What should we encrypt?

As I have been thinking about encryption, the value it provides, and the applications to which it is applied, I started reviewing the types of encryption that still have some degree of efficacy. In 2014, when Snowden released documents with a lot of NSA capabilities, it was revealed publicly that the NSA had cracked the majority of the encryption schemes, with only a few exceptions. One of the unbroken tools was the open systems disk encryption utility, TrueCrypt. Since that time, the group supporting TrueCrypt decided to put it on the shelf, saying it was not possible to keep ahead of the rapidly growing capabilities of cracking tools.

Does that mean we shouldn’t use encryption anymore? Let’s consider that question with a different real world example. Do you have locks on the external doors of your home? If so, are there people in the world who can pick your locks? I’d say that the majority of us cannot purchase a lock that will take a professional very long to pick.

So, why do we use locks? Because not everyone is a hacker. Locks keep honest people honest. They keep people from doing unintended harm. They slow down those with bad intentions, and keep out all but the most determined individuals.

For that reason, we should also encrypt and protect our computer assets. I still use TrueCrypt on my personal laptop. My company uses a commercial disk protection software tool for both encryption and intrusion detection.

Still, I’m thinking about what we should be doing with our desktop and server resources. Because they don’t travel, the risks are different. Risks come from those inside the physical plant, or with remote capabilities. What about the individual who has a virus without their knowledge? They remote into your server allowing access to local disks. Can they do harm without knowing it? The risk increases as their rights increase. It’s likely they are going to have quite a few rights if they are remoting into a server.

How about when you de-commission a server? Do you still have intellectual property on the disk? If it was encrypted, your risk for intrusion is greatly reduced. So, is it worth the small impact on performance to encrypt the disk resources on a server?

I’m asking lots of questions here because I really don’t see a lot of guidance. As we move assets into the cloud, that throws a whole new spin on things. What are the questions we should be asking ourselves? Are there best practices that already exist? Do you have any recommendations of personal experience to guide us?