
Evolving FS-ISAC Encryption Standards: Embracing Zero Trust Data Security
1. Introduction
The Financial Services Information Sharing and Analysis Center (FS-ISAC) has long been instrumental in guiding financial institutions on implementing robust cybersecurity practices. Its recommendations, particularly regarding encryption controls, play a critical role in helping organizations safeguard sensitive financial data.
However, as cyber threats become increasingly sophisticated, it’s essential that FS-ISAC’s guidance evolves to reflect these changes. The current emphasis on traditional, storage-based encryption techniques, such as Transparent Data Encryption (TDE) and Full Disk Encryption (FDE), needs reevaluation. While these methods were once sufficient, they fall short in today’s dynamic, interconnected environments where data moves fluidly across applications, cloud platforms, and databases.
This blog advocates for an updated approach that aligns with Zero Trust data security principles. We propose a shift towards file- and record-level encryption, coupled with identity-driven, data-level security controls, to provide financial institutions with more comprehensive protection against modern threats.
2. Current State of FS-ISAC Guidance
FS-ISAC’s current encryption guidance highlights the use of Hardware Security Modules (HSMs) and storage encryption techniques like TDE and FDE to secure data at rest. While these methods serve to meet compliance standards, they lack the adaptability required in today’s environments where data is accessed, processed, and transmitted across multiple systems.
Though the guidance briefly acknowledges that “unique file-level encryption offers better protection,” it stops short of advocating for a shift away from traditional storage encryption. This leaves institutions open to risks, as the evolving threat landscape demands more than perimeter-focused encryption strategies.
3. The Ineffectiveness of Traditional Storage Encryption
To understand why FS-ISAC’s guidance should emphasize a Zero Trust data security model, it’s essential to explore the limitations of TDE and FDE:
- Limited Protection Scope: Both TDE and FDE primarily secure data at rest, providing coverage only when systems are offline. When systems are running, these methods leave data in memory exposed, making it vulnerable to memory scraping, SQL injections, and other attacks.
- Lack of Granular Control: These encryption methods do not support fine-grained access controls. Once data is decrypted for use by an application, it becomes accessible to any authorized user or process, increasing the risk of insider threats and unauthorized access.
- “Security Theater” Effect: While TDE and FDE may offer a perception of security, they fail to provide practical protection against real-time, active threats in today’s interconnected environments.

4. The Case for File- and Record-Level Encryption Aligned with Zero Trust Data Security
File- and record-level encryption, when implemented within a Zero Trust framework, shifts the focus from securing infrastructure to protecting the data itself. This approach ensures sensitive information is encrypted at the most granular level, directly within applications and databases, regardless of where it resides or how it is transmitted.
- Zero Trust Alignment: By adopting file- and record-level encryption, organizations can enforce Zero Trust principles, ensuring that no entity—whether internal or external—is trusted by default. Access is continuously verified based on user identity and permissions, integrating directly with identity providers (IDPs) like Okta and Microsoft Entra ID.
- Comprehensive Data Protection: This method secures data across its lifecycle—at rest, in motion, and in use—minimizing the risk of exposure during attacks like SQL injections, memory scraping, or insider threats.
- Granular Access Control: File- and record-level encryption, supported by identity-driven policies, enables fine-grained control, ensuring that only authorized users can decrypt sensitive data based on their roles and attributes.
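As an added example (not code from Ubiq, from FS-ISAC, or from the original post), the following Go program shows the contrast drawn in sections 3 and 4: the database row holds only AES-GCM ciphertext for each sensitive field, the ciphertext is bound to its record ID and field name so it cannot be moved between rows, and decryption happens only after the caller's identity claims satisfy a role policy. The `Vault`, `Policy` and `Identity` names, the all-zero demo key and the sample customer record are all constructed for this illustration; in a real deployment the key would come from a KMS or HSM and the identity claims from a verified IdP token.

```go
package main

// Added example: per-record, per-field application-layer encryption with an
// identity-driven decrypt policy. Names and sample data are constructed.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var ErrDenied = errors.New("policy: identity not authorized for field")

// Identity holds the claims an IdP (e.g. Okta, Entra ID) asserts after
// authenticating the caller; here they are constructed inline.
type Identity struct {
	Subject string
	Roles   []string
}

// Policy maps a sensitive field name to the roles allowed to decrypt it.
type Policy map[string][]string

// StoredRecord is what reaches the database: the ID in clear (so it can be
// indexed), each protected field as nonce||ciphertext. With TDE/FDE alone
// these fields would be plaintext once the database process opened the file.
type StoredRecord struct {
	ID     string
	Fields map[string][]byte
}

// Vault holds the data-encryption key and the access policy.
type Vault struct {
	aead   cipher.AEAD
	policy Policy
}

func NewVault(key []byte, p Policy) (*Vault, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, policy: p}, nil
}

// aad binds a ciphertext to its record and field: copying it into another
// row or column makes authentication fail on decrypt.
func aad(recordID, field string) []byte {
	return []byte(recordID + "/" + field)
}

// EncryptRecord encrypts every field in plain under a fresh random nonce.
func (v *Vault) EncryptRecord(id string, plain map[string]string) (*StoredRecord, error) {
	rec := &StoredRecord{ID: id, Fields: make(map[string][]byte, len(plain))}
	for field, value := range plain {
		nonce := make([]byte, v.aead.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			return nil, err
		}
		rec.Fields[field] = v.aead.Seal(nonce, nonce, []byte(value), aad(id, field))
	}
	return rec, nil
}

// Authorized evaluates the role policy for one field.
func (v *Vault) Authorized(who Identity, field string) bool {
	for _, allowed := range v.policy[field] {
		for _, r := range who.Roles {
			if r == allowed {
				return true
			}
		}
	}
	return false
}

// DecryptField checks identity against policy before decrypting, so
// plaintext is produced only for an authorized caller.
func (v *Vault) DecryptField(who Identity, rec *StoredRecord, field string) (string, error) {
	if !v.Authorized(who, field) {
		return "", fmt.Errorf("%w: %s -> %s", ErrDenied, who.Subject, field)
	}
	ct, ok := rec.Fields[field]
	if !ok || len(ct) < v.aead.NonceSize() {
		return "", errors.New("field missing or malformed")
	}
	nonce, body := ct[:v.aead.NonceSize()], ct[v.aead.NonceSize():]
	pt, err := v.aead.Open(nil, nonce, body, aad(rec.ID, field))
	if err != nil {
		return "", err // tampered, or moved to another record/field
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero key, demo only
	v, _ := NewVault(key, Policy{"account_number": {"fraud-analyst"}})
	rec, _ := v.EncryptRecord("cust-1", map[string]string{"account_number": "1234567890"})
	fmt.Printf("stored in database: %x\n", rec.Fields["account_number"])
	analyst := Identity{Subject: "alice", Roles: []string{"fraud-analyst"}}
	marketer := Identity{Subject: "bob", Roles: []string{"marketing"}}
	fmt.Println(v.DecryptField(analyst, rec, "account_number"))
	fmt.Println(v.DecryptField(marketer, rec, "account_number"))
}
```

The policy check sits in front of the AEAD call on purpose: a caller without the right role never triggers a decrypt, so a compromised reporting account or an injected query returns only ciphertext, which is the "data in use" gap the list above attributes to TDE and FDE. The AAD binding is the detail most often skipped in home-grown field encryption; without it an attacker with write access to the table can swap one customer's encrypted field into another's row and have it decrypt cleanly.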

5. Integrating Identity-Driven Data Security (Ubiq’s Approach)
Ubiq’s solution exemplifies the next step in achieving Zero Trust data security. By integrating identity-driven, data-level security, Ubiq offers a modern, scalable approach that ensures sensitive data remains protected regardless of its state or location.
Key Benefits of Ubiq’s Identity-Driven, Data-Level Security:
- Granular Access Controls: Through integration with IDPs like Okta, Ubiq enforces role- and attribute-based access controls, tying data access directly to verified user identities and roles.
- Comprehensive Protection: Ubiq’s application-layer encryption secures data in use, ensuring it remains protected even when systems are active and data is being processed or transmitted.
- Seamless Integration: Ubiq supports a variety of application environments and platforms, enabling enterprises to deploy file- and record-level encryption with minimal disruption.

6. Recommendations for FS-ISAC
To strengthen the security posture of financial institutions, FS-ISAC can refine its encryption guidance by:
- Deprioritizing Generic Storage Encryption: FS-ISAC should clarify that TDE and FDE are insufficient as standalone encryption controls for securing sensitive data and should be phased out as approved methods.
- Encouraging Zero Trust, Identity-Driven Approaches: FS-ISAC should advocate for file- and record-level encryption integrated with IDPs, ensuring access is controlled based on verified identities and permissions.
- Promoting Modern, Scalable Encryption Solutions: By recommending solutions that support identity-driven, data-level security, FS-ISAC can help financial institutions implement scalable, Zero Trust frameworks that reduce risk and improve compliance.
7. Conclusion
As cyber threats continue to evolve, financial institutions must move beyond traditional storage encryption methods and embrace more adaptive, effective solutions. By aligning encryption practices with Zero Trust data security principles and advocating for file- and record-level encryption, FS-ISAC can lead the way in ensuring that sensitive financial data remains secure across its entire lifecycle.
Adopting these modern approaches not only enhances protection against emerging threats but also ensures that financial institutions are prepared for the challenges of a rapidly evolving digital landscape.