Home page logo
/

basics logo Security Basics mailing list archives

RE: PCI, EFS and the future?
From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Mon, 5 Feb 2007 09:15:09 -0600

Dave

I think what you are referring to is:
3.4.1   If disk encryption is used (rather than file- or column-level
database        encryption), logical access must be managed
independently of native         operating system access control
mechanisms (for example, by not using   local system or Active
Directory accounts).
        Decryption keys must not be tied to user accounts.

The wording suggests this applies to databases. Not file servers.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."

-----Original Message-----
From: dave kleiman [mailto:dave () davekleiman com] 
Sent: Saturday, February 03, 2007 12:06 AM
To: security-basics () securityfocus com
Subject: RE: PCI, EFS and the future?

Nick,

Correct me if I am wrong.....but I thought I remember reading that the
DSS
specifically stated that keys could not be tied to user accounts, which
they
are in EFS. Or, was that only for certain pieces of data?



Respectfully,

Dave Kleiman - http://www.davekleiman.com/about.php 



     -----Original Message-----
     From: listbounce () securityfocus com 
     [mailto:listbounce () securityfocus com] On Behalf Of Nick Vaernhoej
     Sent: Friday, February 02, 2007 12:04
     To: security-basics () securityfocus com
     Subject: PCI, EFS and the future?
     
     Good morning list
     
     In the past I have asked about encryption solutions to 
     attain PCI compliance.
     
     There are numerous solutions our there and I have some 
     questions about EFS in particular.
     
     We are trying to create a small area on our corporate 
     fileserver to be an encrypted location. When used with EFS 
     this area should be transparent to the end user since it 
     ties into AD.
     
     My gut feeling is telling me that EFS is the wrong 
     solution and I fear that it won't be in compliance with 
     PCI's data at rest specs.
     
     Does anyone have any experience with EFS file level 
     encryption, PCI and what the future outlook is?
     
     Are you looking at a replacement product because the 
     auditor didn't find EFS adequate?
     
     Thank you
     
     Nick Vaernhoej
     "Quidquid latine dictum sit, altum sonatur." 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]