Security Basics mailing list archives
RE: PCI, EFS and the future?
From: "Dan Anderson" <dan-anderson () cox net>
Date: Sun, 18 Feb 2007 04:18:36 -0600
Let's assume that the database is a standard one such as Oracle or SQL. The database is loaded into the system's memory decrypted. EFS does not encrypt database tables. It may encrypt the ENTIRE file, but when the database is live it is loaded unencrypted. EFS is thus not the be all and end all for PCI requirements. Next, EFS does nothing to help with ensuring backups are secure on tape. It does nothing to secure the network or internal system transfers. The idea is that there is no cut and dry solution out of the box. It is something that requires thought.
Thank You! I know I am late to this thread, but anyone who seriously thinks EFS or FDE is a silver bullet to PCI compliance needs to give this a lot more thought. Like any tool (and I like and use all of these), they have their places, but if the extent of your PCI "solution" is using EFS/FDE/Truecrypt/NeoScale you will be found sorely lacking. These solutions are great for solving the VA style "lost hard drive" scenarios, but that is only part of PCI. Proper PCI security in an enterprise environment requires a holistic effort be taken to protect the data from a variety of attack vectors. Your efforts should start with a risk-based system analysis and the particular tools and techniques to be used should be determined based on these results.

Dan