Defense in Depth: Combining Persistent and Transparent Data Encryption

EJ Pappas
Blog
March 30, 2026

Traditional data security has always started from the outside in: lock down the systems, lock down the disks, and keep attackers away from the infrastructure. That model still matters. In fact, modern regulations and auditors continue to expect strong block-level (disk-level) encryption as a foundational control, and that control is delivered by transparent data encryption (TDE).

At the same time, evolving state and federal requirements now assume that sensitive data will also move to cloud services, partners, and remote users. As a result, it’s essential to protect the data itself with Persistent Data Encryption (PDE). It complements your TDE strategy.

Why Disk-Level Encryption Still Matters

Transparent data encryption protects data “on disk” by encrypting databases, files, and backups at the storage or file system level. It doesn’t require application changes or slow down users. TDE is most valuable when organizations store data in specific, controlled locations, such as production databases, core file servers, and backup systems.

Regulators and internal risk teams expect strong data encryption at rest as a baseline control for exactly these scenarios. In these environments, if disks, snapshots, or backups are lost, stolen, or accessed outside the system, the data remains unreadable without the keys. Thus, organizations can minimize the impact of a breach and demonstrate compliance with encryption at rest.

Because TDE operates transparently between the operating system and the file system, it delivers broad, low-friction coverage. This applies to structured and unstructured data at rest. With TDE, you meet traditional security and compliance expectations—such as encryption requirements under GDPR, CCPA, HIPAA, GLBA, CMMC, and state-level cybersecurity rules. At the same time, you ensure critical applications and workflows run as usual.

The New Reality: You Must Encrypt Data When It Moves

What has changed is not the value of TDE, but the scope of the problem. Regulators and standards bodies increasingly presume that sensitive data will move across networks, clouds, and organizations. They expect encryption to follow it.

Once data leaves a database, travels via email, syncs to a cloud repository, or flows into an analytics platform, disk-level protection alone is no longer sufficient. Transparent encryption decrypts data as it is read, so it stops protecting the data the moment a copy leaves the original storage layer, and plaintext copies are then exposed in the new locations.

That is where persistent data encryption becomes essential. PDE encrypts the data itself—at the file or field level. Protection travels with the information wherever it goes, regardless of storage, application, or platform.

Whether a user downloads a document to an endpoint, shares it with a partner, moves it into object storage, or replicates it to another environment, PDE keeps it unreadable without the appropriate keys and policies.

PDE makes it easier to demonstrate to auditors and regulators that sensitive records remain encrypted not just at rest in a single system, but throughout their lifecycle.

TDE and PDE: Purpose-Built, Not Either/Or

The strongest security and compliance posture comes from using TDE and PDE together. Each has its own job. They aren’t competing approaches.

  • TDE provides efficient, transparent, block-level encryption for critical systems and databases. It ensures minimal operational overhead while protecting data at rest in known locations.
  • PDE extends that protection to the data itself. When those same records move across endpoints, file shares, cloud storage, email, mainframes, and partner environments, they remain encrypted and controlled no matter where they land.
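To make the contrast between the two layers concrete, here is an added illustration (my own code, not PKWARE's product or any real TDE implementation): a storage layer that decrypts on every read, so an application export comes out as plaintext, beside a record-level envelope that stays encrypted through that same export. The cipher is a toy HMAC-SHA256 counter-mode construction standing in for a real AEAD such as AES-GCM, and the customer record is a constructed sample.

```python
import hashlib
import hmac
import os

# Toy authenticated stream cipher (HMAC-SHA256 keystream + HMAC tag); a stand-in for AES-GCM.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class TransparentStore:
    """Models TDE: encrypt on write, decrypt on read, so everything above the storage layer sees plaintext."""
    def __init__(self, key: bytes):
        self._key, self._blocks = key, {}
    def write(self, name: str, data: bytes) -> None:
        self._blocks[name] = seal(self._key, data)
    def read(self, name: str) -> bytes:
        return unseal(self._key, self._blocks[name])
    def raw_block(self, name: str) -> bytes:
        """What a lost disk or snapshot contains: ciphertext only."""
        return self._blocks[name]

def demo(record: bytes = b"SSN=123-45-6789") -> dict:
    """Constructed sample record; returns what each party ends up able to read."""
    tde = TransparentStore(os.urandom(32))
    pde_key = os.urandom(32)
    tde.write("customers.db", record)                  # TDE only
    tde.write("customers.pde", seal(pde_key, record))  # PDE envelope stored under TDE
    # An application export reads through the TDE layer and ships the bytes off-system.
    return {
        "stolen_disk_readable": record in tde.raw_block("customers.db"),
        "tde_export_readable": tde.read("customers.db") == record,
        "pde_export_readable": record in tde.read("customers.pde"),
        "pde_holder_can_read": unseal(pde_key, tde.read("customers.pde")) == record,
    }
```

The dictionary returned by `demo()` shows the asymmetry the article describes: the stolen disk is unreadable under either scheme, the TDE-only export is plaintext, and the PDE-wrapped export is still ciphertext until the authorized key holder opens it.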

Starting with a TDE foundation and layering PDE on top enables you to:

  • Align with both traditional and emerging regulatory expectations.
  • Reduce breach impact.
  • Maintain consistent protection from core infrastructure to the edge.

PK Protect: Transparent Data Encryption + Persistent Data Encryption

In a world where sensitive information must be both safely stored and shared, our combination of TDE and PDE provides security and compliance teams with the complete, defense-in-depth encryption strategy they need.
