Data At Rest Encryption

Organizations of all sizes are dependent on large volumes of data, housed physically on computer data storage platforms, both on-premises and in the cloud. This data “at rest” is often critical and sensitive data, and if exposed or breached could result in major disruptions, losses or penalties. Protecting data at rest is more important than ever.

Options for Encrypting Data at Rest

When considering currently available encryption schemes, two prevailing data protection solutions are typically considered.

One is encryption at-rest, which is generally a storage level data security model for physical storage. The other is transparent data encryption, which is a database container model for encrypted data at the database level.

There are encryption at rest capabilities built into Amazon S3, and RDS, and there are different TableSpace or database-level encryption options available as basic services. But these are all container-based approaches to encryption, which do very little to protect against modern-day data systems attack or data leak.

These methods fall short in truly protecting data at rest, because any attacker who accesses systems using these above methods will get access to the data in the clear. These methods are very good for physical types of data breaches, where the data or storage is physically compromised, or if the end point is lost, or if the server is compromised in some physical manner.

But that is not typically how data is being exfiltrated or breached today in the onslaught of breaches that continue to make headlines.  At Baffle we jokingly refer to the Tom Cruise / Mission Impossible threat model, where Tom Cruise breaks into the data center by dropping in from the ceiling and steals your data. This is not how people are really stealing data today, and it is not how databases are being breached.

This represents a continual understanding gap in the market and why Baffle believes that breaches continue to occur. The security model is protecting against the wrong risk, or trying to protect against the threat in an incorrect manner.

Data-Centric vs. Standard Encryption Models

When we look at data-centric protection and how to comply with regulations such as GDPR and CCPA, organizations need to make sure that they are using the correct technical controls to secure non-encrypted, nonredacted data, which is subject to the data breach and the associated consumer-driven fines that an organization would be exposed to.

But not all encryption models actually protect at the data level. There is a difference between a data-centric method and a standard encryption at rest method. Encryption and data protection controls don’t actually protect at the data level in many cases, because these methods assume that only attackers outside of the organization – or outside of the Zero Trust areas – need to be thwarted.

But if an attacker is moving laterally in a network and the organization is already operating from an assumed breach posture, then you have to grant that an attacker is already moving laterally in your network. That means they have carte blanche full access to your data in the clear, so you remain unprotected.

It’s time for security teams to start looking at data-centric protection methods that protect the actual PII or consumer data values, and perform entitlements and access controls around them.

This needs to happen while also fulfilling the mandate to provide visibility and monitoring, or being able to discover consumer data as well as executing on the right to be forgotten, or deleting that actual PII.

Baffle: Data-Centric Encryption at Rest

Baffle tokenizes, encrypts or masks your data on the fly as it is created, inserted, updated and viewed at the record level or field level. You can then use Baffle to decrypt encrypted data from the database before the application receives the data.

The solution fundamentally addresses who can see what data by using a method to protect actual data values and control the presentation of that data by masking it for a given user or role.

This is all done without changing a single line of code in your applications, and without any additional overhead on your database operations.

Contact Baffle to learn more today.

AWS MarketPlace Download

Baffle also supports headless deployments via Docker images.  If you’d prefer to deploy via a Docker image and get up and running quickly.  Please email [email protected].

Encryption Simplified White Paper

Simplifying Encryption White Paper

Baffle Data Protection Services aims to make encryption simple to adopt without disrupting existing application functionality – it protects data all the way up to a record level granularity and supports four modes of protection depending on the level of security desired.

Our Solution

Baffle delivers an enterprise level transparent data security mesh that secures data at the field or file level via a "no code" model.  The solution supports tokenization, format preserving encryption (FPE), database and file AES-256 encryption, privacy preserving analytics and access control. As a transparent solution, cloud native services are easily supported with almost no performance or functionality impact.

Icon Simplified


No application code modification

Icon Fast


Virtually no performance

Icon Seamless


Integrates easily into your

Icon Secure


AES encryption in memory, in use,
and at-rest

Schedule a live demo with one of our solutions experts to get answers to your questions