Life Sciences

Navigating GDPR Compliance on AWS

Issue link:

Contents of this Issue


Page 23 of 31

Amazon Web Services Navigating GDPR Compliance on AWS 19 Protecting your Data on AWS Article 32 of the GDPR requires that organizations must "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including …the pseudonymisation and encryption of personal data…". In addition, organizations must safeguard against the unauthorized disclosure of or access to personal data. Encryption reduces the risks associated with the storage of personal data because data is unreadable without the correct key. A thorough encryption strategy can help mitigate the impact of various security events, including some security breaches. Encrypt Data at Rest Encrypting data at rest is vital for regulatory compliance and data protection. It helps to ensure that sensitive data saved on disks is not readable by any user or application without a valid key. AWS provides multiple options for encryption at rest and encryption key management. For example, you can use the AWS Encryption SDK with a customer master key (CMK) created and managed in AWS Key Management Service (AWS KMS) to encrypt arbitrary data. Encrypted data can be securely stored at rest and can be decrypted only by a party with authorized access to the CMK. As a result, you get confidential envelope-encrypted data, policy mechanisms for authorization and authenticated encryption, and audit logging through AWS CloudTrail. Some of the AWS foundation services have built-in encryption at rest features, providing the option to encrypt data before it is written to non-volatile storage. For example, you can encrypt Amazon Elastic Block Store (Amazon EBS) volumes and configure Amazon Simple Storage Service (Amazon S3) buckets for server-side encryption (SSE) using AES-256 encryption. Amazon Relational Database Service (Amazon RDS) also supports Transparent Data Encryption (TDE). Another method for encrypting data on Linux EC2 instance stores is using built-in Linux libraries. This method encrypts files transparently, which protects confidential data. As a result, applications that process the data are unaware of the disk-level encryption. You can use two methods to encrypt files on instance stores. The first method is disk encryption, in which the entire disk, or block within the disk, is encrypted using one or more encryption keys. Disk encryption operates below the file-system level, is operating-system agnostic, and hides directory and file information, such as name and

Articles in this issue

Links on this page

view archives of Life Sciences - Navigating GDPR Compliance on AWS