Encryption of Data at Rest

The NIST Special Publication 800-111, “Guide to Storage Encryption Technologies for End User Devices,” provides guidance for encrypting data at rest. Data at rest is data that is not in motion and may or may not require encryption, depending on the requirements for securing that data. For example, encryption is required for mobile devices, but may not be for servers and desktops which have other data protection controls in place. Encryption requirements for servers and desktops may be required by specific compliance requirements, depending on the sensitivity of the data. This section describes how to use Tenable Compliance & Audit Files to assess various Operating Systems and platforms for encryption of data at rest.

The following audit files contain encryption checks for data at rest. There are additional audit files that can be used to assess various platform versions:

  • CIS_Apple_macOS_12
  • CIS_Juniper_OS
  • CIS_Kubernetes_v1.6.1
  • CIS_MS_Windows_10_Enterprise_Bitlocker
  • CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker
  • CIS_MS_Windows_10_Enterprise_Level_2_Bitlocker
  • CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker_Next_Generation_Windows_Security
  • CIS_MS_Windows_10_Enterprise_Level_2_Bitlocker_Next_Generation_Windows_Security
  • CIS_OSX_10.11
  • DISA_STIG_Apple_iOS_12_v1r2-AirWatch
  • DISA_STIG_Apple_iOS_12_v1r2-MobileIron
  • DISA_STIG_MSSQL_2016_Database
  • DISA_STIG_Samsung_Android_7_with_Knox_2.x_v1r1-AirWatch
  • DISA_STIG_Samsung_Android_7_with_Knox_2.x_v1r1-MobileIron

As shown below, the CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker audit file contains a check to ensure that hardware-based encryption is enabled for fixed drives. The description is the audit check name, which becomes the Plugin Name in Tenable.sc. The Cross References that this audit check maps to are also listed at the bottom in the reference section.

The audit check displayed below is from the CIS_Apple_macOS_12.0_Monterey audit file. The Cross References are highlighted for this check, which ensures FileVault is Enabled.