
Encryption's Utility: Exploring Its Role in Risk Management and Compliance

Doubts surface in most discussions of encryption, and skeptics are quick to add their own.


In the ever-evolving world of technology, maintaining a secure digital environment is paramount, especially in the context of cloud computing. This article explores the current trends and best practices in cloud security, highlighting the importance of regular reassessments, user awareness, and attestation.

Under the Sarbanes-Oxley Act (SOX), management must establish and maintain internal controls over financial reporting and assess their effectiveness every fiscal year (Section 404). The law is concerned with internal controls and accurate financial reporting; it does not mention encryption at all.

Encryption is easy to put on a checklist, but it offers limited protection against the data security threats that actually materialize in the cloud, particularly when the attack vector is the user. As data has migrated to the cloud, attackers have shifted their effort from exploiting software to obtaining credentials: a user is a cheaper and more readily available way in than a vulnerability.

This is evident in the rise of phishing, which has become a simpler and more effective way to reach data held in cloud services than any exploit. A phished credential is presented to the service as a legitimate login, and the service decrypts whatever that identity is authorized to read, so the encryption at rest never stands in the attacker's way.

From the SOX point of view, then, encryption is "lipstick on a pig": what the law asks for is attestation that internal controls exist and work. That emphasis on attestation is mirrored in modern compliance practice, which prioritizes evidence that controls are in place and effective over any particular preventive technology.

To strengthen the security posture, investments in workforce phishing education and two-factor authentication pay off more than further investment in encryption. Encryption of data at rest defends against the storage layer being exposed, such as a lost disk or a leaked backup, and it says nothing about who is allowed to log in. Once a user with sufficient access privileges has been compromised, the attacker reads the data through the same authorized path the user would, and the security value of encrypting it at rest becomes nominal.

HIPAA takes a similar stance. The Security Rule lists encryption only as an "addressable" implementation specification rather than a required one: a covered entity must implement it where reasonable and appropriate, and otherwise document why it was not implemented and what equivalent measure was chosen instead. In every case the entity must document the decision, including the factors considered and the results of the risk assessment on which it was based.

In conclusion, encryption has a role in securing data in the cloud, but users remain the most likely point of compromise, and neither SOX nor HIPAA treats encryption as the control that matters most. By focusing on attestation of controls, user awareness, and education, organizations can better protect their data and meet the requirements of the laws that actually apply to them.
