Gartner Blog Network

New research on IaaS data at rest encryption

by Joerg Fritsch  |  June 2, 2014  |  3 Comments

Data at rest encryption in the cloud is a powerful technology with a downside: with present- state of the art solutions the confidentiality and protection of data in the cloud ultimately remains always a trade-off between confidentiality and availability of data. Although there are application and data specific exceptions, computers can currently only process data that is not encrypted. Parts of the confidential data must always be in cleartext in RAM, – even the necessary encryption keys!

Until first April 2014 most decision makers and IT specialists had probably believed that this is a purely theoretical security gap. After Heartbleed it became finally clear to everyone that cleartext in RAM it has “unpleasant” consequences if an attacker can gain access to it. But all is not lost. My new research note “Enabling High-Risk Services in the Public Cloud With IaaS Encryption” tells you what useful things data at rest encryption in the cloud can do for you and guides you in picking the sweet spot for your data in the cloud by selecting the encryption key management strategy.

P.S. Access requires Gartner GTP subscription.

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research


Joerg Fritsch
Research Director
1 year at Gartner
15 years IT Industry

Joerg Fritsch is a Research Director in the Gartner for Technical Professionals Security and Risk Management Strategies team. His specialties include information security, data center and cloud security, big data (analytics), cloud computing, PaaS, distributed systems, messaging and event-driven systems, and very fast networks and servers. Read Full Bio

Thoughts on New research on IaaS data at rest encryption

  1. David Mytton says:

    A number of cloud IaaS providers promote the fact that their storage offers encryption at rest by default. This is a good feature to protect against unauthorised access to the physical disks or perhaps a security flaw which allowed access to the at rest data. However, it’s not much good for anything else i.e. breaches which are likely to happen unless the data owner controls the keys.

    If the cloud vendor does the encryption transparently without the user being able to control the keys, then there’s no protection from things like vendor access, government requests, etc.

  2. Interesting read – sounds like your favorite IaaS cloud service provider would have to respond to a “national security letter” or the like by turning over memory that could include encryption keys for data-at-rest (even if the enterprise controls the encryption keys).

    Would the “Cloud Hardware Security Module” concept do anything to mitigate the risk of data compromise? I suppose I have to read the research to find out….


  3. […] point that Joerg highlights in a blog post announcing the report is, ‚ÄúParts of the confidential data must always be in cleartext in […]

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.