Encryption of Data at Rest

The NIST Special Publication 800-111, “Guide to Storage Encryption Technologies for End User Devices,” provides guidance for encrypting data at rest. Data at rest is data that is not in motion and may or may not require encryption, depending on the requirements for securing that data. For example, encryption is required for mobile devices, but may not be for servers and desktops which have other data protection controls in place. Encryption requirements for servers and desktops may be required by specific compliance requirements, depending on the sensitivity of the data. This section describes how to use Tenable Compliance & Audit Files to assess various Operating Systems and platforms for encryption of data at rest.

The following audit files contain encryption checks for data at rest. There are additional audit files that can be used to assess various platform versions:

CIS_Apple_macOS_12
CIS_Juniper_OS
CIS_Kubernetes_v1.6.1
CIS_MS_Windows_10_Enterprise_Bitlocker
CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker
CIS_MS_Windows_10_Enterprise_Level_2_Bitlocker
CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker_Next_Generation_Windows_Security
CIS_MS_Windows_10_Enterprise_Level_2_Bitlocker_Next_Generation_Windows_Security
CIS_OSX_10.11
DISA_STIG_Apple_iOS_12_v1r2-AirWatch
DISA_STIG_Apple_iOS_12_v1r2-MobileIron
DISA_STIG_MSSQL_2016_Database
DISA_STIG_Samsung_Android_7_with_Knox_2.x_v1r1-AirWatch
DISA_STIG_Samsung_Android_7_with_Knox_2.x_v1r1-MobileIron

As shown below, the CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker audit file contains a check to ensure that hardware-based encryption is enabled for fixed drives. The description is the audit check name, which becomes the Plugin Name in Tenable Security Center. The Cross References that this audit check maps to are also listed at the bottom in the reference section.

The audit check displayed below is from the CIS_Apple_macOS_12.0_Monterey audit file. The Cross References are highlighted for this check, which ensures FileVault is Enabled.