
SANS ISC: Encryption of "data at rest" in servers SANS ISC InfoSec Forums

Encryption of "data at rest" in servers

Over in the SANS ISC discussion forum, a couple of readers have started a good discussion about which threats we actually aim to mitigate if we follow the HIPAA/HITECH (and other) recommendations to encrypt "data at rest" that is stored on a server in a data center. Yes, it helps against outright theft of the physical server, but, as many recent prominent data breaches suggest, it doesn't help all that much if the attacker comes in over the network and has acquired admin privileges, or if the attack exploits a SQL injection vulnerability in a web application.

There are types of encryption (mainly field or file level) that can also help against these eventualities, but they are usually more complicated and expensive, and not often applied. If you are interested in "data at rest" encryption for servers, please join the mentioned discussion in the Forum.
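To make the field-level case concrete, here is an added example (not from the diary or the forum thread) that contrasts what a reader going through the database engine sees with what the key-holding application sees. It assumes the third-party `cryptography` package, AES-GCM as the cipher, and a hypothetical `patients` table filled with constructed sample data.

```python
import os
import sqlite3
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: in production the key comes from a KMS/HSM and is held only by
# the application tier, never stored in the database or on the DB host.
KEY = AESGCM.generate_key(bit_length=256)


def seal(key, patient_id, column, plaintext):
    """Encrypt one field; the row id and column name are bound in as AAD."""
    nonce = os.urandom(12)
    aad = f"{patient_id}:{column}".encode()
    return nonce + AESGCM(key).encrypt(nonce, plaintext.encode(), aad)


def unseal(key, patient_id, column, blob):
    """Decrypt one field; raises InvalidTag on a wrong key, row or column."""
    aad = f"{patient_id}:{column}".encode()
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad).decode()


def build_db(key):
    """Constructed sample data; only the diagnosis column is encrypted."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, diagnosis BLOB)")
    for pid, name, dx in [(1, "Alice Example", "asthma"), (2, "Bob Example", "diabetes")]:
        db.execute("INSERT INTO patients VALUES (?, ?, ?)", (pid, name, seal(key, pid, "diagnosis", dx)))
    return db


def database_view(db):
    """What any reader going through the DB engine gets (SQLi, DBA login, dump)."""
    return db.execute("SELECT id, name, diagnosis FROM patients ORDER BY id").fetchall()


def application_view(db, key, patient_id):
    """What the application gets: it holds the key, so it can decrypt."""
    (blob,) = db.execute("SELECT diagnosis FROM patients WHERE id = ?", (patient_id,)).fetchone()
    return unseal(key, patient_id, "diagnosis", blob)


if __name__ == "__main__":
    db = build_db(KEY)
    for row in database_view(db):
        print(row[0], row[1], row[2].hex()[:32] + "...")  # name is still plaintext
    print(application_view(db, KEY, 1))
```

Binding the row id and column name as associated data means a ciphertext copied into another row fails authentication instead of decrypting under the wrong patient. Unencrypted columns such as `name` remain readable to anyone with database access, which is part of why choosing and maintaining the protected fields adds the complexity the diary mentions.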


ISC Handler
Sep 1st 2015
