While threat modeling, you talk about specific scenarios and specific threats. That does not mean other scenarios and threats don't exist. It just means they aren't the focus of that particular conversion.
>In web applications and cloud services drives could still be misplaced, stolen, or improperly disposed of.
This is explicitly called out in the article by the author, despite it not being part of the threat model the author is examining. And people are still bringing it up like some sort of gotcha.
See (again):
>This is not a comprehensive blog post covering every possible use case or threat model relating to encryption at rest.
> I’d say the author is being so restrictive in the scope of threats that it isn’t very useful.
Loss of control of the hard disks may have many different ways it can manifest in the real world, but from a cryptography and software development perspective, is congruent to other flavors of the same underlying problem.
That's not being "restrictive", it's recognizing the common denominator.
The problem is that after that common denominator is recognized, the post implies that it is outside the threat model of "web applications and/or cloud services", when it is not.
It doesn't need in-depth discussion, and the way data is still highly exposed despite disk encryption is very important, but that implication is not great.
>In web applications and cloud services drives could still be misplaced, stolen, or improperly disposed of.
This is explicitly called out in the article by the author, despite it not being part of the threat model the author is examining. And people are still bringing it up like some sort of gotcha.
See (again):
>This is not a comprehensive blog post covering every possible use case or threat model relating to encryption at rest.