[flagged] Is Encryption at Rest a Scam? (evervault.com)
16 points by FCRF on Sept 21, 2023 | 14 comments


Sheesh, clickbaity title.

No, it’s not a scam. Should you use it for your data? Yes. Does it prevent you being h4x0red? No. Defense in depth.


From the article:

> Nothing in this diatribe argues that encryption at rest is creating a net negative, outside of it being represented as a be-all and end-all security measure. When I say encryption at rest is a scam, I’m talking about it from the eyes of the purchaser. And given that it’s their data at risk, this is the standpoint that matters.


"not creating a net negative". Blog author doesn't want to commit to anything. What's the point if they're not going to make a point?


The point is: while it is “not creating a net negative”, is it still creating the net positive that providers claim and in some cases want you to pay for?

Significantly: there are a whole host of risks that it doesn't mitigate, that it is not intended at all to mitigate, that people who don't know any better might assume are dealt with when things are pushed as secure “because the data is encrypted at rest”. If you read TFA you'll see that it details some of these concerns.


The point I read (though he was preaching to the choir) is that

> developers often rely on encryption at rest as a gold standard security measure

and they shouldn't.

Security isn't a list of checkboxes to tick.


Exactly. As explained in the article itself, the title is pure clickbait.


Most corporate blogs are less than useless. Clickbait titles are getting more and more prevalent too. "We're not sustainable" from yesterday is another example.


Yes, a title with a question mark can usually be answered by a simple "no". If it was a yes, the title "Encryption at Rest is a scam" would be more likely.

https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headline...


I think "scam" is a bit strong. It maybe offers less value in some scenarios than people assume, so perhaps offers a false sense of security. People have been saying for many years that ticking the "encrypt at rest" box in your cloud console only protects against things like people breaking into their data centre, and they are right. On the other hand, it's easy to do, and while arguably not helping much with actual security, it can be a cheap way of meeting policy requirements.


The title is a bit clickbaity. I agree with the basic premise that people and companies often think that encryption at rest provides more protection than it really does.

We should however distinguish between encryption at rest for storage devices and other forms of encryption at rest.

You can also encrypt data at rest at the application or database layers, and they provide protection against more than just physical access to the storage device.

Like all encryption, it's all about who can get the keys.


I can imagine a couple of scenarios where no physical access to the drive is required for it to be useful. It's not like you're always on the machine which has the key in memory or on storage, but the sensitive data could be accessed anyway, for example through a share.

"Encryption at rest protects companies against the least common—and trickiest—attack vector: physical theft of hard drives" is a pretty odd view to see if you're into security, as these guys are.


Seems like a fine point, I guess, but this article exists mainly as a Trojan horse for that nerd-sniping "encryption by proxy" link. You go "Never heard of that, what is it?" And click and surprise! It's the thing they're selling to you!

Which is, hilariously, send us your data and we'll encrypt it for you! Very secure, much privacy.


Minimizing the time the data is stored as plaintext in memory is still a good idea. Minimizing the time the key is stored in memory is still a good idea. Minimizing the code that has access to the key is still a good idea.
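The distinction drawn earlier in the thread between disk-level and application-level encryption at rest, together with the point just above about keeping key and plaintext lifetimes short, as an added example that is not from the article or from any commenter. It assumes a fixed 32-byte demo key (a constructed stand-in for one fetched from a KMS or HSM at call time), a constructed user record, and an AAD scheme of row id plus column name; all three are this example's own choices, not anything the page describes. Disk encryption would hand an attacker with OS or SQL access the plaintext; here the row they read holds only ciphertext, and the key lives in the process only while the closure runs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Record is the row exactly as the database, its backups and anyone who can
// run SELECT see it. The key never reaches the database.
type Record struct {
	ID    string
	Email string
	SSN   string // base64(nonce || AES-256-GCM ciphertext || tag)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to its row and column: a value cut from one row and
// pasted into another fails authentication instead of decrypting cleanly.
func aad(recordID, column string) []byte {
	return []byte(recordID + "\x00" + column)
}

func encryptField(key []byte, recordID, column string, plaintext []byte) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random 96-bit nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, aad(recordID, column)) // nonce prefix
	return base64.StdEncoding.EncodeToString(sealed), nil
}

func decryptField(key []byte, recordID, column, stored string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	if len(raw) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad(recordID, column))
}

// withKey fetches the key only for the duration of fn and zeroes the copy
// afterwards. Go's GC may still have copied the bytes, so this is best effort.
func withKey(load func() []byte, fn func(key []byte) error) error {
	key := load()
	defer func() {
		for i := range key {
			key[i] = 0
		}
	}()
	return fn(key)
}

// demoKey is a constructed, fixed key for this example only; a real
// deployment fetches it from a KMS or HSM and never embeds it in source.
func demoKey() []byte {
	return []byte("0123456789abcdef0123456789abcdef") // 32 bytes, fresh slice each call
}

func main() {
	var rec Record // constructed sample user
	err := withKey(demoKey, func(key []byte) error {
		ct, err := encryptField(key, "user-42", "ssn", []byte("123-45-6789"))
		rec = Record{ID: "user-42", Email: "alice@example.com", SSN: ct}
		return err
	})
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", rec) // what a DBA, a backup or SQLi sees
	fmt.Println("plaintext in row:", strings.Contains(rec.SSN, "123-45-6789"))
	_, err = decryptField(demoKey(), "user-43", "ssn", rec.SSN) // wrong row: auth fails
	fmt.Println("decrypts under another row id:", err == nil)
}
```

The AAD is what turns "encrypted" into "encrypted for this row": without it, an attacker with write access to the table could swap one user's ciphertext into another row and have the application decrypt it for them. Whether the data also sits on an encrypted volume changes nothing about what this code protects against; as the thread says, it comes down to who can get the key.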


Click bait. Author says you should still enable encryption at rest.




