Encryption at Rest vs. in Transit — Which Should You Worry About?
A plain-English guide for advocates evaluating SaaS vendors on security.
Encryption marketing for SaaS products often blurs the difference between encryption at rest (the database, the backups) and encryption in transit (the network calls). Both matter, but against different threat models.
Encryption at rest protects against:
- An attacker who steals the physical disks or the cloud-storage object
- An attacker who gets backup tapes
- An insider with read-only access to raw storage
Encryption in transit protects against:
- An attacker on the same network watching packets (e.g. coffee-shop Wi-Fi)
- Man-in-the-middle attacks against the SaaS endpoint
- Eavesdropping on the connection between the firm's office and the SaaS service
For a law firm, both are non-negotiable. Encryption at rest is more administratively useful (it satisfies most audit checklists). Encryption in transit is more practically useful (it actually defends against the most common attacks). AssociatesDiary uses AES-256 at rest and TLS 1.3 in transit by default, with no toggle to disable either.
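To make the two threat models concrete, here is an added simulation (not code from this post or from AssociatesDiary) that models one request for a stored record and reports what a disk thief and a network eavesdropper can each read under the four combinations of controls. It assumes a constructed sample record and uses a toy HMAC-based keystream as a stand-in for AES-256 and TLS so it runs with the standard library alone.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR keystream (HMAC-SHA256 in counter mode). Stand-in for AES-256 /
    TLS so the script runs with the standard library only; NOT for real use.
    XOR is symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        stream = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], stream))
    return bytes(out)


@dataclass
class Observation:
    disk: bytes  # what someone holding the stolen volume or backup sees
    wire: bytes  # what someone sniffing the firm-to-vendor connection sees


def simulate(record: bytes, at_rest: bool, in_transit: bool) -> Observation:
    """Model one client request for a stored record under the chosen controls."""
    storage_key = os.urandom(32)  # vendor's key-management key (never leaves the vendor)
    session_key = os.urandom(32)  # per-connection key negotiated by the TLS handshake
    nonce = os.urandom(8)         # constructed; one nonce per simulated request
    stored = toy_cipher(storage_key, nonce, record) if at_rest else record
    # The application server decrypts before serving: at-rest protection ends here.
    served = toy_cipher(storage_key, nonce, stored) if at_rest else stored
    wire = toy_cipher(session_key, nonce, served) if in_transit else served
    return Observation(disk=stored, wire=wire)


def exposed(observation: Observation, secret: bytes) -> dict:
    """Report which attacker positions can read the secret verbatim."""
    return {"disk_thief": secret in observation.disk,
            "network_eavesdropper": secret in observation.wire}


if __name__ == "__main__":
    matter = b"Client: Acme v. Example Corp -- settlement offer GBP 1,200,000"  # constructed sample
    for at_rest, in_transit in [(False, False), (True, False), (False, True), (True, True)]:
        result = exposed(simulate(matter, at_rest, in_transit), b"settlement offer")
        print(f"at_rest={at_rest!s:5} in_transit={in_transit!s:5} -> {result}")
```

The output shows that each control closes exactly one attacker position, which is why a vendor claiming only one of the two leaves a real gap.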