Cloud providers will tell you encryption is on by default. They are technically correct. They will not tell you which threat model that default actually defends against.
What "encryption at rest" actually buys you
- Protection if a physical drive is somehow extracted from the data center (vanishingly unlikely)
- Protection against the provider's bulk-storage operators reading the raw blocks
What it does NOT buy you
- Protection against an authenticated user reading the data through the normal API
- Protection against a misconfigured access policy
- Protection against a compromised application credential
Where the real work is
- Key management. Whose keys? Provider-managed, customer-managed, customer-supplied? The further to the right you go, the more control you have and the more operational responsibility you take on.
- Encryption in transit between your services. Provider-managed services usually use TLS by default. Your own services running in cloud compute do not unless you configure them.
- Field-level encryption for sensitive columns. When the database is breached through the application, blob-level encryption is irrelevant. Field-level encryption with separate keys still helps.
Practical guidance
- Use provider-managed keys for the 80% case, customer-managed for the 20% that includes regulated data, customer-supplied only when you have a clear reason
- Rotate keys on a documented cadence, not "when we remember"
- Encrypt sensitive fields at the application layer for tier-1 data, even if the database is already encrypted
- Treat key access as a high-privilege identity scope and review it the same way you review root access
HS Academy
All HS Academy lessons are free to read. Create a free HorizonShield account to explore the platform itself.
Sign up free →