Blog post

New research on IaaS data at rest encryption

By Joerg Fritsch | June 02, 2014 | 2 Comments

Data at rest encryption in the cloud is a powerful technology with a downside: with present- state of the art solutions the confidentiality and protection of data in the cloud ultimately remains always a trade-off between confidentiality and availability of data. Although there are application and data specific exceptions, computers can currently only process data that is not encrypted. Parts of the confidential data must always be in cleartext in RAM, – even the necessary encryption keys!

Until first April 2014 most decision makers and IT specialists had probably believed that this is a purely theoretical security gap. After Heartbleed it became finally clear to everyone that cleartext in RAM it has “unpleasant” consequences if an attacker can gain access to it. But all is not lost. My new research note “Enabling High-Risk Services in the Public Cloud With IaaS Encryption” tells you what useful things data at rest encryption in the cloud can do for you and guides you in picking the sweet spot for your data in the cloud by selecting the encryption key management strategy.

P.S. Access requires Gartner GTP subscription.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • David Mytton says:

    A number of cloud IaaS providers promote the fact that their storage offers encryption at rest by default. This is a good feature to protect against unauthorised access to the physical disks or perhaps a security flaw which allowed access to the at rest data. However, it’s not much good for anything else i.e. breaches which are likely to happen unless the data owner controls the keys.

    If the cloud vendor does the encryption transparently without the user being able to control the keys, then there’s no protection from things like vendor access, government requests, etc.

  • Interesting read – sounds like your favorite IaaS cloud service provider would have to respond to a “national security letter” or the like by turning over memory that could include encryption keys for data-at-rest (even if the enterprise controls the encryption keys).

    Would the “Cloud Hardware Security Module” concept do anything to mitigate the risk of data compromise? I suppose I have to read the research to find out….