In the week since the TalkTalk breach there has been commentary on encryption of data, particularly after their CEO’s comment that they were not legally required to encrypt it. Of course, encrypting data at rest is a common-sense control against a range of threats, such as physical theft or loss of the storage device.
The cause of the breach is unknown, but we can assume that the breach happened through an SQL injection or a similar application vulnerability. Does encryption protect you from these threats? Unlikely. By necessity the application needs access to cleartext data to be able to process and present it. So if a vulnerability is present in an application, it’s highly likely to give the same access to the data as the application had – in cleartext.
In many situations it may be possible to use more sophisticated schemes that encrypt individual objects stored in a database, so that the application only has access to cleartext data directly relating to the currently authenticated user. This is done in some databases to a limited extent, for example where storage of credit card data is concerned, but it is not a simple or cheap task to scale to a database containing millions of users.
This is why management of information security risk is critical. Before spending time and resources on controls, you need to know that you are implementing the controls that address the right risks.