Should You Encrypt All Data At Rest?

Tad Whitaker
2 min read · Dec 17, 2017


If you find value in this story, please consider making a donation to the [HS]2 program. It prepares a group of first-generation and/or low-income students of color to succeed in college by empowering them with STEM-based skills, a family of driven peers, and a space to see the light and power in their own voices. Even $1 helps by demonstrating broad support to larger institutions considering donations.

This is part of a series answering interview questions submitted to Glassdoor.com for security engineer jobs. All questions are available at my GitHub page.

It depends.

What kind of data is it? What’s the nature of its creation? Who would find it valuable? What could happen if it was stolen? What else is protecting the data?

Those questions all factor into the decision.

If your data is crazy sensitive (launch codes, AWS tokens, etc.) then yes, it’s wise to encrypt that at rest. Anything that would be absolutely horrible if released into the wild should be encrypted at rest. If possible.

A lot of important data like source code isn’t, to many people’s surprise, encrypted at rest. GitHub is a good example. It doesn’t encrypt any of your data at rest.

“The website and git back-end would need to decrypt the repositories on demand, slowing down response times,” the company states on its security page. “Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our machines and network as secure as possible.”

So what does that mean?

A good analogy is a bank.

Banks have a big, solid building covered with cameras outside and bathed in alarms. Inside, there are armed guards, locked drawers and employees with buzzers direct to a police station. On a subterranean floor behind where all the managers sit, there is typically a steel vault. Inside that vault there might be special safe deposit boxes. The keys for these boxes require…

You get the point. The bank has hardened so much around the cash that leaving the cash lying around in piles is, relatively speaking, risk-free. That’s what GitHub and many others do with your data. They scrub user inputs, hire security engineers, conduct penetration tests, send your data over secure protocols like HTTPS, lock down ports, use iptables to restrict incoming traffic, throw up firewalls, etc.

Someone would need to work beyond hard to get at your data.
