DAT-003 Encryption at Rest
Description
All sensitive and confidential data stored in databases, object storage, file systems and backup media is encrypted using approved algorithms (minimum AES-256 or equivalent). Encryption is applied at the storage layer, volume or field level as appropriate to the classification and risk.
Rationale
Encryption at rest limits the impact of physical or logical access to storage infrastructure. It is a baseline SaaS expectation across all major security frameworks.
Framework Mappings (8)
| Control ID | Control name | Coverage |
| --- | --- | --- |
| CEK-03 | Data Protection | full |
| CEK-04 | Encryption Algorithm | partial |
| UEM-08 | Storage Encryption | partial |
| GDPR-Art.32.1 | Technical and Organisational Security Measures | partial |
| 8.24 | Use of cryptography | full |
| SC-13 | Cryptographic Protection | partial |
| SC-28 | Protection of Information at Rest | full |
| CC6.1 | Logical Access Security Software, Infrastructure, and Architectures | partial |
Evidence (2)
Cloud provider storage configuration demonstrating encryption at rest is enabled for all databases, object stores and backup media using approved algorithms.
Example: AWS S3 bucket policy export, RDS instance configuration, or equivalent GCP/Azure output showing server-side encryption enabled (AES-256 or KMS-managed key) for all buckets and database instances in the production account
Test: Query cloud provider APIs or console exports for all storage resources in production. Verify: (1) encryption at rest is enabled on every S3 bucket / Cloud Storage bucket, (2) every RDS / Cloud SQL / Cosmos DB instance has encryption enabled, (3) backup snapshots are encrypted, (4) no unencrypted EBS volumes or equivalent are present in production.
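The four Test checks above can be run mechanically over a console or CLI export. The following is an added example, not part of the control catalogue: it evaluates an export shaped like the AWS CLI responses named in the comments (the field names are AWS's; the `SAMPLE_EXPORT` data, the bucket and instance names, and the `audit` function itself are constructed for illustration) and reports every resource that fails.

```python
"""Offline evaluation of the Test checks for DAT-003 against an AWS export.
Input shapes follow the AWS CLI: `aws s3api get-bucket-encryption`,
`aws rds describe-db-instances`, `aws rds describe-db-snapshots`,
`aws ec2 describe-snapshots`, `aws ec2 describe-volumes`."""

# SSE-S3 (AES256) and SSE-KMS (aws:kms) both encrypt with AES-256 GCM.
APPROVED_SSE = {"AES256", "aws:kms"}


def s3_findings(buckets):
    """buckets: {name: get-bucket-encryption output, or None if the call
    returned ServerSideEncryptionConfigurationNotFoundError}."""
    findings = []
    for name, cfg in buckets.items():
        rules = (cfg or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                 for r in rules}
        if not algos & APPROVED_SSE:
            findings.append(f"s3:{name}: no approved default SSE ({algos or 'none'})")
    return findings


def flag_findings(kind, items, id_key, flag_key):
    """Flag every resource whose boolean encryption attribute is not True
    (a missing attribute is treated as a failure, not a pass)."""
    return [f"{kind}:{i.get(id_key)}: {flag_key} is not true"
            for i in items if i.get(flag_key) is not True]


def audit(export):
    """Return a list of findings; an empty list means all four checks pass."""
    findings = s3_findings(export.get("s3", {}))                                   # check (1)
    findings += flag_findings("rds", export.get("rds", []),
                              "DBInstanceIdentifier", "StorageEncrypted")          # check (2)
    findings += flag_findings("rds-snapshot", export.get("rds_snapshots", []),
                              "DBSnapshotIdentifier", "Encrypted")                 # check (3)
    findings += flag_findings("ebs-snapshot", export.get("ebs_snapshots", []),
                              "SnapshotId", "Encrypted")                           # check (3)
    findings += flag_findings("ebs", export.get("volumes", []),
                              "VolumeId", "Encrypted")                             # check (4)
    return findings


# Constructed sample export; names and IDs are placeholders, not a real account.
SAMPLE_EXPORT = {
    "s3": {
        "prod-customer-data": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        "prod-logs-legacy": None,  # no bucket encryption configuration returned
    },
    "rds": [{"DBInstanceIdentifier": "prod-orders", "StorageEncrypted": True},
            {"DBInstanceIdentifier": "prod-reports", "StorageEncrypted": False}],
    "rds_snapshots": [{"DBSnapshotIdentifier": "prod-orders-snap", "Encrypted": True}],
    "ebs_snapshots": [{"SnapshotId": "snap-0EXAMPLE", "Encrypted": False}],
    "volumes": [{"VolumeId": "vol-0EXAMPLE", "Encrypted": True}],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FAIL", finding)
```

Run against the constructed sample it reports three failures (one bucket, one RDS instance, one EBS snapshot); a clean production export yields an empty list, which is the evidence the Test step asks for.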
Encryption policy or cryptographic standards document specifying approved algorithms, minimum key lengths, and the requirement to encrypt sensitive data at rest.
Example: Cryptographic Controls Policy or Encryption Standard (Confluence), approved by CISO, specifying AES-256 as minimum, defining scope (databases, object storage, backups, laptops) and referencing FIPS 140-2 or equivalent
Test: Request the encryption policy or cryptographic standard. Verify: (1) names AES-256 (or equivalent) as the minimum approved algorithm, (2) explicitly requires encryption at rest for Confidential and Restricted data, (3) is approved by a named authority and dated within 24 months, (4) scope covers databases, object storage, backups and endpoints.
Questions (2)
Is all sensitive and confidential data encrypted at rest using an approved algorithm (AES-256 or equivalent) across databases, object storage, file systems and backup media?
Encryption must cover all environments holding sensitive or personal data including production databases, object stores (e.g. S3, Cloud Storage), backup snapshots, and attached volumes. Verify the algorithm meets AES-256 or an equivalent approved standard.
At which layer(s) is encryption at rest applied?
A defence-in-depth approach applies encryption at multiple layers. Field-level encryption for highly sensitive fields (e.g. national IDs, payment data) provides the strongest protection against logical access to the database layer.