File or Folder level Encryption Pros and Cons
File or folder level encryption (or file system level encryption) is an encryption system in which specific folders, files, or volumes are encrypted by a third-party software package or by a feature of the file system itself. Here are the pros and cons of implementing file or folder level encryption. These pros and cons are taken from Tony Bradley's books on PCI compliance.
Pros:
- More granular control over what specific information needs to be encrypted can be achieved. Items that you want encrypted can be stored in a particular folder or volume, and data that does not need to be protected can be stored elsewhere.
- Many file-level encryption products allow you to integrate access level restrictions. This allows you to manage who has access to what.
- When data is encrypted at the file level and is moved off the storage location, it is moved encrypted. This maintains the confidentiality of the data when it is moved to a backup tape.
- Less invasive to a database than column-level encryption. The schema of the database does not need to be modified, and access to data by authorized personnel (based on access control) is not hindered when querying and other management activities take place. This is an aspect of availability, one of the three tenets of the CIA triad.
- Tends to consume less resource overhead, and thus has less impact on system performance.
- Logging and auditing capabilities. Some file-level encryption systems offer the capability to track who attempts to access a file and when. Since the majority of data breaches are internal to the network, this kind of information is good to have.
Cons:
- Can cause performance issues for backup processes, especially with relational databases.
- Requires extra resources for key management.
- May not be granular enough when access to certain columns of a database is desired but others need to be restricted.
- Possibility of encrypting more data than is necessary for compliance.