Encryption at rest is something your cloud provider does to pass SOC audits. End of sentence. If you have stronger security concerns, then you need to turn to other tools in your toolbox.
Encryption at rest has several valid use-cases beyond SOC audits. End of sentence.
Edit: Since this has gotten some negative votes, I'll happily expand.
The two primary examples of FDE that are real-world useful (i.e. not just checking boxes) are loss of physical control of a device and cryptographic erasure (at device end-of-life).
Neither of these use-cases is relevant to the threat model the article is discussing, but it's ridiculous to say that FDE is only for SOC.
This is why I said "your cloud provider". If you're handling your own physical devices, yes, YMMV. (For example, FDE on company laptops should obviously be non-negotiable). But expecting it to do anything else is just magical thinking.
Cloud providers don't store stuff in a literal cloud, so it follows that they too must worry about their own physical devices.
If you agree that FDE is good for physical access to lost/stolen devices and cryptographic erasure, I'm not sure why you don't think that applies to hardware in a data center which is just as capable of being lost/stolen, and also needs to be securely disposed of.
>But expecting it to do anything else is just magical thinking.
It certainly does more than just check boxes for SOC, which was my entire point.