So I've been wracking my brain on this one, and I'm hoping some community involvement might help.
I'm trying to have a healthy way to back up some PCI In-Scope devices.
Storing the devices and credentials to get into them requires you to have a username and password somewhere, because not all devices support certificate based authentication. So somewhere you have to have a system that accesses a plain text, "this username, this password." It could be stored in a database, and the database itself is encrypted, but somewhere you need to have some method that says, "You'll access this database at this location with these credentials", so if its on the same host as the backup system, where's the real mitigation?
PCI data at rest needs to be encrypted. So, the config files when resting need to be in an encrypted location. Which, I suppose an EFS should handle that accordingly, and as long as you limit access to the box, shouldn't be that bad. But if you're using encryption at rest, wouldn't the mitigated risk by the device list in an encrypted database not be as necessary?
Am I overthinking this as a problem, or is backing up plain text files of configs just something that isn't as complicated as I feel it's being? Or maybe I'm just circling around in my own head for the day overthinking issues.