Educause Security Discussion mailing list archives

Re: Storing SSN on file server


From: randy <marchany () VT EDU>
Date: Mon, 19 Mar 2018 14:58:07 -0400

A word of caution about WDE/FDE: remember that WDE/FDE is designed to work
only when the host is powered off. If malware runs under your user context
(the usual case), it will be able to decrypt any files your account can
access. While we are requiring WDE/FDE in general, you need some sort of
encryption scheme that's not based on access. Microsoft Office does do a
decent encryption job but it is password protected. Newer versions of Adobe
Acrobat allow password and certificate based encryption on a file basis. I
don't know if the PDF portfolio feature is still around. There are
certainly a ton of 3rd party vendor solutions. Microsoft AD-RMS (Azure RMS)
is another tool. Most of the "centralized" tools work great when everyone
is under the same umbrella. It goes south when sending in/out of your
institution.

Our sensitive data standard ( says all PII (ssn, ccn, passport#, DMV#,
bank, debit numbers) must be encrypted at rest or in transit. I believe the
majority of users are using the Office Encryption or encrypted PDF files
here. Databases use column encryption to encrypt the relevant fields in a
record.

Hope this helps.

-Randy Marchany
VA Tech IT Security Office and Lab



On Mon, Mar 19, 2018 at 2:23 PM, Kevin Wilcox <wilcoxkm () appstate edu> wrote:

On 19 March 2018 at 13:52, Macatiag, Darwin <dmacatiag () mtsac edu> wrote:

I'll second Brent's solution since it will help with data classification.
You'll probably also want to set up whole disk encryption on that separate
file server as well since most regulations require encryption of data at
rest.

Since you're the second person to mention WDE, I would only say that
*especially* in the context of file and database servers one should
take a long, hard look at how to interpret "at rest".

kmw
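Randy's caution above (FDE only helps while the host is off; a file that holds SSNs needs encryption tied to a secret, not to account access) and Kevin's point about what "at rest" means, in Go as an added example that is not code from the list or from any vendor mentioned: a passphrase-derived key (PBKDF2-HMAC-SHA256, with a constructed iteration count) wrapped around AES-256-GCM, so a process running with the user's file access still gets only ciphertext. The function names and the header layout are assumptions for this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, stdlib only.
func pbkdf2SHA256(pass, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}
// aeadFor derives the file key from passphrase+salt and wraps it in AES-256-GCM
// (100_000 iterations is a constructed placeholder; sizes are fixed, so no error path).
func aeadFor(passphrase string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, 100_000))
	aead, _ := cipher.NewGCM(block)
	return aead
}
// SealFile encrypts under a secret the user supplies, so a process running with the
// user's file access still gets only ciphertext. Layout: salt(16) || nonce(12) || ct || tag(16).
func SealFile(passphrase string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, 28) // fresh random salt and nonce per file
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return aeadFor(passphrase, hdr[:16]).Seal(hdr, hdr[16:], plaintext, hdr[:16]), nil
}
// OpenFile reverses SealFile; a wrong passphrase or any tampering fails the GCM check.
func OpenFile(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < 28+16 {
		return nil, errors.New("blob too short to hold header and tag")
	}
	return aeadFor(passphrase, blob[:16]).Open(nil, blob[16:28], blob[28:], blob[:16])
}
```

The passphrase never touches disk, so the on-disk blob is useless to anything that only inherits the user's filesystem rights; the trade-off, as Randy notes, is that this stays password-based rather than centrally managed.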

