#1 (permalink)

Guest | Bitlocker and PCI Compliance

I’m currently developing a .NET application to acquire and authorize transactions from Visa, Mastercard, ATMs and POS devices. I’m looking for advice on how to implement the PCI (Payment Card Industry) standards which require data at rest be encrypted. Bitlocker may be a solution but it is unclear how backups and shadow copy will work. I’d appreciate hearing from anyone who has some real world exposure to this new technology and can comment on these concerns.

-- RodW
#2 (permalink)

Guest | RE: Bitlocker and PCI Compliance

> I’m currently developing a .NET application to acquire and authorize
> transactions from Visa, Mastercard, ATMs and POS devices. I’m looking for
> advice on how to implement the PCI (Payment Card Industry) standards which
> require data at rest be encrypted. Bitlocker may be a solution but it is
> unclear how backups and shadow copy will work. I’d appreciate hearing from
> anyone who has some real world exposure to this new technology and can comment
> on these concerns.

You need to discuss this with your auditor. Anything anyone says on the newsgroups is unlikely to be accepted as official advice.

Bitlocker has no impact on backups, and it has nothing to do with shadow copy. If you are referring to shadow copies locally, they would be on the boot volume, and Bitlocker would encrypt the entire boot volume. Therefore, the shadow copies would be encrypted as well. If you use BitLocker to encrypt non-boot volumes (which is not supported in Vista) then the situation might change.
#3 (permalink)

Guest | Re: Bitlocker and PCI Compliance

Rod,

Bitlocker encrypts the local disk only. If you copy anything off the disk to cd/floppy/tape/network/whatever, then it's not encrypted - as soon as it leaves the disk it's in clear.

This also means that anyone connecting to the drive on the pc remotely (i.e. they map a network drive to it) gets to see the data in clear. But then if you don't enable file sharing on the pc then that shouldn't be an issue.

If you don't allow remote access, and any copies/backups you take are encrypted by a.n.other means, then you're probably ok PCI-wise.

But anyway, are you running this on a Vista PC? I'd have expected such an application to be run on a server, and currently released server o/s's - i.e. Windows 2003 - don't support bitlocker. For those you'd be looking at EFS or a.n.other 3rd party solution.

> I’m currently developing a .NET application to acquire and authorize
> transactions from Visa, Mastercard, ATMs and POS devices. I’m looking for
> advice on how to implement the PCI (Payment Card Industry) standards which
> requires data at rest be encrypted. Bitlocker maybe a solution but it is
> unclear how backups and shadow copy will work. I’d appreciate hearing from
> anyone who has some real world expose to this new technology and can comment
> on these concerns.

Neil Pike. Protech Computing Ltd
#4 (permalink)

Guest | Re: Bitlocker and PCI Compliance

The app is server based. Bitlocker runs on Longhorn. So far here are my options:

1) Column level hashing (no need to return it to clear state) or shared secret encryption.
2) Bitlocker on Longhorn
3) Third party like Vormetric.

Option 1 seems best when some small portion of overall data needs protection. Flat files that contain the data for use downstream become a problem. Lots of programming needed.

Option 2 works for data at rest, once an authenticated user with read permission gets the data it can leave the server in clear. This is true for backups. I think shadow copy would write data encrypted.

Option 3 -- is like option 2 except it adds an additional security layer to make sure admins (and any user w/o permission) can read the data but get it returned encrypted.

-- RodW

"Neil Pike" wrote:

> Rod,
>
> Bitlocker encrypts the local disk only. If you copy anything off the disk to
> cd/floppy/tape/network/whatever, then it's not encrypted - as soon as it leaves
> the disk it's in clear.
>
> This also means that anyone connecting to the drive on the pc remotely (i.e.
> they map a network drive to it) gets to see the data in clear. But then if you
> don't enable file sharing on the pc then that shouldn't be an issue.
>
> If you don't allow remote access, and any copies/backups you take are
> encrypted by a.n.other means, then you're probably ok PCI-wise.
>
> But anyway, are you running this on a Vista PC? I'd have expected such an
> application to be run on a server, and currently released server o/s's - i.e.
> Windows 2003 - don't support bitlocker. For those you'd be looking at EFS or
> a.n.other 3rd party solution.
>
> > I’m currently developing a .NET application to acquire and authorize
> > transactions from Visa, Mastercard, ATMs and POS devices. I’m looking for
> > advice on how to implement the PCI (Payment Card Industry) standards which
> > requires data at rest be encrypted. Bitlocker maybe a solution but it is
> > unclear how backups and shadow copy will work. I’d appreciate hearing from
> > anyone who has some real world expose to this new technology and can comment
> > on these concerns.
>
> Neil Pike. Protech Computing Ltd
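
The hashing branch of option 1 in the post above, as an added example that is not code from anyone in this thread. It swaps the bare hash for a keyed one (HMAC-SHA-256), because a card number has few enough unknown digits that an unkeyed hash can be reversed by enumeration; the shared-secret encryption branch is not shown. The function names, column names and key are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample key. In a deployment the key is held outside the
# database (key vault or HSM), not in source code.
DEMO_KEY = bytes(range(32))


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped or garbage numbers before storage."""
    digits = [int(c) for c in pan]
    # Double every second digit, starting from the one left of the check digit.
    for i in range(len(digits) - 2, -1, -2):
        doubled = digits[i] * 2
        digits[i] = doubled - 9 if doubled > 9 else doubled
    return sum(digits) % 10 == 0


def protect_pan(pan: str, key: bytes) -> dict:
    """Return the two column values stored in place of the clear card number."""
    pan = pan.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("card number must be 13 to 19 digits")
    if not luhn_ok(pan):
        raise ValueError("card number fails the Luhn check")
    # One-way and keyed: equal cards give equal tokens (so joins and
    # duplicate checks still work), but the token cannot be recomputed
    # by someone who holds only a copy of the table or its backup.
    token = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    # First six and last four digits kept for support staff and receipts.
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return {"pan_token": token, "pan_masked": masked}


def same_card(pan: str, stored_token: str, key: bytes) -> bool:
    """Match an incoming card against a stored token in constant time."""
    candidate = protect_pan(pan, key)["pan_token"]
    return hmac.compare_digest(candidate, stored_token)


if __name__ == "__main__":
    # 4111 1111 1111 1111 is a publicly documented test number, not a real card.
    row = protect_pan("4111 1111 1111 1111", DEMO_KEY)
    print(row["pan_masked"], row["pan_token"][:16] + "...")
    print(same_card("4111111111111111", row["pan_token"], DEMO_KEY))
```

Because the stored values never contain the clear number, a backup or flat-file export of this column stays protected after it leaves the disk, which is the gap the replies identify for volume-level encryption.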
#5 (permalink)

Guest | Re: Bitlocker and PCI Compliance

Rod,

If it's server based then if you use bitlocker, what's going to happen when the server is rebooted? If you're prompting for a password/pin then that's going to stop the server coming up automatically. Leaving a USB key permanently attached wouldn't be great for security.

> The app is server based. Bitlocker runs on Longhorn. So far here are my
> options:
> 1) Column level hashing (no need to return it to clear state) or shared
> secret encryption.
> 2) Bitlocker on longhorn
> 3) third party like vormetric.
>
> Option 1 seems best when some small portion of overall data needs
> protection. Flat files that contain the data for use downstream become a
> problem. Lots of programming needed.
> Option 2 works for data at rest, once an authenticated user with read
> permission gets the data it can leave the server in clear. This is true for
> backups. I think shadow copy would write data encrypted.
> Option 3 -- is like option 2 except it adds additional security layer to
> make sure admins (and any user w/o permission) can read the data but get it
> returned encrypted.

Neil Pike. Protech Computing Ltd