Disk drive encryption may help your organization to comply with PCI DSS standards, but there are strict requirements that must be followed. Additionally, relying solely on disk drive encryption for data protection has serious potential risks that your organization needs to be aware of.
Requirement 3.4.1 of the PCI DSS standards reads:
3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.
3.4.1.a If disk encryption is used, verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native operating systems mechanism (for example, not using local user account databases).
3.4.1.b Verify that cryptographic keys are stored securely (for example, stored on removable media that is adequately protected with strong access controls).
3.4.1.c Verify that cardholder data on removable media is encrypted wherever stored. Note: Disk encryption often cannot encrypt removable media, so data stored on this media will need to be encrypted separately.
Your organization will also need to ensure you are in compliance with the Key Management requirements listed in sections 3.5 and 3.6 of the PCI DSS standards.
Risks of Disk Encryption
Disk encryption can minimize the risks if the physical disk drive is stolen, but it cannot protect an organization from an online attack by a hacker or rogue employee. Once a hacker gains access to the running system, data is decrypted automatically as it is read, regardless of which application (or tool) is running and regardless of the user’s credentials.
Additionally, encrypting the disk drive (the lowest level in the application’s stack) leaves all layers above the disk drive vulnerable to snooping. Given the complexity of today's applications, there are potentially numerous opportunities for attackers to snoop unencrypted data on a compromised machine.
Disk encryption has some short-term risk mitigation properties, but the strongest long-term data protection comes from encrypting data at the database column (field) level. With field encryption, data is protected no matter what the storage media (disk, tape, etc.) is, and no matter how many layers intervene between the application and the storage media.
Benefits of Field Encryption with Crypto Complete
Database field encryption has traditionally been very difficult and time-consuming to implement on IBM i. In the past, major application changes would have to be made to expand database field sizes and implement complicated API calls to encrypt/decrypt data. In contrast, Crypto Complete was designed to allow organizations to encrypt fields quickly and effectively using its intuitive screens and proven technology. Today, organizations worldwide rely on Crypto Complete's encryption suite to secure confidential information from both external hackers and unauthorized internal users.
Crypto Complete protects sensitive database fields on IBM i using the strong encryption algorithms AES or TDES. You can encrypt almost any database field with Crypto Complete, including:
- Credit card numbers (PAN)
- Health-related information
- Social security numbers
- Driver's license numbers
- Bank account numbers
- Financial data
Crypto Complete's innovative "Field Encryption Registry" allows you to automatically encrypt sensitive database fields and columns using strong AES or TDES encryption without making changes to your application programs. You simply indicate which fields in your database files to encrypt, and you can then perform mass encryption of any activated fields in the Registry. Crypto Complete can also encrypt field values automatically on an ongoing basis as new records are added or when field values change. This automated feature saves significant time and money for customers, since applications do not need to be changed for data encryption.
Access to data can be tightly controlled at the field/user level and only authorized users will have the ability to decrypt data and gain access to the full or masked values. The decryption of any data can be fully audited in Crypto Complete, which will log the user id, date, time, job information and key utilized.
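The contrast drawn under Risks of Disk Encryption, together with the per-user full or masked access described above, looks like this in Go. This is an added example, not Crypto Complete's code or API: it uses Go's standard AES-GCM, and the names FieldCipher, NewFieldCipher, Encrypt and Read, the user ids, the all-zero key and the test card number are assumptions constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type FieldCipher struct {
	aead   cipher.AEAD     // AES-GCM under a key that is not tied to an OS user account
	policy map[string]bool // application user id: true = full value, false = masked
	Audit  []string        // one entry per decryption request
}

func NewFieldCipher(key []byte, policy map[string]bool) (*FieldCipher, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &FieldCipher{aead: aead, policy: policy}, err
}

func (f *FieldCipher) Encrypt(pan string) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, []byte(pan), nil), nil // nonce||ciphertext is all that storage holds
}

func (f *FieldCipher) Read(user string, stored []byte) (string, error) {
	full, known := f.policy[user]
	f.Audit = append(f.Audit, "decrypt requested by user "+user) // logged whether allowed or not
	n := f.aead.NonceSize()
	if !known || len(stored) < n {
		return "", fmt.Errorf("user %q not authorized, or value malformed", user)
	}
	pt, err := f.aead.Open(nil, stored[:n], stored[n:], nil) // fails if the stored value was altered
	for i := 0; !full && i < len(pt)-4; i++ {
		pt[i] = '*' // masked users see only the last four digits
	}
	return string(pt), err
}

func main() {
	f, _ := NewFieldCipher(make([]byte, 32), map[string]bool{"clerk": false}) // constructed key and user
	fmt.Println(f.Encrypt("4111111111111111"))                                  // constructed test PAN
}
```

Whatever sits between the application and the media (database, file system, backup) only ever handles the value returned by Encrypt, so a process that reads the row without going through Read gets ciphertext.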
Crypto Complete offers the most comprehensive encryption and key management features - making it easy to protect sensitive data and comply with stringent compliance requirements.