Content control: Data at rest: What is stored encrypted?
Options:
When {required, sensitive, convenient} encrypt stored information in {servers, desktops, mobile devices, off-line backups, critical high-value authoritative storage systems, trustworthy systems} {with strong physical security}.
Basis:
Sensitive:
Information that must be protected from observation, either
because it is confidential or because it reveals operational
information that could be used in intelligence, should be encrypted in
storage when that storage may be physically accessible, in order to
prevent exploitation.
All:
Encryption of all high risk data at rest is reasonable unless
there is a reason not to encrypt it, such as for recovery purposes,
because it causes performance degradation that itself induces high
consequences, or because availability and forensics capability are
considered more important than secrecy.
Required:
Some data is required to be encrypted by contract or
regulation. In these cases, there is no choice.
Servers:
These are computers in a fixed location, typically a data center or collocated with the users who have access to the same content, and which have physical controls.
Desktops:
These computers are typically used to access servers and other
content but don't contain large quantities of sensitive data for long
periods of time.
Mobile devices:
These devices move from place to place on a daily or regular basis.
As a result, sensitive content contained within them is subject to a wider
range of physical assaults.
Off-line backups:
These are redundant copies of data not connected to a computer (e.g., backup tapes, disks, etc.).
Critical high-value primary servers with strong physical security:
These are the primary servers that are required for real-time
processing and that contain the authoritative copy of the data. They
are generally required to operate continuously, have severe
performance requirements, and recoverability of data is critical to
their operational value.
The use of encryption for information in storage is specifically and solely for the purpose of preventing unauthorized revelation of content. It is moderately priced for entire file systems and media, but more expensive and harder to manage if only select content is to be encrypted. However, it is also far harder to do forensic analysis, data recovery, and management of systems in which content is encrypted. For that reason, encryption should be used only when the utility of secrecy is higher than the utility of access, or when enough redundant access and supporting encryption infrastructure is available.
In low risk and medium risk situations: encrypt content when it is convenient to do so or when the utility of secrecy is higher than the utility of access. It is often an option to allow access to sensitive information stored on internal servers only via encrypted communication, which reduces the need to store sensitive information in encrypted form on remote systems. If backups are taken off site and stored elsewhere, encryption should be used in transit; however, be very cautious about encrypting backups, because loss of keys or media errors can make the entire content permanently unusable. In cases where fine-grained encryption is more expensive or harder to use than file system, user, or directory encryption, those should be used instead.
In high risk situations: systems with sensitive data that could lead to severe consequences if released should be encrypted as part of full-disk or full-media encryption on servers, local systems, remote systems, and backups. Remote systems at this risk level should only be used if absolutely necessary. To the extent possible, the systems with these requirements should be restricted to only the computers and data absolutely necessary to run at these risk levels. When physical security is present and the data is a primary authoritative data source, the risk of loss of use may exceed the value of protection, so encryption is not recommended.
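The decision rules in the basis and the low/medium/high risk paragraphs above, expressed as a small policy-as-code function. This is an added example, not part of the original posture text; the field names, the 0-10 utility scores, and the key-recovery flag for backups are assumptions introduced here to make the rules checkable.

```python
from dataclasses import dataclass

# Added example: the data-at-rest encryption posture as a decision function.
# Field names and the numeric utility scores are assumptions for illustration.

@dataclass
class StoredData:
    system: str                  # "server", "desktop", "mobile", "offline_backup"
    risk: str                    # "low", "medium", "high"
    sensitive: bool              # confidential or reveals operational information
    required: bool = False       # contract or regulation mandates encryption
    convenient: bool = False     # encryption is easy to apply here (e.g. built-in FDE)
    secrecy_utility: int = 0     # assumed 0-10 score for the value of secrecy
    access_utility: int = 0      # assumed 0-10 score for the value of access/recovery
    primary_authoritative: bool = False
    strong_physical_security: bool = False
    key_recovery_available: bool = False  # escrow/redundant access to decrypt later


def physically_exposed(d: StoredData) -> bool:
    """Mobile devices and off-line media travel; a server or desktop is only
    shielded from physical access when it sits behind strong physical controls."""
    if d.system in ("mobile", "offline_backup"):
        return True
    return not d.strong_physical_security


def should_encrypt(d: StoredData) -> tuple[bool, str]:
    """Return (decision, reason), applying the posture rules in order of precedence."""
    if d.required:
        return True, "required by contract or regulation"
    if d.risk == "high":
        if d.primary_authoritative and d.strong_physical_security:
            return False, "primary authoritative source under physical security: loss of use outweighs secrecy"
        if d.sensitive:
            return True, "high risk: full-disk or full-media encryption"
    if d.system == "offline_backup" and not d.key_recovery_available:
        return False, "off-line backup without key recovery: lost keys make the media unusable"
    if d.sensitive and physically_exposed(d):
        return True, "sensitive content on physically accessible storage"
    if d.convenient:
        return True, "low/medium risk: convenient to encrypt"
    if d.secrecy_utility > d.access_utility:
        return True, "utility of secrecy exceeds utility of access"
    return False, "utility of access outweighs secrecy; keep forensics and recovery simple"
```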