RE: PCI, EFS and the future?

["Roger A. Grimes" <roger () banneretcs com>]

EFS is a very good, and more than adequate solution, with one caveat- it
is file/folder-level encryption versus drive or volume-level encryption;
and all that those differences entail.

EFS is free with Windows 2000 and above, and it is good encryption. You
don't want to lose the private or recovery keys. No matter what solution
you choose, make sure to automate backing up the recovery keys.

PCI and other commercial/public requirements don't care what the
specific solution is as long as it is a strong and reliable solution.
EFS fits that bill, and you gotta love the price.

Some folks like PGP or Truecrypt. Both are excellent solutions as well.

Other vendor solutions, which may cost, can also provide a good
solution, and some people feel third party mgmt tools make it easier
than free tools...but show me any encryption product and I'll show you
advantages and disadvantages. None are perfect.

I say try out a few solutions, including EFS, talk to other users who
have been using the products for awhile, and choose one that fits in
your environment. Don't just talk to the "EFS sucks" people, who haven't
spent time implementing it and using it. That's like an EFS-zealot
dogging Truecrypt without really using it or understanding it.

Properly setup and understood, there are many good solutions, including
EFS. 

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Nick Vaernhoej
Sent: Friday, February 02, 2007 12:04 PM
To: security-basics () securityfocus com
Subject: PCI, EFS and the future?

Good morning list

In the past I have asked about encryption solutions to attain PCI
compliance.

There are numerous solutions our there and I have some questions about
EFS in particular.

We are trying to create a small area on our corporate fileserver to be
an encrypted location. When used with EFS this area should be
transparent to the end user since it ties into AD.

My gut feeling is telling me that EFS is the wrong solution and I fear
that it won't be in compliance with PCI's data at rest specs.

Does anyone have any experience with EFS file level encryption, PCI and
what the future outlook is?

Are you looking at a replacement product because the auditor didn't find
EFS adequate?

Thank you

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."