Encryption at rest has several valid use-cases beyond SOC audits. End of sentence.
Edit: Since this has gotten some negative votes, I'll happily expand.
The two primary examples of FDE that are real-world useful (i.e. not just checking boxes) are loss of physical control of a device and cryptographic erasure (at device end-of-life).
Neither of these use-cases is relevant to the threat model the article is discussing, but it's ridiculous to say that FDE is only for SOC.
This is why I said "your cloud provider". If you're handling your own physical devices, yes, YMMV. (For example, FDE on company laptops should obviously be non-negotiable). But expecting it to do anything else is just magical thinking.
Cloud providers don't store stuff in a literal cloud, so it follows that they too must worry about their own physical devices.
If you agree that FDE is good for physical access to lost/stolen devices and cryptographic erasure, I'm not sure why you don't think that applies to hardware in a data center which is just as capable of being lost/stolen, and also needs to be securely disposed of.
>But expecting it to do anything else is just magical thinking.
It certainly does more than just check boxes for SOC, which was my entire point.