Blog

Posts Tagged ‘Zserver Backup’

State Laws Encourage Backup Encryption

Sunday, January 24th, 2010

I heard a rumor recently that Iron Mountain, a leading provider of offsite storage for backup data, was implementing a new policy that all customer data must be encrypted.

It makes sense. Unencrypted backup media seems to be an increasingly common source of data breaches. Chase Bank lost data on an unencrypted backup tape. Information Vaulting Services lost a backup tape from the state of Arkansas containing unencrypted personal information on over 800,000 individuals. A third-party storage vendor lost an unencrypted backup tape from Bank of New York Mellon with sensitive information from 4.5 million customers. The list goes on, and on, and on…..and on.

While the organization entrusted with the data–Chase Bank, the state of Arkansas, or Bank of New York Mellon in the cases cited above–ultimately must pay the price for the data breach, both in terms of the broken trust with customers and damaged reputation, as well as any fines, penalties, and the cost of notifying and protecting customers, the fact is that these losses also reflect poorly on the third-party organizations responsible for securely storing the backup media.

Organizations like Iron Mountain that provide offsite storage have no way of knowing what data is contained on the media it stores for its customers, nor whether or not that data is encrypted or protected in any way. A tape is a tape is a tape and they are all handled and treated the same. Granted, a company that exists to provide secure offsite storage for backup data should not lose its customer’s backup media, but it shouldn’t bear any additional responsibility for personal or sensitive information being compromised as a result.

It turns out that the rumor I heard was incorrect. I spoke with Iron Mountain and I was told that it does not require customers to encrypt backup data–although it does believe its a good idea and highly recommends that customers consider doing so.

Apparently, the rumor stems, at least in part, from laws enacted in Nevada and Massachusetts. Those state laws require that personal information that could lead to identity theft be protected–even on backup media. Iron Mountain may not require it, but Nevada and Massachusetts do require that organizations in those states, or that conduct business in those states and/or result in personal information from citizens of those states being retained, encrypt information on backup media.

Suffice it to say, its just a good idea. Data at rest should be encrypted whether it is stored on servers on your internal network, or backup media stored offsite with a third-party.

Tags: , , , , , , , ,
Posted in Data Storage Security, Security Breaches & Data Loss Incidents | 1 Comment »

A Safe Isn’t Safe When it Comes to Protecting Data

Tuesday, January 19th, 2010

It sounds like a good idea to provide some extra security for your backup data by storing the media in a locked safe. It is certainly better than storing the media in an unlocked drawer or on a shelf somewhere. But, if a thief simply takes the whole safe, as happened to Goodwill of Greater Grand Rapids in Michigan, the data is not really protected any more.

While it seems fair to assume that the thief expected to find money inside, the safe actually contained names, addresses, dates of birth, and Social Security numbers from thousands of Goodwill workers. Since the thief took the whole safe, it also seems fair to assume he or she had a plan for how to open it and extract its contents.

After that, it gets a little more difficult to speculate. According to Jill Wallace, VP of Community Relations for Goodwill, the official stance seems to be based on an assumption that the thief is simply too dumb to know what a backup tape is or how to find out what is stored on it. “Basically it would be impossible for an individual to even know what to do with that data or even how to open it up.”

I’ve worked with backup tapes. While they may not be your standard audio cassette tape, it is obvious that it is a tape. Contrary to Wallace’s sentiment that the data must be safe because the thief would be too clueless to use it, I think its reasonable to believe that the thief *would* know that its a data tape, and–especially after the disappointment of realizing there is no money in the safe–the thief would do everything possible to determine what *is* on the tapes and try to make lemonade from lemons by capitalizing on the data they contain.

According to the article from the Grand Rapids News Channel 3 Web site, “Goodwill of Greater Grand Rapids thought that personal data would be more secure if those tapes were not in a corporate office, but inside one of its stores. The organization has decided not to do that anymore.”

I think Goodwill missed the point and learned the wrong lesson. The location of the safe is not the problem–thieves are just as likely to break into the Goodwill corporate office and take the safe. The issue is that the data stored on the backup tapes–or any other media you might store your backup data on–should be encrypted so that the data is protected even if the storage container is breached.

Tags: , , , ,
Posted in Security Breaches & Data Loss Incidents | 2 Comments »