Don’t Let “Encryption at Rest” Be Your Blindspot

Glennon Andrews

published: September 19, 2025

Security leaders universally agree that protecting data is important, but weighing protection against budgets and the risk of disrupting workflows makes it a difficult decision. Most databases and devices today come with some form of at-rest encryption, but is that enough?

The shift to cloud-first architectures and remote work has made it insufficient to rely solely on legacy tools like disk encryption. With today’s processing speeds, AI, data discovery, and data classification capabilities, organizations can now adopt a data-centric approach that protects information not just at rest, but also in motion and in use, exactly where modern risks emerge.

BitLocker: A Device-Centric Starting Point

For many organizations, Microsoft BitLocker represents a foundational layer of endpoint security. BitLocker is device-centric, encrypting the entire drive until a user authenticates. This makes it highly effective against device theft – a stolen laptop without credentials is practically useless to the thief.

The Modern Threat Landscape

But today, the big risk isn’t someone stealing a laptop; it’s a phishing attack that hands threat actors access to the environment from anywhere in the world. With one wrong click, attackers can infiltrate endpoints, file servers, email systems, and cloud resources. Once inside, they conduct “smash and grab” operations, exfiltrating as much data as possible before sorting and monetizing it later.

The recent data breaches of 2025 confirm this reality: third-party compromises, supply chain vulnerabilities, and partners with insecure credentials have played a direct role in several high-profile incidents.

This is where BitLocker’s shortcomings become evident.

The Role of Zero Trust in Modern Security

Zero Trust is a security framework based on the principle of “never trust, always verify.” It assumes that threats exist both inside and outside the network and emphasizes strict identity verification before granting access to any resource, regardless of whether a user is inside or outside the traditional network perimeter.

In this context, relying solely on encryption at rest falls short of a true Zero Trust strategy. Disk encryption like BitLocker protects data only while the device is powered off or locked. Once a user authenticates, or an attacker authenticates with compromised credentials, the volume is unlocked and every file on it is readable in the clear, so attackers can move laterally and access sensitive data freely.


Device-Centric vs. Data-Centric Security

The contrast between BitLocker’s device-centric encryption and PKWARE’s Persistent Data Encryption (PDE) can be summed up in five key areas:

  1. Protection Boundary
    • BitLocker: Encrypts the drive, but once accessed, data can be freely copied or shared.
    • PDE: Encrypts each file individually, keeping data protected wherever it travels.
  2. Collaboration & Third-Party Sharing
    • BitLocker: Protects only at-rest data while the device is powered off.
    • PDE: Enables seamless collaboration inside the organization and secure sharing with external partners, with the ability to revoke access at any time.
  3. Platform Coverage
    • BitLocker: Primarily effective in the Microsoft Windows ecosystem.
    • PDE: Extends across endpoints, servers, M365, email, cloud, and even iSeries/mainframes—ensuring files remain protected everywhere.
  4. Keys, Formats & Control
    • BitLocker: Device-bound keys (TPM, PIN, recovery key) managed via Entra ID/AD and Group Policy.
    • PDE: Supports enterprise identity policies, AES, OpenPGP, X.509, certificate-based models, and granular user access controls, including revocation.
  5. Compliance Outcomes
    • BitLocker: Satisfies basic at-rest encryption requirements, mainly for Windows endpoints.
    • PDE: Meets and exceeds requirements for at-rest and in-motion data protection across global mandates such as PCI, HIPAA, GLBA, GDPR, and more.

BitLocker and similar encryption-at-rest solutions are akin to locking the front door of your house – they keep honest people out. Most people lock up valuables, heirlooms, and money in safes within the house or at off-site locations for added defense. PKWARE’s end-to-end encryption acts as that safe for your data, providing continuous protection wherever your data goes and however it’s used.

Don’t let encryption at rest be your blindspot. Embrace a data-centric security strategy that safeguards sensitive information against today’s evolving threats.
