – so that they are always updated, GDPR-compliant, and protected in the best way possible.

    Limit Data Access for GDPR data protection

    Another key principle is Article 5 of the GDPR. It describes data minimization and purpose limitation; this means that companies are only allowed to collect and process as much data as is actually needed. In addition, the data may only be used for the purpose for which it was collected. This affects IT's authorization management, among other things. Only the employees who need the data should have access to it. For the verification of rights, a suitable solution provides evaluations for all users, with a representation of the folder shares on all file servers. On this basis, access to sensitive data about employees, customers or suppliers can be presented transparently, regularly checked and, if necessary, restricted promptly and preventively. This, in turn, strengthens cybersecurity.

    Documentation is Mandatory

    In Article 30, the GDPR requires proof of the legality of the processing of personal data, the so-called list of processing activities. This must, among other things, provide information on which applications store and process personal data and which company processes use this data. It is also necessary to classify whose data is processed, such as that of employees, customers or suppliers.

    The basic requirement for the creation of the processing directory is therefore the complete identification of all applications used. Ideally, a modern SAM solution also offers the opportunity to fully classify the entire software portfolio. From this, a large part of the processing directory prescribed in the GDPR can then be generated at the touch of a button whenever required. To comply with documentation requirements, additional automated documentation of the data retention of user information and permission roles is also helpful.

    The four core SAM elements (discovery, automation, cybersecurity and compliance) not only relieve the day-to-day business of IT, they also make it easier for companies to fulfil their ongoing obligations under the GDPR. This makes SAM the foundation of efficient GDPR implementation.

    Author: Benedikt Gasch, CTO, DeskCenter Solutions AG
