Crypto Complete vs Disk Encryption
Disk drive encryption may help your organization to comply with PCI DSS standards, but there are strict requirements that must be followed. Additionally, relying solely on disk drive encryption for data protection has serious potential risks that your organization needs to be aware of.
Requirement 3.4.1 of the PCI DSS standards reads as:
3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.
3.4.1.a If disk encryption is used, verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native operating systems mechanism (for example, not using local user account databases).
3.4.1.b Verify that cryptographic keys are stored securely (for example, stored on removable media that is adequately protected with strong access controls).
3.4.1.c Verify that cardholder data on removable media is encrypted wherever stored. Note: Disk encryption often cannot encrypt removable media, so data stored on this media will need to be encrypted separately.
Your organization will also need to ensure you are in compliance with the Key Management requirements listed in sections 3.5 and 3.6 of the PCI DSS standards.
Risks of Disk Encryption
Disk encryption can minimize the risks if the physical disk drive is stolen, but disk encryption cannot protect an organization from an on-line attack by a hacker or rogue employee. Once a hacker gains access to the system, all data will be automatically decrypted regardless of which application (or tool) is running and regardless of the user’s credentials.
Additionally, encrypting the disk-drive (which is the lowest level in the application’s stack), leaves all layers above the disk-drive vulnerable to snooping. Given the complexity of today's applications, there are potentially numerous opportunities for attackers to snoop unencrypted data on a compromised machine.
Disk encryption has some short-term risk mitigation properties, but the strongest long-term data protection comes from encrypting data at the database column (field) level. With field encryption, data is protected no matter what the storage media (disk, tape, etc.) is, and no matter how many layers intervene between the application and the storage media.