Security Basics mailing list archives
RE: PCI, EFS and the future?
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 2 Feb 2007 17:07:16 -0500
EFS is a very good, and more than adequate solution, with one caveat- it is file/folder-level encryption versus drive or volume-level encryption; and all that those differences entail. EFS is free with Windows 2000 and above, and it is good encryption. You don't want to lose the private or recovery keys. No matter what solution you choose, make sure to automate backing up the recovery keys. PCI and other commercial/public requirements don't care what the specific solution is as long as it is a strong and reliable solution. EFS fits that bill, and you gotta love the price. Some folks like PGP or Truecrypt. Both are excellent solutions as well. Other vendor solutions, which may cost, can also provide a good solution, and some people feel third party mgmt tools make it easier than free tools...but show me any encryption product and I'll show you advantages and disadvantages. None are perfect. I say try out a few solutions, including EFS, talk to other users who have been using the products for awhile, and choose one that fits in your environment. Don't just talk to the "EFS sucks" people, who haven't spent time implementing it and using it. That's like an EFS-zealot dogging Truecrypt without really using it or understanding it. Properly setup and understood, there are many good solutions, including EFS. Roger ***************************************************************** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada... *email: roger_grimes () infoworld com or roger () banneretcs com *Author of Professional Windows Desktop and Server Hardening (Wrox) *http://www.amazon.com/gp/product/0764599909 ***************************************************************** -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Vaernhoej Sent: Friday, February 02, 2007 12:04 PM To: security-basics () securityfocus com Subject: PCI, EFS and the future? Good morning list In the past I have asked about encryption solutions to attain PCI compliance. There are numerous solutions our there and I have some questions about EFS in particular. We are trying to create a small area on our corporate fileserver to be an encrypted location. When used with EFS this area should be transparent to the end user since it ties into AD. My gut feeling is telling me that EFS is the wrong solution and I fear that it won't be in compliance with PCI's data at rest specs. Does anyone have any experience with EFS file level encryption, PCI and what the future outlook is? Are you looking at a replacement product because the auditor didn't find EFS adequate? Thank you Nick Vaernhoej "Quidquid latine dictum sit, altum sonatur."
Current thread:
- PCI, EFS and the future? Nick Vaernhoej (Feb 02)
- RE: PCI, EFS and the future? Roger A. Grimes (Feb 05)
- Re: PCI, EFS and the future? Saqib Ali (Feb 05)
- RE: PCI, EFS and the future? Nick Vaernhoej (Feb 05)
- RE: PCI, EFS and the future? Gressick, Michael (Feb 07)
- RE: PCI, EFS and the future? dave kleiman (Feb 05)
- Message not available
- RE: PCI, EFS and the future? Nick Vaernhoej (Feb 05)
- RE: PCI, EFS and the future? Dan Anderson (Feb 19)
- RE: PCI, EFS and the future? Nick Vaernhoej (Feb 05)
- <Possible follow-ups>
- Re: PCI, EFS and the future? Nick Vaernhoej (Feb 05)
- Re: PCI, EFS and the future? Craig Wright (Feb 06)
- Re: PCI, EFS and the future? Sean Waddell (Feb 06)
- Re: PCI, EFS and the future? Saqib Ali (Feb 07)
- Re: PCI, EFS and the future? Sean Waddell (Feb 06)