Post Ablqaq7SV4xABAALa4 by paco@infosec.exchange
Post #AblorZkUQ1GaQCH6Wm by mttaggart@infosec.town
2023-11-13T17:11:52.330Z
0 likes, 0 repeats
You know those compliance standards about data-at-rest? They're the floor, not the ceiling. Sure, keep full-disk-encryption, but for any sensitive data you are required to keep around for a while? Maybe additional encryption like with PGP or other methods is prudent. Why leave easy-to-read sensitive data around if you don't have to?
Post #Ablqaq7SV4xABAALa4 by paco@infosec.exchange
2023-11-13T17:25:51Z
1 likes, 0 repeats
@mttaggart To take a slightly opposing view: there are more tools in the access-control toolbox than just encryption. While encryption is ONE way to make data confidential and to control access to it, there are other methods that also work. We have to get away from the attitude that encryption is the only thing that protects data: if it's not encrypted it's just "laying around" and "easy-to-read". Encryption is the most efficient way to turn any business problem into a key management problem.
Post #AblqaqtJd9EaZaYZAu by mttaggart@infosec.town
2023-11-13T17:31:14.163Z
0 likes, 0 repeats
@paco@infosec.exchange I don't disagree, and I don't think anything I said should be interpreted as thinking of encryption as the "only" solution. Defense in depth, absolutely.

But for some data, there are reasonable questions to be asked about:
1. Who really needs to access the data? (This is an access control problem first, agreed)
2. How often do they need to access the data?
3. Does the frequency of access and audience require unencrypted storage?

So yes, access control first. But after that, I really do think there is a strong case to be made for encrypted file storage. I hear you on the key management problem, but calling a problem hard is, imo, a poor excuse to leave it unaddressed.
Post #Ablr4D3sHT5njNUhJQ by darkcyberman@nerdculture.de
2023-11-13T17:35:06Z
1 likes, 0 repeats
@mttaggart I always get a shortcut in my brain when I try to figure out where to leave the key. Especially if the data (and thus the key) needs to be available.
Post #Ablr4FcKmJqTepdFIm by mttaggart@infosec.town
2023-11-13T17:36:32.317Z
0 likes, 0 repeats
@darkcyberman@nerdculture.de Yes, this is a challenge! It's a solvable one, especially with modern key management tools. I swear, PGP/GPG set us back years in adoption of reasonable encryption by providing just awful tooling.
Post #AblrYGdlXTlRWBcAPA by darkcyberman@nerdculture.de
2023-11-13T17:41:04Z
1 likes, 0 repeats
@mttaggart The solutions known to me change the key problem to an Identity problem. For instance a keyvault that is accessible for the app managing the sensitive data. Is this what you mean?
Post #AblrYHQgbatbxuVEem by mttaggart@infosec.town
2023-11-13T17:41:56.968Z
0 likes, 0 repeats
@darkcyberman@nerdculture.de Yes, and given the additional controls we have over identity, this might be a better problem to have!
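The arrangement the last two posts describe (a key vault the application can reach, so "where do I leave the key" becomes "which identity may unwrap the key") as an added worked example; this is not code from anyone in the thread. The `KeyVault` class is a hypothetical stand-in for a managed KMS: it holds the key-encryption key, never releases it, and answers every wrap/unwrap request with an authorization decision on the caller's identity plus an audit entry. Data is envelope-encrypted with a fresh per-record data key, and only the wrapped data key sits beside the ciphertext at rest. To run with the standard library alone, `seal`/`unseal` use HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as a stand-in for a real AEAD such as AES-GCM; the sample record is constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; the kind of data the thread is talking about.
SAMPLE_RECORD = b"ssn=123-45-6789;dob=1980-01-01"


def _derive(key: bytes, label: bytes) -> bytes:
    """Domain-separate one 32-byte key into an encryption key and a MAC key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Stand-in for a real AEAD, not a recommendation."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag; aad is authenticated only."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_derive(key, b"enc"), nonce, len(plaintext))))
    mac_input = nonce + len(aad).to_bytes(4, "big") + aad + ct
    tag = hmac.new(_derive(key, b"mac"), mac_input, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_input = nonce + len(aad).to_bytes(4, "big") + aad + ct
    expected = hmac.new(_derive(key, b"mac"), mac_input, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))


class KeyVault:
    """Hypothetical key vault. The KEK never leaves it; access is an identity decision."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self._policy: dict[str, set[str]] = {}   # key_id -> principals allowed to use it
        self.audit: list[tuple[str, str, str, bool]] = []

    def create_key(self, key_id: str, principals: list[str]) -> None:
        self._policy[key_id] = set(principals)

    def _authorize(self, caller: str, key_id: str, op: str) -> None:
        allowed = caller in self._policy.get(key_id, set())
        self.audit.append((caller, key_id, op, allowed))   # every decision is logged, denied or not
        if not allowed:
            raise PermissionError(f"{caller} may not {op} with {key_id}")

    def generate_data_key(self, caller: str, key_id: str) -> tuple[bytes, bytes]:
        """Return (plaintext DEK, DEK wrapped under the KEK and bound to key_id via aad)."""
        self._authorize(caller, key_id, "generate")
        dek = secrets.token_bytes(32)
        return dek, seal(self._kek, dek, aad=key_id.encode())

    def unwrap(self, caller: str, key_id: str, wrapped: bytes) -> bytes:
        self._authorize(caller, key_id, "unwrap")
        return unseal(self._kek, wrapped, aad=key_id.encode())


def store_record(vault: KeyVault, caller: str, key_id: str, plaintext: bytes) -> dict:
    """Envelope-encrypt one record: fresh DEK, only the wrapped DEK is persisted."""
    dek, wrapped = vault.generate_data_key(caller, key_id)
    return {"key_id": key_id, "wrapped_dek": wrapped, "ciphertext": seal(dek, plaintext)}


def read_record(vault: KeyVault, caller: str, record: dict) -> bytes:
    """Reading requires the vault to unwrap the DEK for this caller; the app holds no long-lived key."""
    dek = vault.unwrap(caller, record["key_id"], record["wrapped_dek"])
    return unseal(dek, record["ciphertext"])


def demo() -> dict:
    vault = KeyVault()
    vault.create_key("customer-pii", principals=["svc:billing-app"])
    rec = store_record(vault, "svc:billing-app", "customer-pii", SAMPLE_RECORD)
    out = {"app_reads": read_record(vault, "svc:billing-app", rec),
           "plaintext_at_rest": SAMPLE_RECORD in rec["ciphertext"]}
    try:   # a principal with disk access but no key policy gets ciphertext and nothing else
        read_record(vault, "svc:backup-agent", rec)
        out["backup_denied"] = False
    except PermissionError:
        out["backup_denied"] = True
    out["denial_audited"] = ("svc:backup-agent", "customer-pii", "unwrap", False) in vault.audit
    tampered = dict(rec, ciphertext=bytes([rec["ciphertext"][0] ^ 1]) + rec["ciphertext"][1:])
    try:
        read_record(vault, "svc:billing-app", tampered)
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the shape: whoever copies the disk gets ciphertext plus a wrapped key that only the vault can open, and the vault opens it only for an identity the policy names, writing an audit line either way. Binding the wrapped DEK to its `key_id` through the authenticated `aad` stops a wrapped key from being replayed under a different key's (looser) policy. The cipher here is a stand-in; in a real deployment use the AEAD your KMS or library provides.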