mailing list archives
RE: PCI, EFS and the future?
From: "Dan Anderson" <dan-anderson () cox net>
Date: Sun, 18 Feb 2007 04:18:36 -0600
Let assume that the datbase is a standard one such as Oracle or SQL. The
database is loaded into the systems memory decrypted. EFS does not
encrypt database tables. It may encrypt the ENTIRE file, but when the
database is live it is loaded Unencrypted. EFS is thus not the be all
and end all for PCI requirements.
Next, EFS does nothing to help with ensuring backups are secure on tape.
It does nothing to secure the network or internal system transfers.
The idea is that there is no cut and dry solution out of the box. It is
something that requires thought.
I know I am late to this thread, but anyone who seriously thinks EFS or FDE
is a silver bullet to PCI compliance needs to give this a lot more thought.
Like any tool (and I like and use all of these), they have their places, but
if the extent of your PCI "solution" is using EFS/FDE/Truecrypt/NeoScale you
will be found sorely lacking.
These solutions are great for solving the VA style "lost harddrive"
scenarios, but that is only part of PCI. Proper PCI security in an
enterprise environment requires a holistic effort be taken to protect the
data from a variety of attack vectors.
Your efforts should start with a risk-based system analysis and the
particular tools and techniques to be used should be determined based on