
What are good data-at-rest encryption strategies for sensitive data?

Çağlar Arlı

I need to protect sensitive data by doing data encryption at rest. Context: I have the data of at least 20 apps to protect. I want protection from those with legitimate access to the virtual machine hosting the database (sysadmin) or to the database (DBA, some end users), for 3 reasons: one of them could go rogue; some of their accesses are from "normal" PCs which could be compromised; states or equivalent threats with a lot of power can run APTs and try to steal credentials or mount complex attacks (pivoting between machines, privilege escalation) to gain access to the VM or the database. In all those scenarios I want the confidentiality of my sensitive data protected.

Option 1: Full Disk Encryption (FDE)

Weak level of protection: it protects only against physical loss of storage media. In 76% of data breaches, the attacker begins by stealing and using the credentials of a privileged account, making the protection provided by disk encryption useless (source: https://www.forbes.com/sites/louiscolumbus/2019/02/26/74-of-data-breaches-start-with-privileged-credential-abuse/). I plan to discard this option. Am I right?

Option 2: Database Encryption

  • Sub-option 1: Transparent Data Encryption, which offers encryption at file level. I'm unsure if that is equivalent to FDE. Is it or not?
  • Sub-option 2: use PostgreSQL and pgcrypto to encrypt only the sensitive data. If I understand correctly, anyone who has access to the virtual machine (like the sysadmin) or to the database in the VM (like the DBA or the humans who have a valid account) will see the data only in encrypted form. Only the app will see the sensitive data in decrypted form. Am I right? If so, this solution seems good.

Option 3: Application Layer Encryption

Highest level of security, but hard to implement app by app, so a possibility would be to use a third-party solution like CipherTrust from Thales or, for the specific case of Elasticsearch, a tool like Cloaked Search.

Option 4: File-Based Encryption (FBE)

Source: https://cpl.thalesgroup.com/encryption/selecting-right-encryption-approach.

Encrypting data at the file or volume level (typically used for databases) offers security controls with software agents installed in the operating system. For many organizations and purposes, file encryption represents the optimal approach. Its broad protections support the vast majority of use cases, and it is easy to deploy and operate.

In the case of a database I don't understand the difference in security level obtained between FDE, FBE and TDE: I think that in all 3 cases, anyone who has access to the virtual machine or to the database in the VM will access the data in plain text, so I don't find those solutions relevant. Am I right?
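The model the question describes in Sub-option 2 and Option 3, the application holds the key and the database only ever stores ciphertext for the sensitive column, looks like the following. This is an added example, not code from the question or from any of the products named; it uses an in-memory map as a stand-in for the PostgreSQL table, a constructed demo key, and hypothetical function names (Insert, AppView, DBAView, SwapCiphertext). One caveat worth knowing when comparing it with pgcrypto: pgp_sym_encrypt and pgp_sym_decrypt receive the key as an argument inside the SQL statement, so the server process, and any statement logging on the DB host, can see it; in the approach below the key never leaves the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is one row as the database stores it. Only the sensitive column is
// encrypted; a DBA or sysadmin reading the table sees SSNCiphertext, never the SSN.
type Record struct {
	ID            int64
	Name          string // non-sensitive, stored in clear
	SSNCiphertext []byte // nonce || AES-256-GCM ciphertext+tag
}

// Store stands in for the PostgreSQL table (assumption: an in-memory map keeps
// the example self-contained and runnable offline).
type Store map[int64]Record

// appKey returns a constructed 256-bit key for the demo. In production it would
// come from a KMS or HSM reachable only by the application, never from the DB host.
func appKey() []byte {
	k := sha256.Sum256([]byte("constructed-demo-key-material, not for real use"))
	return k[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds each ciphertext to its row id as associated data, so a ciphertext
// copied from another row by someone with write access to the table fails to
// decrypt instead of silently yielding another person's value.
func aad(id int64) []byte { return []byte(fmt.Sprintf("ssn:%d", id)) }

// Insert encrypts the SSN on the application side and stores the row.
func Insert(s Store, key []byte, id int64, name, ssn string) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := gcm.Seal(nil, nonce, []byte(ssn), aad(id))
	s[id] = Record{ID: id, Name: name, SSNCiphertext: append(nonce, ct...)}
	return nil
}

// AppView is what the application sees: it holds the key, so it can decrypt.
func AppView(s Store, key []byte, id int64) (string, error) {
	rec, ok := s[id]
	if !ok {
		return "", errors.New("no such row")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(rec.SSNCiphertext) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, rec.SSNCiphertext[:ns], rec.SSNCiphertext[ns:], aad(id))
	if err != nil {
		return "", err // wrong key, tampered bytes, or ciphertext moved between rows
	}
	return string(pt), nil
}

// DBAView is what a DBA running SELECT * sees: the clear column and hex ciphertext.
func DBAView(s Store, id int64) (name, ssnColumn string) {
	rec := s[id]
	return rec.Name, hex.EncodeToString(rec.SSNCiphertext)
}

// SwapCiphertext simulates someone with table write access copying the encrypted
// column from row src into row dst; the AAD makes the result undecryptable.
func SwapCiphertext(s Store, src, dst int64) {
	r := s[dst]
	r.SSNCiphertext = s[src].SSNCiphertext
	s[dst] = r
}

func main() {
	s := Store{}
	key := appKey()
	_ = Insert(s, key, 1, "alice", "123-45-6789")
	name, col := DBAView(s, 1)
	fmt.Println("DBA sees:", name, col)
	ssn, _ := AppView(s, key, 1)
	fmt.Println("app sees:", name, ssn)
}
```

The point the example makes against FDE, FBE and TDE is in DBAView: whoever can query the table, or read its files on the VM, gets only the nonce and ciphertext, while the key stays with the application. The trade-off the question already names is that the database can no longer index, search or compare the encrypted column, which is why per-app work or a product that does this generically is needed.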