SOC 2 Controls: Encryption of Data at Rest

Controls are the procedures, processes, and systems your business uses to drive its operations and to meet the requirements of regulations, standards, and recommendations such as those that makeup SOC 2. Controls both define and enforce your business policies and, when implemented well and enforced consistently, help to mitigate risk. This is the first in what will be an occasional series of posts focused on specific SOC 2 controls.

What this Control Does: Encryption is an important element of cybersecurity and the protection of proprietary and personal information. This SOC 2 control focuses on encryption of data stored on specific platforms such as servers, as opposed to data in transit.

Who It Affects: Engineering, IT, and everyone involved in managing or operating your IT infrastructure or stored data.

Why It Matters: Encryption can reduce the risks of data being accessed by unauthorized individuals. The Encryption of Data at Rest control also addresses elements of the SOC 2 Common Criteria 6.x series. Specifically, this control addresses Common Controls 6.1 (Logical Access Security), 6.6 (Mitigate Outside Threats), and 6.7 (Data Transmission).

How to Implement This Control

In a word, selectively. Encryption is a powerful protection, and it can often make sense to encrypt all data at rest. However, encryption can slow down the processing of requests and data considerably, especially on older systems. If you can’t upgrade those older systems, you may need to consider a trade-off between the risk of exposed data and your systems and business performance.

Fortunately, you have options beyond “encrypt everything” and “encrypt nothing.” Most public cloud solutions allow you to “flip a switch” and encrypt data at rest. On-premise storage arrays can be configured to encrypt specific drives. Modern databases can even be configured to encrypt specific data fields, such as those that contain proprietary or personally identifiable information (PII). You can therefore encrypt everything where performance is not slowed and make choices that combine encryption with minimal performance degradation if necessary.

To optimize the effectiveness of your encryption efforts, you need to answer two questions.
Where is my data stored?
Which of my data is the most sensitive?

To answer these questions, you need at minimum complete, accurate, and up-to-date diagrams of your network and data flows. You can use these to prioritize your most sensitive data at rest and focus your encryption efforts on that data.

Once you’ve identified and located your most sensitive data at rest, you need to ensure your encryption methods are adequate for your organization’s data objectives and SOC 2 compliance. The Advanced Encryption Standard (AES) is a widely adopted industry benchmark. The two dominant “flavors” of the standard are AES-128 and AES-256. The numbers refer to the size of the encryption/decryption keys in bits. AES-128 is faster, while AES-256 may be more resistant to some cyberattacks. Your chosen encryption solutions should comply with the AES. Fortunately, most cloud providers and modern system providers support AES “out of the box.”

You will also need clear, documented, and enforced policies for data classification, data management, and encryption. Both NIST and the Center for Internet Security (CIS) can be valuable sources of information when developing these policies.

These steps will help you ensure that your most sensitive data at rest is encrypted, while less sensitive data flows unfettered across your IT infrastructure. They will also help you show your auditor that you’re serious about optimizing cybersecurity and SOC 2 compliance for your company, which can strengthen and elevate your relationship with them.

How Trustero Can Help

Trustero Compliance as a Service includes multiple features to help you implement the Encryption of Data at Rest control, and to demonstrate compliance with its requirements to your auditor credibly and on demand. The solution’s user interface consolidates the description of the control, information about it and its status, and the ability to test compliance with it on a single screen, in plain, clear language.