Re: PCI, EFS and the future?

[Sean Waddell <swaddell () espgroup net>]

Brandon just setup a zabbix server on our stack 2 here to monitor the
wellpoint server as well as go out and monitor our portals. I would
suggest in the interim let's setup and monitor the 7 dr portals down
there....that would at least tell us if there is network connectivity.
Once we can get a zabbix monitor down there we can have it monitor the
router etc.


Sean Waddell
Director of Operations
The ESP Group LLC
703.418.6314

Craig Wright wrote:
> Let assume that the datbase is a standard one such as Oracle or SQL. The
> database is loaded into the systems memory decrypted. EFS does not
> encrypt database tables. It may encrypt the ENTIRE file, but when the
> database is live it is loaded Unencrypted. EFS is thus not the be all
> and end all for PCI requirements.
>
> Next, EFS does nothing to help with ensuring backups are secure on tape.
>
>
> It does nothing to secure the network or internal system transfers.
>
> The idea is that there is no cut and dry solution out of the box. It is
> something that requires thought.
>
> Craig
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Saqib Ali
> Sent: Saturday, 3 February 2007 9:14 AM
> To: Nick Vaernhoej
> Cc: security-basics () securityfocus com
> Subject: Re: PCI, EFS and the future?
>
> > My gut feeling is telling me that EFS is the wrong solution and I fear
> > that it won't be in compliance with PCI's data at rest specs.
>
> May I ask why you feel that EFS is the wrong solution? On the face, it
> seems to satisfy all the PCI data storage encryption requirements ....
>
> I will tell you more why EFS might not be a good idea, but I want to
> hear your opinion first.
>
> Here is some white-papers (disclaimer: they are self-serving, but
> still good) that cover data storage requirements for PCI.
> http://www.neoscale.com/English/Solutions/Whitepapers.html
>
> Also check out http://www.decru.com/
>
> saqib
> http://www.full-disk-encryption.net
>
> Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
> those States and Territories of Australia where such legislation exists.
>
> DISCLAIMER
> The information contained in this email and any attachments is confidential. If you are not the intended recipient, 
> you must not use or disclose the information. If you have received this email in error, please inform us promptly by 
> reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 
>
>
> Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
> unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed 
> by a Partner of BDO.
>
> BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
> interception, corruption or unauthorised access.