
What do Linux system administrators need to know about the GDPR?

April 11, 2019 by Daniel Dimov

Introduction

The General Data Protection Regulation (GDPR) is a European Union law that applies not only to EU companies, but also to all companies collecting and processing the personal data of EU residents. The sanctions for breaching the GDPR are enormous (up to $24 million or 4% of the annual global turnover, whichever is greater). It is not a coincidence that the U.S. top 500 companies are expected to spend $7.8 billion to comply with the GDPR.

In this article, we will provide a brief overview of the GDPR in the context of Linux system administration and discuss six steps Linux system administrators may take to comply with the GDPR.

A brief overview of the GDPR

The GDPR imposes strict obligations on organizations processing personal data. Those obligations include, but are not limited to:

  • Proving a legitimate basis for processing personal data
  • Sending timely notifications to data protection authorities in case of security breaches
  • Providing individuals with the right to access, manage and delete their data
  • Designing systems with proper security protocols (privacy by design)
  • Appointing data protection officers

The GDPR is technology-neutral. This means that it applies equally to users of Linux systems and users of systems using proprietary software. It contains broad terms which require system administrators not only to apply the law, but also to interpret it. For example, Article 1(f) of the GDPR states that personal data must be processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Terms such as “appropriate security of the personal data” and “appropriate technical and organisational measures” may be appropriate in the culinary arts (e.g., season to your taste with salt), but the field of law requires a specificity which is lacking in this case. To decrease the legal risks, system administrators need to adopt the strictest possible security, technical and organizational measures, thus ensuring that such measures will be considered “appropriate.”

Six steps Linux system administrators may take to comply with the GDPR

Below, we discuss six steps which Linux system administrators may take to comply with the GDPR, namely, extensive security scanning, putting in place reliable logging mechanisms, using network filters and firewalls, deploying solutions for managing software patches, adopting appropriate data deletion mechanisms and using strong passwords.

1. Extensive security scanning

It is certainly better to prevent a data breach than to fix it. The transparency and flexibility of Linux systems allow security administrators to easily detect and fix security vulnerabilities. Furthermore, many applications for Linux enable easy and high-quality security scanning.

Lynis is one example of such an application. It was created in 2007 by Michael Boelen. Although the application was created a long time ago, it is still effective. Lynis is able to measure the security defenses of a Linux system on a daily basis and propose recommendations for improvement of those defenses.

This provides organizations willing to comply with the GDPR with two benefits. First, by assisting system administrators to identify and address security vulnerabilities, Lynis decreases the chance of a data breach. Second, it provides administrators with a record indicating that they take daily measures to identify security vulnerabilities. Such a record may be used to prove to data protection authorities the existence of “appropriate technical measures” within the meaning of the GDPR.

2. Putting reliable logging mechanisms in place

The “appropriate technical measures” to which the GDPR refers are likely to include reliable logging mechanisms. Such mechanisms will allow system administrators to detect security breaches and understand the security vulnerabilities leading to those breaches. Although most Linux systems have enabled logging by default, it may be necessary to customize the logging settings in accordance with the needs of each particular organization. System administrators need to pay particular attention to logs indicating failed login attempts.
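As an added example (not part of the original article), the function below summarises failed SSH password logins per source address from sshd syslog lines. The sample lines are constructed, use documentation addresses, and assume the usual OpenSSH "Failed password for ..." message format.

```shell
#!/bin/sh
# Added example: count failed SSH password logins per source address.
# Reads sshd syslog lines on stdin and prints "COUNT ADDRESS" for every
# source with at least $1 failures (default 3), busiest first.
failed_logins() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        # Message tail: "... from ADDR port N ssh2". The user name is supplied
        # by the client, so the address is located by position from the end
        # of the line rather than by searching for the first "from".
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF - 4) == "from" && $(NF - 2) == "port" {
            count[$(NF - 3)]++
        }
        END {
            for (addr in count)
                if (count[addr] >= min) print count[addr], addr
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (not taken from a real system).
sample_auth_log() {
    cat <<'EOF'
Apr 11 09:14:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr 11 09:14:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr 11 09:14:06 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 40130 ssh2
Apr 11 09:15:10 web1 sshd[2220]: Accepted password for deploy from 192.0.2.10 port 51514 ssh2
Apr 11 09:16:42 web1 sshd[2231]: Failed password for alice from 198.51.100.23 port 33810 ssh2
Apr 11 09:17:00 web1 sshd[2240]: Failed password for invalid user from from 203.0.113.7 port 40140 ssh2
EOF
}

sample_auth_log | failed_logins 3
```

On a live system the same function can be fed from the distribution's authentication log or from `journalctl -u sshd`, depending on where sshd messages are stored.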

3. Using network filters and firewalls

Although most organizations use strong firewalls to protect against external attacks, they rarely filter traffic between systems in their internal networks. As a result, if a single system is compromised, attackers may be able to easily extend the attack to other systems within the same network group. A simple way to reduce data streams to the minimum possible extent is to use iptables on Linux systems.

In addition to reducing data streams, it is important to log sensitive data streams with the aim of allowing the detection of security vulnerabilities and data breaches. In relation to firewalls, system administrators are advised to keep their firewalls updated and regularly audit them.
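The two points above (allow only the flows a host needs, and log the rest) can be combined in one ruleset. The following is an added example, not from the original article: it turns an allowlist of inbound flows into a default-deny ruleset in iptables-restore format. The "SOURCE PROTO PORT" input format, the sample addresses and the `fw-drop: ` log prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example. Reads allowed inbound flows on stdin, one per line as
# "SOURCE PROTO PORT", and prints a default-deny ruleset for iptables-restore.
# Prints nothing and returns non-zero if any entry is malformed.
build_ruleset() {
    awk '
        function add(rule) { rules = rules rule "\n" }
        BEGIN {
            add("*filter")
            add(":INPUT DROP [0:0]")       # default policy: drop what is not allowed
            add(":FORWARD DROP [0:0]")
            add(":OUTPUT ACCEPT [0:0]")
            add("-A INPUT -i lo -j ACCEPT")
            add("-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # skip comments and blank lines
        # Shape check only; a bad entry aborts instead of yielding a broader rule.
        NF != 3 || $2 !~ /^(tcp|udp)$/ || $3 !~ /^[0-9]+$/ || $3 < 1 || $3 > 65535 ||
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            print "invalid flow, line " NR ": " $0 > "/dev/stderr"
            bad = 1; next
        }
        { add("-A INPUT -s " $1 " -p " $2 " --dport " $3 " -j ACCEPT") }
        END {
            if (bad) exit 1
            # Log packets about to hit the DROP policy; rate-limited to protect syslog.
            add("-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \"")
            add("COMMIT")
            printf "%s", rules
        }
    '
}

# Constructed sample allowlist for a database host.
sample_flows() {
    cat <<'EOF'
# application server may reach PostgreSQL
10.0.1.5 tcp 5432
# admin subnet may reach SSH
10.0.9.0/24 tcp 22
EOF
}

sample_flows | build_ruleset
```

The generated text can be checked with `iptables-restore --test` before it is loaded, and the list of allowed flows doubles as the document to review when the firewall is audited.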

4. Deploying solutions for managing software patches

Most Linux distributions include solutions for downloading and installing software patches. However, it is up to the security administrators to identify and deploy effective and reliable solutions. Only such solutions will likely be regarded as “appropriate” within the meaning of the GDPR. Red Hat Satellite is a good example of a high-quality patch management solution for Red Hat Enterprise Linux.

5. Adopting appropriate data deletion mechanisms

The GDPR requires organizations collecting and processing personal data to retain it only so long as there is a legitimate basis for doing so. Legitimate reasons may include, without limitation, (i) the processing is required by law, (ii) the processing is necessary for the legitimate interests pursued by the organizations processing personal data or (iii) the processing is based on the consent of the data subject. Hence, to comply with the GDPR, system administrators need not only to protect the personal data stored on their systems, but also to make sure that the personal data is securely deleted once there is no legitimate basis for retaining it.

6. Using strong passwords

The importance of strong passwords is widely known, so we will not reiterate it here. However, many systems still allow their users to choose weak passwords. To avoid this, system administrators can use modules such as pam_cracklib and pam_pwquality to require the use of strong passwords. Such modules are helpful because they enforce security rules by using technology, thus eliminating the human decision as to whether or not to use strong passwords.
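As an added example (not from the original article), the function below reads the content of a `pwquality.conf` file, the configuration used by pam_pwquality, and reports settings that fall below a baseline. The baseline of 12 characters and three character classes is an assumption of this example, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example. Reads pwquality.conf content on stdin and prints one line per
# setting that falls below a baseline. The baseline values (length 12, three
# character classes) are assumptions of this example, not GDPR requirements.
# Returns non-zero when at least one finding is printed.
audit_pwquality() {
    awk -v want_len=12 -v want_class=3 '
        {
            line = $0
            sub(/#.*/, "", line)          # drop comments
            gsub(/[ \t]/, "", line)       # "minlen = 12" -> "minlen=12"
            if (line == "") next
            eq = index(line, "=")
            if (eq) conf[substr(line, 1, eq - 1)] = substr(line, eq + 1)
            else    conf[line] = ""       # bare flag such as enforce_for_root
        }
        END {
            # Settings that are absent fall back to the libpwquality defaults.
            minlen   = ("minlen"    in conf) ? conf["minlen"]    + 0 : 8
            minclass = ("minclass"  in conf) ? conf["minclass"]  + 0 : 0
            dict     = ("dictcheck" in conf) ? conf["dictcheck"] + 0 : 1
            if (minlen < want_len)     { print "minlen=" minlen " (want >= " want_len ")"; bad++ }
            if (minclass < want_class) { print "minclass=" minclass " (want >= " want_class ")"; bad++ }
            if (dict == 0)             { print "dictcheck=0 (dictionary check disabled)"; bad++ }
            if (!("enforce_for_root" in conf)) { print "enforce_for_root not set (root can bypass the policy)"; bad++ }
            exit (bad > 0)
        }
    '
}

# Constructed sample: a configuration that still permits weak passwords.
sample_weak_conf() {
    cat <<'EOF'
# /etc/security/pwquality.conf (constructed sample)
minlen = 8
dictcheck = 0
EOF
}

sample_weak_conf | audit_pwquality || echo "password policy is below the baseline"
```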

In addition to strong passwords, it is advisable to use two-factor authentication (i.e., the use of two different forms of authentication). The first form of authentication can be a username and a password, while the second form can be a token generated on a mobile phone. For instance, Google Authenticator PAM, an authentication module that uses the Google Authenticator app, can be used with SSH and other forms of authentication.

Conclusion

Regarding GDPR compliance, Linux systems have a major advantage compared with their proprietary counterparts. This advantage relates to the transparency and flexibility of Linux, which, in turn, provide for easy detection and remediation of data breaches and of the security vulnerabilities that may lead to such breaches. But despite their advantages, Linux systems are not ready-made solutions to comply with the GDPR. They require customization to ensure GDPR compliance.

As discussed in this article, system administrators can enhance their GDPR compliance by following the six steps described above. First, they can install security scanning applications that will check the security status of their systems on a daily basis. Second, the use of reliable logging mechanisms will ensure that all security events are well recorded and available for inspection. Third, the use of firewalls and network filters will provide protection against external and internal threats. Fourth, automated solutions for managing software patches will ensure that security vulnerabilities will be fixed soon after being discovered by the security community. Fifth, the GDPR is not only about protection, but also about deletion. Therefore, data deletion mechanisms are strictly necessary to ensure compliance with the GDPR. Sixth, although there is hardly a system administrator who does not know the importance of strong passwords, there are still those who allow the users of their systems to choose weak passwords. The installation of proper modules will quickly eliminate the possibility of entering weak passwords.

 


Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.