Today is May 25, 2017 – we are exactly one year away from the implementation of the most stringent privacy regulation ever enacted – the European Union’s General Data Protection Requirements (GDPR)! Are you ready? If you collect data from EU residents or just process this data, you will be required to protect that data at all times, and to demonstrate that data protection measures are designed into the development of your applications and databases. Fines are imposed irrespective of the damage it causes, a first in privacy regulation.
One of the key elements of GDPR is the requirement that data protection for applications and databases is to be implemented ‘by design and by default’ (Article 25). As customers move to a DevOps model to deliver applications that interact with their customers, there are two critical areas that need to be addressed to ensure GDPR readiness. First, every enterprise needs a data encryption solution that works during the determination of the means of processing and at the time of processing itself. This implies that data has to be protected ‘in use’ at the application layer – another first for any type of privacy or security regulations. Second, enterprises must minimize or eliminate access to sensitive data and encryption keys by DBAs, and network and storage administrators by allowing all database queries to be executed on encrypted data without increased complexity or significant impacts to performance.
Baffle makes it easy to implement and monitor encryption policies across all databases and applications while ensuring that data is encrypted both at rest and in process in the database.
Baffle’s encryption solution will centrally and systematically implement application level encryption for any application that is subscribed to it. This encryption service requires no development work required by the DevOps team. Once implemented, data is always encrypted in the database and all queries are executed in the database on encrypted data. Since only the application owner has access to encryption keys and clear-text data, any breach of admin credentials will not result in a data breach that would trigger GDPR reporting, investigation or fines.