AWS for Industries

Secure Your CPG Data in the Cloud with AWS and Baffle

Many consumer packaged goods (CPG) companies have been eyeing a move into the direct-to-consumer (DTC) space as a way to boost sales, increase market share, and get closer to consumers. This shift to a DTC model means that most CPGs need to collect first-party data and, in many cases, overhaul or transform their website and processes to accommodate the very different demands of DTC sales.

Collecting, maintaining, and securing first-party customer information is vital to successfully launching a DTC sales model. In this blog post, I’ll cover data storage in the cloud, AWS data storage services, and an offer from Baffle, an AWS Technology Partner that provides advanced data protection for lift-and-shift application migrations to AWS.

Scalable Data Storage in the Cloud

As part of any digital transformation, whether for DTC sales or a broader strategic cloud transformation effort, moving data assets from on-premises storage to the cloud is a key consideration. Here are data storage services offered by AWS:

Amazon Simple Storage Service (Amazon S3)
This is an object storage service that allows CPGs to store and protect any amount of data for a variety of use cases, including websites, data lakes, mobile applications, backup and restore, archives, enterprise applications, IoT devices, and big data analytics. Amazon S3 offers industry-leading scalability, data availability, security, and performance. It provides easy-to-use management features so you can organize your data and configure finely tuned access controls to meet your specific business, organizational, and compliance requirements.

Amazon Relational Database Service (Amazon RDS)
With just a few clicks, your IT team can set up, manage, and scale a relational database in the cloud on a number of different database engines, including Amazon Aurora, Amazon RDS for SQL Server, and Amazon RDS for MariaDB. Amazon RDS allows you to automate administrative tasks like hardware provisioning, database setup, patching, and backups, so your IT team can focus on more valuable projects. With AWS Database Migration Service, you can easily and quickly migrate your existing database to Amazon RDS.

Amazon Redshift
This fully managed data warehouse service is ideal for the storage and analysis of petabyte-scale datasets. Many CPGs also use Amazon Redshift for large-scale database migrations. With SQL, you can combine and analyze structured and semi-structured data from an Amazon Redshift data warehouse with an operational database and data lake, and you can save the query results back to your Amazon S3 data lake for additional analysis.

AWS Data Encryption Capabilities

Many CPGs want or need to encrypt data (for example, highly sensitive point-of-sale transaction information from DTC sales or distribution partners). Depending on your needs and in-house capabilities, AWS provides these encryption options:

  • AWS Key Management Service (AWS KMS) allows you to create and manage data security keys across your AWS services and with your applications.
  • Bring your own keys (BYOK) tools help you store your own encryption keys for data protection at rest or in motion.
  • Third-party security solutions are available from vetted AWS partners.

Data-centric Security with Baffle Data Protection Services

On the other hand, your CPG company might require more stringent security measures where you tokenize, encrypt, or mask data at the file, column, or row level because your data is commingled with information from suppliers or third-party vendors on shared data stores. Or perhaps you need to secure data before it’s stored in a fully managed cloud database service like Amazon RDS or Amazon Redshift. Your company might also want to hold your own keys (HYOK) so that AWS is not involved in the encryption process at all.

With any of these data-centric security scenarios, a typical at-rest, container-based, or object-level encryption method isn’t sufficient. You need a more robust security solution, one that usually requires application code modifications or key management integration. However, these data-centric encryption solutions can be challenging to implement at scale, leaving gaps in your security posture.

That’s where Baffle Data Protection Services (Baffle DPS) comes in. With Baffle DPS, you can tokenize, encrypt, and mask data in Amazon S3, Amazon RDS, and Amazon Redshift at the file, column, or row level without modifying application code. Baffle DPS also works with the three different key encryption options: AWS KMS, BYOK, and HYOK.

Baffle DPS allows CPG companies to secure data on the fly as they’re migrating data to the AWS Cloud, which can greatly accelerate the data transfer process, especially as part of a digital transformation project or a DTC sales initiative. It also supports any data schema, which gives you the flexibility to configure data privacy policies that suit your company’s needs. Also, your IT team won’t need to create multiple clones or manipulate data.

Reference architecture for Baffle DPS on AWS

Because Baffle DPS supports secure computation on deidentified data, your business analysts and data scientists can access data for in-depth analysis and reporting without compromising security or breaking business processes.

If you want more information about Baffle DPS on Amazon RDS, be sure to read the blog post “How to Tokenize and De-Identify Your Data in Amazon RDS with Baffle,” and look for our blog post about Baffle DPS on Amazon Redshift. Until then, you can read the press release “Baffle Adaptive Data Security Expands to Amazon Redshift Data Warehouses” for more information.

Baffle DPS is available on AWS Marketplace. If you have questions for Baffle or AWS, please leave a comment on this blog. To request a demo, visit Baffle. If you’re ready to migrate your on-premises data to the cloud, contact your AWS account team today.

Danny Yin

Danny (Yen-Lin) Yin is the Global Technical Lead for AWS Partners in the CPG industry. He joined AWS in 2018 with 18 years of experience in ecommerce application development and operations. Danny helps CPG companies enhance the consumer digital user experience and gain operational efficiency across different lines of business. Danny is also responsible for solutions architecture and technical guidance for CPG technology and consulting partners on AWS. Before he joined AWS, Danny was Director of Digital Engineering at Toys”R”Us, where he successfully migrated the world’s largest toy webstore from an outsourced application to an in-house hybrid cloud application on AWS.

Harold Byun

Harold Byun is VP of Products at Baffle, a cloud data protection company. His career has focused on data containment and security technologies including data loss prevention and activity monitoring, cloud access security broker, and mobile data containment capabilities. He has a BA from Tufts University and an MBA from the Haas School of Business at UC Berkeley. Harold holds several data security-related patents.