Mon Sep 29 18:51:30 PDT 2014

Content control: Data at rest: What should I store encrypted?


When {required, sensitive, convenient} encrypt stored information in {servers, desktops, mobile devices, off-line backups, critical high-value authoritative storage systems, trustworthy systems} {with strong physical security}.


IF content is stored in trustworthy systems AND with strong physical security THEN encrypt when required or convenient.
OTHERWISE IF content is stored in a critical high-value authoritative storage system AND with strong physical security THEN encrypt only when required.
OTHERWISE IF content is stored in an offline backup AND with strong physical security THEN encrypt only when required.
OTHERWISE IF consequences of unauthorized disclosure are high THEN encrypt.
OTHERWISE IF consequences of unauthorized disclosure are medium THEN encrypt when required or convenient.
OTHERWISE IF convenient THEN encrypt.
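The decision chain above, encoded as a small policy-as-code check so it can be run over a system inventory. This is an added example, not part of the original standard; the asset attribute names and the sample inventory are constructed, and the final "required" fallback comes from the standard's statement that regulated data leaves no choice.

```python
from dataclasses import dataclass
from enum import Enum

class Storage(Enum):
    SERVER = "server"
    DESKTOP = "desktop"
    MOBILE = "mobile device"
    OFFLINE_BACKUP = "off-line backup"
    AUTHORITATIVE = "critical high-value authoritative storage system"
    TRUSTWORTHY = "trustworthy system"

@dataclass(frozen=True)
class Asset:
    name: str
    storage: Storage         # one of the storage classes from the standard's template sentence
    physical_security: bool  # strong physical security is present
    consequence: str         # of unauthorized disclosure: "low", "medium" or "high"
    required: bool           # encryption is required by contract or regulation
    convenient: bool         # encryption is convenient here (e.g. full-disk encryption already available)

def decide(a: Asset) -> tuple[bool, str]:
    """Ordered IF / OTHERWISE IF chain; first match wins. Returns (encrypt?, rule fired)."""
    if a.storage is Storage.TRUSTWORTHY and a.physical_security:
        return a.required or a.convenient, "trustworthy + physical security: required or convenient"
    if a.storage is Storage.AUTHORITATIVE and a.physical_security:
        return a.required, "authoritative + physical security: only when required"
    if a.storage is Storage.OFFLINE_BACKUP and a.physical_security:
        return a.required, "off-line backup + physical security: only when required"
    if a.consequence == "high":
        return True, "high consequence: encrypt"
    if a.consequence == "medium":
        return a.required or a.convenient, "medium consequence: required or convenient"
    if a.convenient:
        return True, "convenient: encrypt"
    # Not a step of the chain itself, but the standard says regulated data leaves no choice.
    if a.required:
        return True, "required by contract or regulation: encrypt"
    return False, "no rule fired: encryption not called for"

# Constructed sample inventory (not from the original page); each asset fires a different rule.
SAMPLE = [
    Asset("field-laptop", Storage.MOBILE, False, "high", False, True),
    Asset("billing-db", Storage.AUTHORITATIVE, True, "high", False, True),
    Asset("tape-set-7", Storage.OFFLINE_BACKUP, True, "medium", True, False),
    Asset("lobby-kiosk", Storage.DESKTOP, True, "low", False, False),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a.name:13} -> {decide(a)}")
```

Note that the authoritative server holding high-consequence data is not encrypted unless required: the storage-class rules fire before the consequence rules, which is the point of the chain's ordering.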


Information that must be protected from observation, either because it is confidential or because it reveals operational information that could be used for intelligence purposes, should be encrypted in storage when that storage may be physically accessible, in order to prevent exploitation.

Encryption of all high risk data at rest is reasonable unless there is a reason not to encrypt it, such as for recovery purposes, because it causes performance degradation that itself induces the high consequences, or because availability and forensics capability are considered more important than secrecy.

Some data is required to be encrypted by contract or regulation. In these cases, there is no choice.

Servers:
These are computers in a fixed location, typically a data center or colocated with the users who have access to the same content, and which have physical controls.

Desktops:
These computers are typically used to access servers and other content but don't contain large quantities of sensitive data for long periods of time.

Mobile devices:
These devices move from place to place on a daily or regular basis. As a result, sensitive content contained within them is subject to a wider range of physical assaults.

Off-line backups:
These are redundant copies of data not connected to a computer (e.g., backup tapes, disks, etc.).

Critical high-value primary servers with strong physical security:
These are the primary servers that are required for real-time processing and that contain the authoritative copy of the data. They are generally required to operate continuously, have severe performance requirements, and recoverability of data is critical to their operational value.

The use of encryption for information in storage is specifically and solely for the purpose of preventing unauthorized revelation of content. It is moderately priced for entire file systems and media, but more expensive and harder to manage if only select content is to be encrypted. However, it is also far harder to do forensic analysis, data recovery, and management of systems in which content is encrypted. For that reason, encryption should be used only when the utility of secrecy is higher than the utility of access, or when enough redundant access and supporting encryption infrastructure is available.

In low risk and medium risk situations: encrypt content when it's convenient to do so or when the utility of secrecy is higher than the utility of access. It is often an option to allow remote access to sensitive information stored on internal servers only via encrypted communication, which reduces the need to store sensitive information in encrypted form on remote systems. If backups are taken off site and stored elsewhere, encryption should be used in transit; however, be very cautious about encrypting backups, because loss of keys or media errors can make the entire content permanently unusable. In cases where fine-grained encryption is more expensive or harder to use than file system, user, or directory encryption, those should be used instead.

In high risk situations: systems holding sensitive data that could lead to severe consequences if released should be protected with full-disk or full-media encryption on servers, local systems, remote systems, and backups. Remote systems at this risk level should be used only if absolutely necessary. To the extent possible, systems with these requirements should be restricted to only the computers and data absolutely necessary to operate at these risk levels. When physical security is present and the data is a primary authoritative data source, the risk of loss of use may exceed the value of protection, so encryption is not recommended.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved