
Practice: Data Encryption-in-Transit & at-Rest

Purpose and Strategic Importance

Encryption-in-Transit and at-Rest protects sensitive data from unauthorised access, theft, or tampering - whether it's moving across networks or stored in databases, file systems, or object stores. It's a fundamental security and compliance requirement in any modern system.

Implementing strong encryption mechanisms ensures data integrity and confidentiality while meeting the expectations of regulators, customers, and business partners.


Description of the Practice

  • Encryption-in-Transit protects data as it moves across internal or external networks. TLS (Transport Layer Security) is the most common implementation.
  • Encryption-at-Rest protects stored data in volumes, files, databases, and object storage. This includes disk encryption, database-level encryption, and file-level encryption.
  • Modern systems use encryption by default, often with customer-managed or cloud-provider-managed keys (e.g. AWS KMS, Azure Key Vault, Google Cloud KMS).
  • Key management, rotation, and access policies are critical enablers of this practice.

How to Practise It (Playbook)

1. Getting Started

  • Identify all data flows and storage locations - both user and machine data.
  • Ensure TLS 1.2+ is enforced for all network communications (internal and external).
  • Enable default encryption-at-rest in databases, cloud storage buckets, volumes, and backups.
  • Use managed key management systems (KMS) to handle encryption keys securely.

2. Scaling and Maturing

  • Implement customer-managed keys (CMKs) where additional control or compliance is required.
  • Rotate encryption keys automatically and audit access to keys and encrypted data.
  • Extend encryption to logs, telemetry, and configuration files where sensitive data may reside.
  • Validate encryption coverage and effectiveness during architecture reviews and risk assessments.
  • Ensure secure exchange of keys using mechanisms such as PKI, HSM integration, or envelope encryption.

3. Team Behaviours to Encourage

  • Treat encryption as a default expectation, not an optional feature.
  • Include encryption decisions in architecture design and threat modelling.
  • Monitor for plaintext data in transport or storage through automated scans.
  • Train developers and ops on secure key usage and safe handling practices.
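
One way to run the automated plaintext scan mentioned in the list above, shown as an added example that is not part of this playbook's own material. The detector patterns, function names and sample log lines are constructed assumptions; findings report only the line number and detector name so the scanner does not re-leak what it finds.

```python
import re

# Detector patterns are illustrative assumptions, not an exhaustive rule set.
PATTERNS = {
    "bearer_token": re.compile(r"(?i)\bauthorization:\s*bearer\s+([A-Za-z0-9._~+/-]{16,}=*)"),
    "password_kv": re.compile(r"(?i)\b(?:password|passwd|secret|api_key)\s*[=:]\s*(\S+)"),
    "plaintext_url": re.compile(r"\bhttp://[^\s\"']+"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return 13 <= len(digits) <= 19 and total % 10 == 0

def scan_line(line: str) -> list:
    """Return the names of detectors that fire on one line."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(line):
            if name == "card_number" and not luhn_ok(m.group(0)):
                continue  # e.g. trace IDs and order numbers
            hits.append(name)
            break
    return hits

def scan(lines):
    """Yield (line_number, detector) findings; matched values are never echoed."""
    for n, line in enumerate(lines, 1):
        for name in scan_line(line):
            yield n, name

# Constructed sample log lines (test card number, fake credentials).
SAMPLE = [
    "2024-05-01T10:00:00Z INFO order=1042 status=paid",
    "2024-05-01T10:00:01Z DEBUG charge card=4111 1111 1111 1111 amount=12.50",
    "2024-05-01T10:00:02Z DEBUG db connect user=app password=example-not-real",
    "2024-05-01T10:00:03Z WARN callback http://billing.internal.example/notify",
    "2024-05-01T10:00:04Z INFO trace_id=1234567890123456 latency_ms=20",
    "2024-05-01T10:00:05Z DEBUG upstream Authorization: Bearer abcdefghijklmnop.constructed",
]

if __name__ == "__main__":
    for n, name in scan(SAMPLE):
        print(f"line {n}: {name}")
```

The same function can be pointed at log files, snapshots or test dumps in CI, failing the build when any finding is returned.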

4. Watch Out For…

  • Weak encryption standards (e.g. outdated TLS versions, self-signed certificates).
  • Misconfigured or unaudited key management systems.
  • Shadow data sources without encryption coverage (e.g. logs, snapshots, test dumps).
  • Inconsistent encryption policies across environments or services.

5. Signals of Success

  • All sensitive data is encrypted at rest and in transit by default.
  • Encryption is enabled and auditable across environments, storage types, and services.
  • Teams can demonstrate key ownership, access controls, and rotation policies.
  • No incidents of plaintext exposure in logs, backups, or traffic.
  • Teams can confidently show that encryption aligns with regulatory and contractual requirements.

Associated Standards
  • Policy enforcement is automated across environments
  • Systems recover quickly and fail safely
  • Operational readiness is tested before every major release
  • Product and engineering decisions are backed by live data