Do We Need Baseline Security for all SQL Data Stores?

Nearly 7-in-10 SMBs Do Not Encrypt Their Data At-Rest

--

As we should all know, audit/compliance regimes have often failed to improve security practices. And so GDPR has come along to change things. At its core are: the focus on citizens' rights to access their data and to have it protected; pseudo-anonymity; incident response; … and … encryption. For data we thus need to understand the different states in which it may exist: data-at-rest; data-in-transit; and data-in-process.

For data in transit, we are fairly well covered, especially as we increase our usage of tunnels and VPNs, and few companies would be able to set up data infrastructures without implementing tunnelling between systems. For data in-process we still have a major problem, and this can lead to data leaking from memory.

But data at rest is often the weakest part of any data infrastructure, and the data here should be encrypted, in order to stop intruders (or insiders) stealing the database files and simply reading their contents. A single encryption key for the whole database can thus — at least — provide a barrier to an intruder. In the best case, multiple encryption keys would be used, and these would be managed by a key management system.
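The two-tier scheme the paragraph ends on (many data keys, all held under a key-management system) is usually called envelope encryption. The Go program below is an added illustration and is not code from the original post: a key-encryption key (KEK) kept in a small in-memory map stands in for the key a KMS would hold, each record gets its own random data-encryption key (DEK) that is wrapped under the KEK and stored beside the ciphertext, and the record id is bound as associated data so a ciphertext cannot be silently copied into another row. The function and type names, the KEK ids and the sample record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is what a database row would store for one protected
// column: which KEK wrapped the DEK, the wrapped DEK, and the ciphertext.
// Both byte slices are laid out as nonce || AES-GCM output.
type EncryptedRecord struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is
// authenticated but not encrypted. Returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails if ciphertext, tag or aad were altered.
func open(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// EncryptRecord makes a per-record 256-bit DEK, encrypts value with it
// (record id as AAD), then wraps the DEK under the KEK (KEK id as AAD).
func EncryptRecord(kekID string, kek []byte, recordID string, value []byte) (EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedRecord{}, err
	}
	ct, err := seal(dek, value, []byte(recordID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := seal(kek, dek, []byte(kekID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord looks up the KEK named in the record, unwraps the DEK and
// decrypts the value. keks plays the role of the key-management system.
func DecryptRecord(keks map[string][]byte, recordID string, rec EncryptedRecord) ([]byte, error) {
	kek, ok := keks[rec.KEKID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", rec.KEKID)
	}
	dek, err := open(kek, rec.WrappedDEK, []byte(rec.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(recordID))
}

// RotateKEK rewraps the record's DEK under a new KEK. The data ciphertext
// is untouched, so rotating the master key never means re-encrypting rows.
func RotateKEK(keks map[string][]byte, rec EncryptedRecord, newKEKID string, newKEK []byte) (EncryptedRecord, error) {
	kek, ok := keks[rec.KEKID]
	if !ok {
		return EncryptedRecord{}, fmt.Errorf("unknown KEK %q", rec.KEKID)
	}
	dek, err := open(kek, rec.WrappedDEK, []byte(rec.KEKID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := seal(newKEK, dek, []byte(newKEKID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{KEKID: newKEKID, WrappedDEK: wrapped, Ciphertext: rec.Ciphertext}, nil
}

func main() {
	kek := make([]byte, 32) // constructed demo KEK; a real one lives in the KMS
	rand.Read(kek)
	keks := map[string][]byte{"kek-v1": kek}
	rec, _ := EncryptRecord("kek-v1", kek, "cust-42", []byte("alice@example.com"))
	pt, err := DecryptRecord(keks, "cust-42", rec)
	fmt.Printf("%s %v\n", pt, err)
}
```

Two points the code makes concrete. First, the stored row never contains a usable key: the DEK is only readable by something that can reach the KEK, so a copied database file is just random bytes. Second, whole-database or envelope encryption protects the files, not a live database process that has already been handed the keys; an attacker who compromises the application still reads whatever the application can decrypt, which is why the key management system, not the database, should hold the KEK.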


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice