All news with #encryption at rest tag

Mon, October 13, 2025

Google transitions to cryptographic media sanitization

🔐 Google will transition in November 2025 from overwrite-based media sanitization to cryptographic erasure, using default encryption to render data unrecoverable by securely deleting encryption keys rather than overwriting drives. Recognized in NIST SP 800-88, this method is faster and better suited to modern storage technologies. Google says it will apply a layered, defense-in-depth model with independent verification, key rotations, and protections for device secrets to maintain strong safeguards.

Mon, October 13, 2025

Buyer’s Guide — Data Protection Platforms for Hybrid Clouds

🔒 This buyer’s guide explains why organizations need comprehensive data protection platforms for hybrid cloud environments and which capabilities to prioritize. It highlights core requirements such as data discovery and classification, layered protections (encryption, DLP, immutability), continuous monitoring, and automated recovery to address ransomware, misconfigurations, outages and compliance. The guide also surveys market trends and leading vendors to help IT teams evaluate DPaaS, cloud-native and on-premises options.

Thu, October 9, 2025

Microsoft Releases Enterprise Windows Backup for Orgs

🔒 Microsoft has made Windows Backup for Organizations generally available, offering an enterprise-grade, opt-in solution to preserve Windows settings, user preferences, and Microsoft Store-installed apps. The capability is available after installing the September 2025 Windows Monthly Cumulative Update on Entra-joined devices and must be enabled by administrators through Intune or backup and restore policy settings. Backups are stored in Exchange Online in the tenant's selected Country/Region, are protected by encryption, and are accessible to Microsoft personnel only under strict oversight for troubleshooting or legal compliance, helping streamline migrations to Windows 11 during device setup.

Fri, October 3, 2025

EC2 Image Builder: Pipeline Auto-Disable and Custom Logs

⚙️ EC2 Image Builder pipelines can now be automatically disabled after a configurable number of consecutive failures, and you can assign custom log groups with retention and encryption settings to meet organizational policies. This prevents unnecessary resource creation and repeated failed builds, reducing costs and operational noise. These capabilities are available at no extra charge across all AWS commercial regions and are usable via Console, CLI, API, CloudFormation, or CDK.

Mon, September 29, 2025

Amazon EC2 Auto Scaling Adds FIPS PrivateLink Endpoints

🔒 Amazon EC2 Auto Scaling now supports FIPS 140-3 validated VPC endpoints via AWS PrivateLink, enabling regulated workloads to use cryptographic modules that meet federal requirements. This update allows customers to create FIPS-compliant VPC endpoints in select US and Canada regions to satisfy government and regulated-industry encryption mandates. Refer to AWS guidance for setting up VPC endpoints and integrating AWS PrivateLink with EC2 Auto Scaling.

Mon, September 29, 2025

Security Hardening Essentials for Resource-Constrained SMBs

🔒 Security hardening boosts protection for organizations, especially SMBs, by reducing their attack surface without large additional investments. Key measures include strong authentication and authorization—enforcing strict passwords, multifactor authentication, least-privilege access and network access controls—alongside timely patching, data encryption and segmented, tested backups. Regular staff training, account audits and permission reviews complete a practical, low-cost defense posture.

Fri, September 26, 2025

Threat Modeling Your Digital Life Under Authoritarianism

🔒 The article argues that personal threat modeling must adapt as governments increasingly combine their extensive administrative records with corporate surveillance data. It details what kinds of government-held data exist, how firms augment those records, and the distinct dangers of targeted versus mass surveillance. Practical mitigations are discussed—encryption, scrubbing accounts, burner devices—and the piece stresses that every defensive choice is a trade-off tied to individual goals.

Tue, September 23, 2025

AWS IAM Identity Center Adds Customer-Managed KMS Keys

🔐 IAM Identity Center now supports customer-managed AWS KMS keys to encrypt workforce identity data, including user and group attributes. While AWS-owned keys remain the default, a customer-managed key (CMK) lets organizations control key lifecycle, policies, and usage permissions for stronger security and compliance. CMKs can be set when enabling a new organization instance or added to existing ones, and their usage is auditable via AWS CloudTrail. Support is available for access to accounts and select AWS applications across all IAM Identity Center regions; standard KMS charges apply.

Wed, September 17, 2025

Amazon EventBridge Adds Customer-Managed KMS Support

🔐 Amazon EventBridge now supports AWS KMS customer managed keys for event bus rule filter patterns and input transformers. This lets you encrypt the logic that selects and modifies events with your own keys to meet security and compliance requirements while retaining full key control. The feature is available in all commercial AWS Regions and can be audited via AWS CloudTrail. There is no additional EventBridge charge, though standard AWS KMS pricing applies.

Wed, September 17, 2025

Preparing Organizations for the AI and Quantum Threat

🔒 This upcoming 60‑minute webinar examines how quantum computing and AI are jointly reshaping cybersecurity and accelerating new attack vectors. Top experts will cut through the hype to explain quantum-safe cryptography, practical defenses against AI-driven phishing and "harvest now, decrypt later" risks, and industry-specific controls for finance, healthcare, and critical infrastructure. Attendees will leave with a concrete roadmap for assessment, deployment, and ongoing resilience. Seats are limited.

Tue, September 16, 2025

Multi-Region Key Replication in AWS Payment Cryptography

🔐 AWS introduces Multi-Region keys for AWS Payment Cryptography, a built-in option to automatically synchronize exportable symmetric payment keys from a primary Region to one or more replica Regions. You can choose account-level defaults or per-key replication targets, keep consistent key IDs across Regions, and rely on asynchronous replication with monitoring via new CloudTrail events. The feature improves availability and disaster recovery for global payment operations while preserving granular control over replication.

Mon, September 8, 2025

Signal adds opt-in end-to-end encrypted backups for chats

🔒 Signal has introduced an opt-in secure cloud backups feature that creates end-to-end encrypted archives of users' messages and recent media. The capability is available now in the Android beta and will be rolled out to iOS and desktop after testing completes. The free tier stores messages and up to 45 days of media within a 100 MiB limit; a paid $1.99/month plan raises storage to 100 GB and extends media retention. Backups occur daily, exclude soon-to-disappear and view-once messages, and are protected by a 64-character recovery key generated on-device that Signal never receives.

Thu, August 28, 2025

Hidden Vulnerabilities in Project Management Tools: Backup

🛡️ Many organizations rely on SaaS project platforms such as Trello and Asana for daily operations, but native protections and short retention windows often leave critical data exposed. The piece highlights human error, misconfiguration, and targeted cyberattacks as leading causes of loss. It recommends adding a third‑party backup layer and presents FluentPro Backup as a solution offering continuous automated backups, granular restores, one‑click project recovery, and Azure‑backed security to ensure recoverability and auditability.

Wed, August 27, 2025

SageMaker HyperPod Supports Customer-Managed KMS for EBS

🔐 Amazon SageMaker HyperPod now supports customer-managed AWS KMS keys (CMKs) to encrypt EBS volumes, giving enterprises direct control over encryption for root and secondary storage. This enables integration with existing key management and compliance workflows and uses a grants-based approach for secure cross-account access. Customers can specify CMKs via the CreateCluster and UpdateCluster APIs for clusters in continuous provisioning mode. The capability is available in all Regions where HyperPod runs.

Wed, August 27, 2025

SageMaker HyperPod Supports EBS CSI Driver for Storage

🔧 Amazon SageMaker HyperPod now supports the Amazon Elastic Block Store (EBS) Container Storage Interface (CSI) driver, enabling dynamic provisioning and lifecycle management of persistent EBS volumes for machine learning workloads on HyperPod EKS clusters. Through standard Kubernetes persistent volume claims and storage classes, teams can create, attach, resize, snapshot, and encrypt volumes (including customer-managed KMS keys), and volumes persist across pod restarts and node replacements. Install the EBS CSI driver as an EKS add-on to get started; the capability is available in all regions where HyperPod EKS clusters are supported.

Wed, August 20, 2025

Amazon MSF for Apache Flink Adds Customer Managed Keys

🔐 Amazon Managed Service for Apache Flink now supports Amazon KMS Customer Managed Keys (CMK), giving customers the option to use their own keys instead of AWS-owned keys. This provides greater control over encryption at rest, key rotation, and access policies for data stored in MSF. The update helps address compliance and governance requirements and is available by region; refer to the documentation for implementation details.

Wed, August 13, 2025

AWS Achieves HITRUST Certification for 177 Services

🔒 Amazon Web Services announced that 177 AWS services achieved HITRUST certification for the 2025 assessment cycle, with five services certified for the first time: Amazon Verified Permissions, AWS B2B Data Interchange, AWS Payment Cryptography, AWS Resource Explorer, and AWS Security Incident Response. A third‑party assessor audited the services under the HITRUST CSF v11.5.1 framework. Customers can inherit the certification for validated assessments when they use in‑scope services and follow the AWS Shared Responsibility Model, and evidence is available through AWS Artifact.

Mon, August 11, 2025

Malware Analysis on AWS: Building Secure Isolated Sandboxes

🔒 This AWS blog explains how security teams can run malware analysis in the cloud while complying with AWS policies and minimizing risk. It recommends an architecture that uses an isolated VPC with no internet egress, ephemeral EC2 detonation hosts accessed via AWS Systems Manager Session Manager, and secure S3 storage via VPC gateway endpoints with encryption. The post emphasizes strong IAM and SCP guardrails, immutable hosts, automated teardown, centralized logging, and monitoring with CloudTrail and GuardDuty to maintain visibility and lifecycle control.

Thu, July 31, 2025

Secure File Sharing in AWS: Security and Cost Guide

🔒 This second part of the guide examines three AWS file‑sharing mechanisms — CloudFront signed URLs, an Amazon VPC endpoint service backed by a custom application, and S3 Access Points — contrasting their security, cost, protocol, and operational trade‑offs. It highlights CloudFront’s edge caching and WAF/Shield integration for low‑latency public delivery, PrivateLink for fully private TCP connectivity, and Access Points for scalable IAM‑based S3 access control. The post emphasizes choosing or combining solutions based on access patterns, compliance, and budget.

Wed, August 24, 2022

Twitter Whistleblower Alleges Major Security Failures

🔍 An 84-page whistleblower complaint from former Twitter head of security Peiter “Mudge” Zatko alleges systemic security and privacy failings at the company, including excessive staff access, unpatched servers, and potential foreign-agent infiltration. Zatko says these issues violate a 2010 FTC order and pose a national security risk. Twitter calls him a disgruntled ex-employee and says many issues are addressed. Congressional inquiries have already begun.
