It is often touted that encrypting data at rest will add a level of protection that can allay most fears of data breach. I like to differ on this matter and suggest that this is not necessarily a strong argument.
A better view in my opinion is that improving access-control measures (i.e. authentication, authorisation) can provide a much more useful and effective approach to data security than encryption at rest. The cost, complexity and functionality-reduction overheads of applying an encryption solution to data at rest far outweigh any perceived benefits. Perhaps the recent increased focus and interest in encryption of data at rest is due to the heightened appetite of organisations wishing to move to the cloud. A number of commercial organisations nowadays are creating big business by making big claims and offering encryption services/solutions for protecting data in the Cloud.
The practical truth in my view is that no current encryption solution for data at rest, in Cloud environments at least, adds much protection to the data. Typically the easiest route to the data for most adversaries is through circumventing the access-control mechanism. E.g. via hacking legitimate accounts, using social engineering to steal/phish relevant credentials, hijacking encryption keys, pilfering/intercepting open information sources/systems, back-dooring systems/applications, coercing insiders or planning malicious insider access, etc. In other words, the ultimate route to the data at rest will most likely be through circumvention of the access-control mechanisms. Thus it is far easier, cheaper and more effective to bolster the access control barriers and overlay a monitoring and alerting mechanism for timely detection and response to anomalous activity. Simply adding a complex and costly encryption solution will unlikely offer a solid defence against a compromised access-control mechanism because by definition anyone with the right access credentials will have unfettered access to the data.
Another argument against the usefulness of encryption at rest is the fact that current encryption regimes are:
Starting to become plausibly susceptible to being broken due to increasing and ubiquitous computing power and increased perpetrator motivation and capability (not to mention recent advances in quantum computing). See this Atos blog article “Encryption: We Lost” covering some relevant aspects on the topic <here>.
- Being subverted by state security agencies such the NSA in the US and GCHQ in the UK to name a couple. (Read <this> New York Times article. Also a recent Bruce Schneier article <here>).
It is unlikely that this short article will do justice to such a big and complex topic but my intention is really to share thoughts and equally hear the challenge from the opposite view in order inform and update any readers that are looking to form an opinion.
It is helpful to examine and debate the true value of data encryption at rest. We need to inform not just the end-users of encryption services but also, and more concerning, the law-makers/advisors that hail encryption as a primary solution (or even a crucial prerequisite in some cases) for preserving data privacy and security.
It is important to make well founded decisions about the value of encryption and not be blown away by the hype. We need to have the opportunity to choose the best value security solution for each case and not be dictated to or stifled by law-makers who are not necessarily best positioned to understand the technical advantages/disadvantages of encryption technology/science. We also need to be in an informed position to objectively validate the claims made by commercial organisations that sell encryption solutions and services.