Enter the controls desired for data at rest:
Location | Low risk | Medium risk | High risk
Information that must be protected from observation, either because it is confidential or because it reveals operational information that could be used for intelligence purposes, should be encrypted in storage whenever that storage may be physically accessible to an attacker, in order to prevent exploitation.
Encrypting all high risk data at rest is reasonable unless there is a specific reason not to, such as recovery requirements, performance degradation severe enough to itself bring about the high consequences the control is meant to prevent, or a judgment that availability and forensic capability matter more than secrecy.
Some data is required to be encrypted by contract or regulation. In these cases, there is no choice.
These computers are typically used to access servers and other content but don't contain large quantities of sensitive data for long periods of time.
These devices move from place to place daily or on a regular basis. As a result, sensitive content stored on them is exposed to a wider range of physical attacks, such as theft or loss of the device.
These are redundant copies of data and systems containing data.
Critical high-value primary servers with strong physical security:
These are the primary servers that are required for real-time processing and that contain the authoritative copy of the data. They are generally required to operate continuously, have stringent performance requirements, and the recoverability of their data is critical to their operational value.
Encryption of information in storage serves one specific purpose: preventing unauthorized disclosure of content. It is moderately priced when applied to entire file systems and media, but more expensive and harder to manage when only selected content is to be encrypted. It also makes forensic analysis, data recovery, and system management far harder, because each of those depends on access to the keys. For that reason, encryption at rest should be used only where it is actually required.
In low risk and medium risk situations: Do not encrypt stored content except on mobile systems, and there encrypt only the sensitive information. It is often possible to keep sensitive information on internal servers and allow remote access to it only over encrypted communication, which reduces the need to store sensitive information in encrypted form on remote systems. If backups are taken off site and stored elsewhere, encrypt them in transit; however, be very cautious about encrypting the stored backups themselves, because loss of the keys or a media error can make the entire content permanently unusable. If backups are encrypted, the keys must be escrowed and kept separately from the media, and the backup format should confine the effect of a media error to the damaged portion rather than the whole set. Where fine-grained encryption of individual items is more expensive or harder to use than file system, user, or directory level encryption, use the coarser-grained option instead.
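The "loss of keys or media errors" caution is easiest to see in code. The following is an added example and is not code from the original page: it seals a constructed backup two ways, as one monolithic encrypt-then-MAC record and as independently authenticated chunks, then flips one byte to simulate a media error. The cipher is a stand-in built from HMAC-SHA256 so the example runs with the standard library only (a real backup tool would use AES-GCM or XChaCha20-Poly1305); the function names, the 1024-byte chunk size and the sample data are all assumptions made for this example.

```python
# Added example (not from the original page). Shows why an unrecoverable backup is
# the failure mode to design against: a monolithic encrypt-then-MAC record loses
# everything if one byte of media is damaged or the key is lost, while a chunked
# format with a per-chunk tag confines a media error to one chunk.
# Stand-in cipher built from HMAC-SHA256 (stdlib only); use AES-GCM or
# XChaCha20-Poly1305 in production.
import hashlib
import hmac
import struct

NONCE_LEN = 16
TAG_LEN = 32
CHUNK = 1024  # plaintext bytes per chunk (assumed; real tools use larger chunks)


def _subkeys(master: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(master: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC one record: nonce || ciphertext || tag."""
    assert len(nonce) == NONCE_LEN
    enc, mac = _subkeys(master)
    ct = bytes(p ^ k for p, k in zip(data, _keystream(enc, nonce, len(data))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master: bytes, record: bytes):
    """Return plaintext, or None if the tag fails (wrong key or damaged bytes)."""
    if len(record) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    enc, mac = _subkeys(master)
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def seal_chunked(master: bytes, base_nonce: bytes, data: bytes) -> list:
    """Seal each CHUNK-byte slice on its own; nonce = 8-byte base || chunk index."""
    assert len(base_nonce) == 8
    return [seal(master, base_nonce + struct.pack(">Q", i), data[off:off + CHUNK])
            for i, off in enumerate(range(0, len(data), CHUNK))]


def unseal_chunked(master: bytes, records: list):
    """Recover what can be recovered: (plaintext with zero-filled holes, lost chunk indexes)."""
    out, lost = bytearray(), []
    for i, rec in enumerate(records):
        pt = unseal(master, rec)
        if pt is None:
            lost.append(i)
            out += b"\x00" * (len(rec) - NONCE_LEN - TAG_LEN)  # hole of the same length
        else:
            out += pt
    return bytes(out), lost


def corrupt(buf: bytes, offset: int) -> bytes:
    """Simulate a media error by flipping one byte."""
    return buf[:offset] + bytes([buf[offset] ^ 0xFF]) + buf[offset + 1:]


if __name__ == "__main__":
    key = hashlib.sha256(b"demo master key").digest()  # constructed, not a real key
    # Constructed sample backup: 200 short records, about 7 KB.
    backup = b"".join(b"record %05d: some backed-up content\n" % i for i in range(200))

    # Monolithic record: one damaged byte and nothing is recoverable.
    whole = seal(key, b"\x01" * NONCE_LEN, backup)
    print("monolithic after media error:", unseal(key, corrupt(whole, 3000)))

    # Chunked: the same damage costs exactly one chunk.
    chunks = seal_chunked(key, b"\x02" * 8, backup)
    chunks[2] = corrupt(chunks[2], 40)
    recovered, lost = unseal_chunked(key, chunks)
    print("chunked: lost chunk(s)", lost, "of", len(chunks))

    # Lost key: nothing is recoverable in either format.
    print("wrong key, chunks lost:", unseal_chunked(hashlib.sha256(b"other").digest(), chunks)[1])
```

The chunked format limits damage from media errors but does nothing for key loss, which is why the text insists on escrowing keys separately from the media: with the wrong key every chunk fails authentication and the whole backup is gone.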
In high risk situations: Systems holding sensitive data whose release could lead to severe consequences should use full-disk or full-media encryption on servers, local systems, remote systems, and backups. Remote systems at this risk level should be used only when absolutely necessary, and the set of computers and data operating at this level should be kept to the minimum required. The exception is a primary authoritative data source under physical security: there the risk of losing use of the data may exceed the value of the protection, so encryption is not recommended.