"Encrypted" means nothing by itself
Free Clip Art, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons

Cliff's Conjecture

When someone makes a claim about data encryption, the likelihood that it is encrypted well or properly is proportional to the length of the sentence in which the data encryption claim is made.

Examples

Claim 1: "It's encrypted."

Likely reality:

  • The data is encrypted in transit.
  • There is no encryption of the data at rest.

Claim 2: "That data is encrypted."

Likely reality:

  • Either the data is encrypted in transit, or it has at-rest encryption that is transparent at the application layer.
  • There is one key, and one account used to access it; or all users and applications share the same key.

Claim 3: "The data is encrypted at rest."

Likely reality:

  • Either the data has at-rest encryption that is transparent at the application layer, or at-rest encryption that is transparent at the service or OS layer.
  • There may be some key selection or key control available, but all data operations use the same one or two keys.

Claim 4: "The data is encrypted at rest with CIPHER_NAME."

Likely reality:

  • Either the data has at-rest encryption that may be transparent, or the application encrypts it at rest in a separate, discrete step.
  • There may be some key selection or key control available, but all data operations use the same one or two keys.

Claim 5: "The data is encrypted at rest with CIPHER_NAME and key access is segregated by role."

Likely reality:

  • The application encrypts the data at rest in a separate, discrete step.
  • Key selection and control are separated by role, but the separation may be simplistic.
  • Admins, users, and application service accounts may have different roles.
  • Different application service accounts may have different roles.
  • Each non-administrative role allows both encryption and decryption, so any compromised non-admin role can read the data as well as write it.

Claim 6: "The data is encrypted at rest with CIPHER_NAME and key usage is segregated by role and function."

Likely reality:

  • The data is encrypted at rest in a separate, discrete step by the application.
  • Key selection and control are separated by role for key admins, users, and application service accounts.
  • Users and application service accounts have separate roles for encryption versus decryption, so a role that can write protected data cannot read it back.
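What Claim 6 describes, written out as working code so the difference from Claims 2 through 5 is concrete. This is an added example, not code from the article: a small key broker that is the only component holding key material, with a key-admin role that can create keys but never use them, an encrypt-only role, and a decrypt-only role. The role names, the key ID "customer-pii", and the sample record are all constructed for the example; the cipher is AES-256-GCM from Go's standard library, with the key ID bound as associated data so a blob cannot be replayed under a different key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Role and Operation names are hypothetical labels chosen for this example.
type Role string
type Operation string

const (
	RoleKeyAdmin  Role = "key-admin" // creates and selects keys, never uses them on data
	RoleEncryptor Role = "encryptor" // e.g. an ingest service account: encrypt only
	RoleDecryptor Role = "decryptor" // e.g. a reporting service account: decrypt only

	OpManage  Operation = "manage"
	OpEncrypt Operation = "encrypt"
	OpDecrypt Operation = "decrypt"
)

// policy is the role/function matrix of Claim 6: exactly one function per role.
var policy = map[Role]map[Operation]bool{
	RoleKeyAdmin:  {OpManage: true},
	RoleEncryptor: {OpEncrypt: true},
	RoleDecryptor: {OpDecrypt: true},
}

var ErrDenied = errors.New("operation not permitted for role")

// Broker is the only component that holds key material. Callers pass a role
// and a key ID and get ciphertext or plaintext back, never the key itself.
type Broker struct {
	keys map[string][]byte // key ID -> 32-byte AES-256 key
}

func NewBroker() *Broker { return &Broker{keys: map[string][]byte{}} }

func (b *Broker) authorize(r Role, op Operation) error {
	if !policy[r][op] {
		return fmt.Errorf("%w: role %q, operation %q", ErrDenied, r, op)
	}
	return nil
}

// CreateKey generates a fresh AES-256 key under keyID. Only the key-admin
// role may call it, and even that role receives no key material back.
func (b *Broker) CreateKey(r Role, keyID string) error {
	if err := b.authorize(r, OpManage); err != nil {
		return err
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	b.keys[keyID] = k
	return nil
}

func (b *Broker) aead(keyID string) (cipher.AEAD, error) {
	k, ok := b.keys[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", keyID)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the encrypt-only function. Output is nonce || AES-GCM ciphertext,
// with the key ID as associated data. The role check runs before any key is touched.
func (b *Broker) Encrypt(r Role, keyID string, plaintext []byte) ([]byte, error) {
	if err := b.authorize(r, OpEncrypt); err != nil {
		return nil, err
	}
	gcm, err := b.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(keyID)), nil
}

// Decrypt is the decrypt-only function; a tampered blob fails the GCM tag check.
func (b *Broker) Decrypt(r Role, keyID string, blob []byte) ([]byte, error) {
	if err := b.authorize(r, OpDecrypt); err != nil {
		return nil, err
	}
	gcm, err := b.aead(keyID)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(keyID))
}

func main() {
	b := NewBroker()
	_ = b.CreateKey(RoleKeyAdmin, "customer-pii")
	ct, _ := b.Encrypt(RoleEncryptor, "customer-pii", []byte("ssn=123-45-6789")) // constructed sample record
	_, err := b.Decrypt(RoleEncryptor, "customer-pii", ct)                         // encrypt-only role cannot read back
	fmt.Println("encryptor decrypt:", err)
	pt, _ := b.Decrypt(RoleDecryptor, "customer-pii", ct)
	fmt.Println("decryptor decrypt:", string(pt))
}
```

The point of the example is the shape of the policy map, not the cipher: in a Claim 2 system the map collapses to one role with every operation, and in a Claim 5 system the encryptor and decryptor rows are the same row. A real deployment would put the broker behind an HSM or a cloud KMS and express the same matrix as key policy, but the check to look for is identical: which principals can call the decrypt function, and whether the principals that write data are among them.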
