Searching the web, I did not find any useful information or best practice concerning GDPR compliance of a XAMP or more specifically a Yii web application.
GDPR is the biggest shake-up in European data protection legislation for 30 years. Organizations have less than two years to ensure that their data protection processes are compliant. Most organizations will struggle to meet the May 25, 2018 deadline.
Although the General Data Protection Regulation (GDPR) is not prescriptive, it suggests the use of encryption and pseudonymization as approaches to protect sensitive data, but that leaves many questions.
My first impression is that a lot of procedures have to be put in place but on the IT side, they recommend encryption for:
-
data at rest (data that is not actively moving from device to device or network to network such as data stored on a hard drive, laptop, flash drive, or archived/stored in some other way)
-
data in transit or data in motion (data actively moving from one location to another such as across the internet or through a private network)
Encryption plays a major role in data protection and is a popular tool for securing data both in transit and at rest:
-
For protecting data in transit, enterprises often choose to encrypt sensitive data prior to moving and/or use encrypted connections (HTTPS, SSL, TLS, FTPS, etc) to protect the contents of data in transit.
-
For protecting data at rest, enterprises can simply encrypt sensitive files prior to storing them and/or choose to encrypt the storage drive itself.
My questions:
-
is https with a selfsigned letsencrypt certificate enough to secure data in transit ?
-
has anyone a best practice or a howto for encrypting data stored in MySql/MariaDB to secure data at rest ?
-
data access and changes have to be logged, is there any Yii or Mysql extension which can take care of this ?
-
what about apache logs?