If there is one thing IT pros know about compliance it is that the rules get tougher and the enforcement tighter every single year. With GDPR, a sweeping new set of rules for companies that do business in Europe, and major changes to PCI DSS in the United States, 2018 will be no exception.
While these rules may seem a major burden for technologists, the benefits of being in compliance are a far more secure environment for your data, and fewer data breaches and criminal exploits. In fact, even companies that do not need to comply with regulations would be wise to move in the same spirit and tighten security in many of the ways these regulations demand.
PCI DSS and Two-Factor Authentication
PCI DSS, which regulates the use of credit cards and electronic payments, will undergo a major change by June of 2018 – the increasing need to apply two-factor authentication (2FA).
Under PCI DSS Requirement 8.3.1, multi-factor authentication (MFA) is required for all non-console administrative access into the Cardholder Data Environment (CDE). The end result is that MFA must be used by every administrator of CDE systems and devices.
Even without this new requirement, however, using MFA and 2FA in all security-sensitive areas is a worthy goal.
Another rule, Requirement 8.3.2, demands that MFA be applied to remote access to the CDE. This means workers must use MFA to connect to the internal network and under 8.3.1 use MFA to connect to the CDE system. Moreover, this authentication must be separate for each step of the connection and not reused.
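The two-step flow described above (an MFA check at the remote-access boundary under 8.3.2, then a separate MFA check into the CDE under 8.3.1, with neither factor reusable for the other step) as an added Python model; this is not code from the article or from Kaseya. The HOTP routine follows RFC 4226; the gate names, user name, secrets and counter values are constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class MfaGate:
    """One MFA checkpoint (network boundary or CDE). Each gate holds its own
    per-user secrets, so a code that passes one gate is not valid at the other,
    and every accepted code is recorded so it cannot be replayed at this gate."""

    def __init__(self, name: str, secrets: dict):
        self.name = name
        self.secrets = secrets            # user -> HOTP secret for this gate only
        self.consumed = set()             # (user, code) pairs already accepted

    def verify(self, user: str, code: str, counter: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None or (user, code) in self.consumed:
            return False                  # unknown user or replayed one-time code
        if not hmac.compare_digest(hotp(secret, counter), code):
            return False
        self.consumed.add((user, code))
        return True


def open_cde_session(network: MfaGate, cde: MfaGate, user: str,
                     network_code: str, cde_code: str, counter: int) -> bool:
    """8.3.2: prove a factor at the remote-access boundary; 8.3.1: prove a
    second, independent factor to reach the CDE. Both must succeed, in order."""
    if not network.verify(user, network_code, counter):
        return False
    return cde.verify(user, cde_code, counter)


# Constructed sample enrolment: distinct secrets per gate for the same admin.
NETWORK_GATE = MfaGate("vpn", {"admin": b"constructed-vpn-secret-0001"})
CDE_GATE = MfaGate("cde", {"admin": b"constructed-cde-secret-0002"})
```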
The Need for Documentation
IT infrastructure must change often to keep up with and stay in compliance with regulations. To prove these changes do not push the organization out of compliance, shops must document what has been done, and these changes must be applied in a fully compliant manner.
IT and service providers must document what constitutes a “significant change” and identify and document these changes using a change management system. Once a change is made, it must be proven safe and compliant through vulnerability scanning, penetration testing, and risk assessments.
Preparing for GDPR
The General Data Protection Regulation (GDPR) is a set of rules that mandates tougher data protection for citizens and companies in the European Union. While these stringent rules do not go into effect until May 25, 2018, MSPs and IT departments should already be preparing, and if they are not, get started quickly.
While GDPR seems to impact only companies operating in the European Union, it has broader implications, says one service provider. “Though GDPR is a European regulation, it impacts our business because we’re responsible for the data of our European customers,” said Mark Shaw, president, Stored Technology Solutions, Inc.
GDPR represents a sea change in how security is approached. The good news is that complying with GDPR makes your overall security much stronger – a huge added benefit. “Companies need to understand that this is a major reform in data protection law; it rethinks everything about data security,” said Joanne Bone, a partner at law firm Irwin Mitchell LLP, who advises businesses across all sectors on IT issues, with a specialization in data protection and GDPR.
“Any organization that thinks GDPR is a simple tweaking of data protection requirements is missing the scope of how this law will impact so many areas,” Bone said. “Given the breadth of the legislation, if you don’t start the process of looking at how you can be compliant early on, it will be much more painful and expensive later on.”
GDPR demands that companies notify customers of data breaches quickly and in a detailed manner. This requires deep visibility into systems, endpoints and the network. And that means leveraging a layered model to ensure the right technology solutions are being deployed.
Remote monitoring and management (RMM) enables IT pros to monitor and remediate applications, servers, workstations, and remote computers. Admins need to know quickly when problems arise or there is a change in system status.
Patch management helps prevent breaches and cyber-attacks, in particular a solution that automatically updates servers, workstations, and remote computers with patches and software updates.
The Kaseya GDPR Resource Center and Compliance Pack
The Kaseya GDPR Resource Center is a multi-faceted approach that helps MSPs and IT organizations understand, plan and build their compliance strategies. The center features a community portal where MSPs and IT pros share ideas, tips, and best practices – and can ask and answer each other’s questions. It also features compliance reports and technology to increase GDPR compliance.
The technology works as a free plugin to VSA, Kaseya’s RMM solution. IT teams, data compliance officers and data privacy officers can use it to:
- Discover all IT systems across their infrastructure to meet GDPR risk assessment requirements
- Audit the current state of their infrastructure and user accounts to identify vulnerabilities
- Update and patch operating systems and third-party software applications to mitigate and remediate IT issues
- Protect data against malware and viruses
- Continuously demonstrate compliance with GDPR requirements with the help of purpose-built reports
In the current environment, being able to show you are taking the necessary steps to keep your organization safe is critical. A solution that uses a layered model to capture the correct data makes it easy to prove you’re taking the right actions and offering proper protection. To learn more about how to select a layered solution that can be used in multi-faceted ways download “Compliance: How a Layered Approach Helps you Breeze through Audits.”