[clue] Securing data in transit/at rest.
David L. Anselmi
anselmi at anselmi.us
Mon Nov 10 18:45:24 MST 2014
Quentin Hartman wrote:
> Just to pile on from Aaron, many people refer to this as the distinction
> between "security in transit" and "security at rest". They are useful
> phrases for talking about this sort of thing. Ideally you really want to
> have both, but whether or not it matters for your application is unknown.
So I have a file to send you. It will go on your server using an account that I can log in to. You
have complete and sole control over the server and every right to the data in the file. You have
contracted with me to keep the file secret from everyone.
My concern is the file's confidentiality from everyone except you.
Does that make sense?
Given the above, why do I care whether the file is encrypted (at rest on your end)? (Obviously it
has to be encrypted in transit.)
So you might say that other people could have access to the files on your server (perhaps it's
hosted by someone else, or you might worry that it could be compromised some day). In that case
encrypting the file keeps it away from those other people (as long as you keep your key secure).
But then encrypting the file is *your* requirement, not mine. To me, the file is equally secure
whether I encrypt it or not because I'm giving it to you alone and you're going to keep it secret
(per our contract).
Is that reasonable? Or should we argue about it tomorrow night? :-)
Dave
More information about the clue
mailing list