It is often touted that encrypting data at rest will add a level of protection that can allay most fears of data breach.  I like to differ on this matter and suggest that this is not necessarily a strong argument.

A better view in my opinion is that improving access-control measures (i.e. authentication, authorisation) can provide a much more useful and effective approach to data security than encryption at rest.  The cost, complexity and functionality-reduction overheads of applying an encryption solution to data at rest far outweigh any perceived benefits.  Perhaps the recent increased focus and interest in encryption of data at rest is due to the heightened appetite of organisations wishing to move to the cloud.  A number of commercial organisations nowadays are creating big business by offering encryption services/solutions for protecting data in the Cloud.

The practical truth in my view is that no current encryption solution for data at rest, in Cloud environments at least, adds much protection to the data.  Typically the easiest route to the data for most adversaries is through circumventing the access-control mechanism.  E.g. via hacking legitimate accounts, using social engineering to steal/phish relevant credentials, hijacking encryption keys, pilfering/intercepting open information sources/systems, back-dooring systems/applications, coercing insiders or planning malicious insider access, etc. In other words, the ultimate route to the data at rest will most likely be through circumvention of the access-control mechanisms.  Thus it is far easier, cheaper and more effective to bolster the access control barriers and overlay a monitoring and alerting mechanism for timely detection and response to anomalous activity.  Simply adding a complex and costly encryption solution will unlikely offer a solid defence against a compromised access-control mechanism because by definition anyone with the right access credentials will have unfettered access to the data.

Another argument against the usefulness of encryption at rest is the fact that current encryption regimes are:

  1. Being subverted by state security agencies such as the NSA in the US and GCHQ in the UK to name a couple. (Read <this> New York Times article. Also see Bruce Schneier’s article <here>).
  2. Becoming increasingly susceptible to advances in technology and novel computer processing capabilities which may render it totaly unusable in the not too distant future. (Read <this> article from the Global Risk Institute).

It is unlikely that this short article will do justice to such a big and complex topic but my intention is really to share thoughts and offer a different perspective on an issue that often tends to be treated by default according to old security precepts and rules.  Encryption at rest is not a panacea and must not always be considered as the ultimate solution to data security.  It has its use-cases but every solution architect needs to weigh its merits on a case by case basis and not take it as a mandatory measure by default because the rule book says so.

We need to inform not just the end-users of encryption services but also, and more concerning, the law-makers/regulators that hail encryption as a primary solution (or even a crucial prerequisite in some cases) for preserving data privacy and security.

It is important to make well founded decisions about the value of encryption and not be blown away by the hype.  We need to have the opportunity to choose the best value security solution for each case and not be dictated to or stifled by regulatory or standards bodies who are not necessarily best positioned to understand the technical advantages/disadvantages of encryption technology/science.

We also need to be in an informed position to objectively validate the claims made by commercial organisations that sell encryption solutions and services.