In the month of October, I wrote about reducing scope for PCI DSS. In this blog, I take it a step further with a discussion about the options available for securing data.
Not all types of encryption give you the coverage and flexibility you need
There’s no one-size-fits-all solution for protecting account data; every organization is different, faces different threats and has different security objectives that (ideally) go beyond PCI DSS compliance. To make things more complicated, merchants typically now need to protect data in multiple data repositories and archives together with the spill over into test location, audit logs and reports – multiple structured and unstructured instances of data present in various form factors across numerous locations!
One of the most common and most effective approaches to protecting data is encryption. Both hardware and software-based encryption (cryptographic) solutions are available but selecting what is needed in terms of easy key management and scalability is not as simple as you might think. Encryption is typically employed on four layers of the technology stack:
- Disk (or media)
- File
- Database
- Application
The one that is easiest to deploy (Disk) offers the least protection, whereas the one that is the most complex to deploy (Application) can offer significantly higher levels of protection. Choosing which option or range of options needs some careful analysis and planning.
The pros and cons of encrypting at different layers in the technology stack
Generally, when you employ encryption lower in the stack (where Disk is the lowest) it’s less likely to interfere with operations in the layers above. In many cases, it will be totally transparent to users and no changes to applications will be necessary. Unfortunately, sole reliance on Disk encryption (which may be a free option with a database or operating system product purchase) only protects against physical theft and does little or nothing to prevent against malicious individuals inside and outside an organization.
Going to the other extreme and applying encryption at the Application layer enables organizations to protect primary account numbers (PANs) at the initial point of capture and can therefore significantly simplify PCI DSS compliance as well as delivering high levels of security. The major downside is that it normally involves significant application development work (which can be costly) and support for all the inevitable key management processes that will be required.
Important considerations to maximize your investment
In our latest book on data protection, “PCI Compliance & Data Protection for Dummies” we examine the various encryption technology options in detail, supplementing this with practical advice and tips on what may work best for different types of organizations. We identify places where simplification (through centralized control), especially in the demanding area of key management, is feasible and advantageous.
You can download a copy of the book at this link to find out more. The information provided should prove useful far and beyond any needs you have for meeting PCI DSS requirements. If you are wondering why this is important…it’s because it’s always best to approach data protection as a strategic investment rather than as a purely compliance-driven obligation.
Have questions? Feel free to leave a comment below.