Data doesn’t stay at rest in the cloud, so what does data-at-rest encryption in the cloud really achieve?

I came across this post talking about data residency challenges and cloud applications, and the importance of keeping cloud data safe. We recently ran a popular webinar on this topic and how to elegantly handle the challenge. There's lots of commentary on these issues these days, but it seems that the industry still thinks that data-at-rest encryption solves data privacy problems in the cloud. The bottom line is that it solves only a fraction of the risk and compliance problem, leaving gaping holes in security that attackers will love, malware will exploit, and auditors will drive trucks through — merrily tooting their non-compliance horns.

Data-at-rest encryption is a step in the right direction, but it isn't enough. It's also probably not an investment a CIO's going to be happy about if the data that was thought to be protected finds its way onto a hacker's data trading site. There are many, many instances of major data breaches where data-at-rest encryption has been in place — even in cloud and hosted service scenarios. The payments processing industry knows this all too well, and has the scars to prove it. The data-at-rest solutions did nothing to protect them. History shows the millions of dollars spent to repair breached enterprises, and those taking only data-at-rest encryption measures will not be far behind.

So why doesn't data-at-rest encryption cut it? Here's why: data-at-rest encryption protects against theft of data at the server level — at rest, when powered off — not at the application, in transmission, or in use. And let’s face it — data really does not stay at rest for very long when it’s generating value for the enterprise. So if a cloud or enterprise application is executing with data protected at rest, that same data is typically decrypted at the disk or database layer before it’s presented to the network and the applications that use it. Also, server and database encryption require the keys to be right next to the data as it’s read from the server — constantly. That means the keys — and usually it’s one key per server — also need to be managed and protected. The fact is, security gaps open up as the data leaves the server where it was formerly protected at rest and is now in the clear, in motion and in use, up to and into the application running in the cloud or enterprise. This creates a huge window of opportunity for attack and an ideal opportunity for malware to sniff it out and steal it, or for an insider to extract it. That's how breaches happen.

Even if a separate transmission approach is "bolted on top", like SSL or VPNs, there are still gaps as the data appears in clear form from server to database to network to application and back. Traditional encryption approaches make it hard to do anything else without massive change and cost, but traditional is now old hat — there's something far better and easier.

Newer, secure, proven, innovative approaches are being adopted by leading banks, telcos, credit card processors and issuers, healthcare entities, government agencies and even industry regulators: they are all embracing data-centric security. Data-centric security protects the data across its lifecycle — from capture, in motion, at rest, and even in use. It stays protected anywhere it propagates, mitigating residency compliance risks, persistent threats, and attacks to data. To make data-centric security viable requires new data-level protection approaches — ones that don't require a lot of application or process re-engineering, new data models or schemas, or more complex IT and servers to manage.

Also, and critically, there's no point in trying to go data-centric if all you can pin your entire breach mitigation and compliance strategy on is a vendor’s claim that it’s secure, without any validation via published proofs and analysis. You cannot just assume that an approach is "random" or "secure" just because someone claims it is. Proofs, scrutiny, and evidence are mandatory. After all, un-mixing paint is rather difficult!

So, to avoid data residency challenges, to reduce risk, to adopt cloud, and to streamline compliance, data-centric security is the best approach. The method picks up where first-generation data-at-rest solutions leave off, and is far more appropriate for the contemporary world of complex data privacy regulations and sophisticated attackers going after data.

That's exactly why the US Government's NIST is standardizing a data-centric technology called Format-Preserving Encryption. Keep in mind, not all "FPEs" are the same — there are some unpublished and very probably insecure versions out there. And just because they've been submitted to NIST doesn't mean they are accepted — NIST will list all submissions, but there's only one strong, NIST-recognized FPE going to standard — FFX mode AES. If you have any doubts, talk to NIST.
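To make the format-preserving idea concrete, here is an added illustration (not code from the post or from any vendor): a toy Feistel cipher in the style of the FFX construction that maps a 16-digit card number to another 16-digit number, so the protected value still fits the existing column and schema. It assumes HMAC-SHA256 as the round function for illustration; NIST's FF1 uses an AES-based PRF and differs in detail, so this is an educational stand-in, not the standard.

```python
import hashlib
import hmac

# Added example: a toy Feistel-based format-preserving cipher over decimal
# digit strings, in the style of the FFX construction the post refers to.
# The round function is HMAC-SHA256 (an assumption for illustration; NIST's
# FF1 uses an AES-based PRF and differs in detail). Ten rounds, alternating
# half-widths so odd-length inputs work too. Educational code, not FF1.
ROUNDS = 10
DIGITS = set("0123456789")


def _round_fn(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """PRF output reduced into the digit space 0 .. 10**width - 1."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a numeric string to a numeric string of identical length."""
    if len(digits) < 2 or not set(digits) <= DIGITS:
        raise ValueError("input must be an ASCII numeric string of >= 2 digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + _round_fn(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)           # zfill keeps leading zeros
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the Feistel rounds in reverse."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c, b = b, a
        a = str((int(c) - _round_fn(key, tweak, i, b, m)) % (10 ** m)).zfill(m)
    return a + b


if __name__ == "__main__":
    # Constructed sample: a well-known test card number and a demo key.
    key = b"demo-key-for-illustration-only"
    pan = "4111111111111111"
    ct = fpe_encrypt(key, pan, tweak=b"card_table")
    print(pan, "->", ct, "->", fpe_decrypt(key, ct, tweak=b"card_table"))
```

The tweak binds the ciphertext to its context (here a table name), so the same card number stored in two places does not produce the same protected value.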

FPE is a powerful data-centric weapon in the battle against cyber-crime, and in our experience has a habit of making CIOs particularly happy by taking the data governance, risk, and compliance posture to the next level — at a pace that’s second to none, while cutting costs at the same time.

A safe cloud is a data-centric security powered cloud.


If you would like to learn more, have a look at the webinar, and if you'd like a more detailed whitepaper on the topic, don't hesitate to contact me – ask for Mark Bower at
