Data at Rest Security Controls

Data at rest security controls govern the protection of stored information — data residing on disk drives, solid-state storage, backup media, database systems, and archive repositories when it is not actively being transmitted or processed. These controls form a foundational layer of any data protection program, addressing exposure risks that arise from physical theft, unauthorized logical access, insider threats, and media disposal failures. Regulatory frameworks including HIPAA, FISMA, PCI DSS, and the NIST control catalog each impose specific requirements that make understanding this control category operationally essential for security architects, compliance officers, and procurement professionals navigating the .

Definition and scope

Data at rest refers to all information stored persistently on physical or virtual media — including relational databases, file servers, object storage buckets, endpoint hard drives, removable media, backup tapes, and cold storage archives. The control category covers cryptographic protections, access restrictions, media sanitization requirements, and integrity monitoring applied to that stored state.

The National Institute of Standards and Technology (NIST) addresses data-at-rest protections across two primary control families in NIST SP 800-53, Rev. 5: SC (System and Communications Protection) and MP (Media Protection). SC-28 specifically requires protection of information at rest, and SC-28(1) mandates cryptographic mechanisms when the risk of unauthorized disclosure is elevated. The MP family covers media access, marking, transport, sanitization, and disposal.

Scope boundaries matter in practice. Data at rest controls apply only to stored states — they do not govern data in transit (covered by transport layer encryption standards such as TLS) or data in use (addressed by memory protection and trusted execution environment controls). This three-state classification — at rest, in transit, in use — is formalized in the NIST Cybersecurity Framework and is the organizing principle behind most enterprise data protection architectures. Professionals seeking broader coverage of this taxonomy can reference the data security providers organized by control domain.

How it works

Data at rest security controls operate through four discrete mechanism types:

1. Encryption — Cryptographic transformation of stored data so that it is unreadable without the correct decryption key. The Advanced Encryption Standard (AES) with 256-bit keys (AES-256) is the dominant algorithm for federal and regulated-industry use, endorsed by the National Security Agency (NSA) for protecting classified information and required under FIPS 140-3 for cryptographic modules used in federal systems. Encryption can be applied at the full-disk level (Full Disk Encryption, FDE), at the volume or partition level, at the database column level, or at the file/object level — each with distinct key management implications.

2. Access controls — Identity-based restrictions that limit which users, processes, or systems can read or modify stored data. Role-based access control (RBAC) and attribute-based access control (ABAC) models are both addressed in NIST SP 800-53 under the AC (Access Control) family. Least-privilege enforcement is the operative principle: accounts should hold only the permissions necessary for their defined function.

3. Integrity monitoring — Hash-based or cryptographic verification mechanisms that detect unauthorized modification of stored data. File integrity monitoring (FIM) tools generate baseline checksums and alert on deviations. NIST SP 800-53 control SI-7 (Software, Firmware, and Information Integrity) establishes the baseline requirement.

4. Media sanitization and disposal — Procedures that render stored data irrecoverable when media reaches end-of-life or is reassigned. NIST SP 800-88, Rev. 1, Guidelines for Media Sanitization, defines three sanitization categories: Clear (overwriting), Purge (cryptographic erase or degaussing), and Destroy (physical destruction). The appropriate category depends on media type and data sensitivity classification.

Key management is the operational linchpin of encryption-based controls. Encryption is only as strong as the protection afforded to its keys. The separation of key storage from encrypted data storage — and the use of dedicated Hardware Security Modules (HSMs) — is a baseline expectation under federal guidance and PCI DSS Requirement 3.7.

Common scenarios

Healthcare organizations subject to the HIPAA Security Rule (45 CFR Part 164) must implement addressable encryption specifications for electronic protected health information (ePHI) stored on servers, workstations, and portable devices. The HHS Office for Civil Rights has assessed penalties in cases where unencrypted laptops containing ePHI were lost or stolen, with individual breach penalties reaching up to $1.9 million per violation category per year ((HHS, Civil Monetary Penalties)).

Federal agencies operating under FISMA (44 U.S.C. § 3551 et seq.) are required to implement FIPS 140-validated encryption for all sensitive data at rest on federal information systems, as directed by Office of Management and Budget (OMB) Memorandum M-06-16.

Payment card environments under PCI DSS v4.0 (PCI Security Standards Council) must render stored Primary Account Numbers (PANs) unreadable using AES-256, tokenization, or truncation — Requirement 3.5 establishes this as a non-negotiable control for any entity storing cardholder data.

Cloud storage deployments introduce shared-responsibility boundaries where server-side encryption (SSE) provided by cloud platforms must be distinguished from client-side encryption managed by the data owner. The control jurisdiction — who holds the encryption keys — determines the assurance level.

Decision boundaries

Selecting the appropriate data-at-rest control profile requires resolution of three structural questions:

Full-disk encryption vs. application-layer encryption — FDE protects against physical theft of media but does not protect data once the system is running and the disk is mounted. Application-layer or database-level encryption remains protective against logical unauthorized access even on a live system. Regulated environments handling PHI or PAN data typically require column-level or field-level encryption for the most sensitive data elements, regardless of FDE status.

Symmetric vs. asymmetric encryption for stored data — Symmetric algorithms (AES-256) are standard for bulk data-at-rest encryption due to performance efficiency. Asymmetric cryptography (RSA, ECC) is used for key wrapping and key exchange, not for encrypting large stored datasets directly. NIST SP 800-57, Recommendation for Key Management, defines the appropriate algorithm selection criteria by data sensitivity and key lifecycle requirements.

Addressable vs. required specifications under HIPAA — HIPAA distinguishes between "required" implementation specifications (mandatory) and "addressable" ones (must be implemented or the organization must document why an equivalent alternative was used). Encryption of ePHI at rest is addressable under 45 CFR § 164.312(a)(2)(iv), but HHS guidance makes clear that the burden of justifying non-implementation is substantial, particularly for portable devices. Professionals assessing this boundary can access supporting reference material through the how to use this data security resource section.

The control selection process is not binary. Layered controls — combining FDE, database encryption, RBAC, and FIM — produce defense-in-depth architectures that satisfy regulatory requirements across HIPAA, PCI DSS, and FISMA simultaneously while reducing the residual risk that any single control failure creates an exploitable exposure.