Posts Tagged ‘Zserver Storage’

Zserver Protects Data in the Cloud

Friday, June 18th, 2010

A ComputerWorld article titled Cloud Security in the Real World: 4 Examples cites Zecurion’s Zserver as a cloud-based storage encryption solution.

Examining the issue of data encryption in the cloud, the article states “Several providers of cloud-based backup storage install appliances at the customer site to accommodate encryption, but Flushing was not interested in that setup.”

It also explains “At Flushing Bank in New York, CIO Allen Brewer turned to the cloud for data backup after getting fed up with on-site tape backup. Using Zserver from Zecurion, Flushing is now sending files over the Internet to be stored for backup.”

Read the white paper Protecting Data in the Cloud to learn more about encrypting and protecting data in the cloud with Zecurion’s Zserver.

Tufts University Alumni Data Exposed by Malware

Monday, June 14th, 2010

What is it about networks and data at universities and medical establishments? It seems like almost every breach of sensitive or personal data is related to these two types of institutions. Are they targeted more often than other types of networks, or do they just have weaker security and poorer data protection mechanisms in place?

Following on the heels of the recent botnet compromise at Penn State University, Tufts University has discovered that “several computers were recently exposed to an unknown virus or malicious software program.” As a result, roughly 7000 alumni may have had their student ID numbers exposed, and, as at Penn State University, the breached data is legacy data from a time when the university used the student’s Social Security number as their student ID number.

Universities, including both Penn State University and Tufts University, have abandoned that practice, but apparently have not found the time to go back through archive data and old databases to purge legacy information from the servers. While that is still a good idea, and a project that these universities should be pursuing, having sufficient data protection controls in place, such as encrypting the stored data, would ensure that it would not be exposed even in the event of a malware compromise or breach of the server itself.

A small investment in proactive security measures goes a long way and saves the organization from the lost reputation, time, and money involved in responding to a data breach incident.

State Laws Encourage Backup Encryption

Sunday, January 24th, 2010

I heard a rumor recently that Iron Mountain, a leading provider of offsite storage for backup data, was implementing a new policy that all customer data must be encrypted.

It makes sense. Unencrypted backup media seems to be an increasingly common source of data breaches. Chase Bank lost data on an unencrypted backup tape. Information Vaulting Services lost a backup tape from the state of Arkansas containing unencrypted personal information on over 800,000 individuals. A third-party storage vendor lost an unencrypted backup tape from Bank of New York Mellon with sensitive information from 4.5 million customers. The list goes on, and on, and on… and on.

While the organization entrusted with the data–Chase Bank, the state of Arkansas, or Bank of New York Mellon in the cases cited above–ultimately must pay the price for the data breach, both in terms of the broken trust with customers and damaged reputation, as well as any fines, penalties, and the cost of notifying and protecting customers, the fact is that these losses also reflect poorly on the third-party organizations responsible for securely storing the backup media.

Organizations like Iron Mountain that provide offsite storage have no way of knowing what data is contained on the media they store for their customers, nor whether or not that data is encrypted or protected in any way. A tape is a tape is a tape, and they are all handled and treated the same. Granted, a company that exists to provide secure offsite storage for backup data should not lose its customers’ backup media, but it shouldn’t bear any additional responsibility for personal or sensitive information being compromised as a result.

It turns out that the rumor I heard was incorrect. I spoke with Iron Mountain and I was told that it does not require customers to encrypt backup data, although it does believe it’s a good idea and highly recommends that customers consider doing so.

Apparently, the rumor stems, at least in part, from laws enacted in Nevada and Massachusetts. Those state laws require that personal information that could lead to identity theft be protected, even on backup media. Iron Mountain may not require it, but Nevada and Massachusetts do require that organizations located in those states, or that conduct business in those states in a way that results in personal information about their citizens being retained, encrypt the information on backup media.

Suffice it to say, it’s just a good idea. Data at rest should be encrypted whether it is stored on servers on your internal network or on backup media stored offsite with a third party.

Protecting Your Fourth Amendment Rights in the Cloud

Monday, January 18th, 2010

It should not come as a surprise to learn that technology and digital data are evolving faster than the law can adapt. From copyright to privacy law, issues arise on a regular basis where existing laws and legal precedence simply don’t make sense in the context of electronic media and Internet communications.

The Fourth Amendment of the Constitution of the United States protects citizens against unreasonable search and seizure of property. Storing data in the cloud creates some gray area when applying those Fourth Amendment rights, though. If a law enforcement agency has a probable justification to investigate the cloud storage provider and seize the servers it owns, how does that impact your Fourth Amendment right not to have *your* data on those servers seized?

A recent article on CNet explores the question of whether or not your Fourth Amendment rights are protected in the cloud. The article focuses on a paper featured in the June 2009 edition of the Minnesota Law Review titled “Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing.” In the paper, University of Minnesota Law School student David A. Couillard provides a detailed and insightful analysis of the issues faced when applying the Fourth Amendment on the Internet.

In the paper, Couillard notes:

Hypothetically, if a briefcase is locked with a combination lock, the government could attempt to guess the combination until the briefcase unlocked; but because the briefcase is opaque, there is still a reasonable expectation of privacy in the unlocked container. In the context of virtual containers in the cloud…encryption is not simply a virtual lock and key; it is virtual opacity.

Basically, the fact that your data is stored in an encrypted state, even when stored on servers belonging to a third party, implies an expectation of privacy.

Ultimately, Couillard suggests a legal framework that applies Fourth Amendment rights by treating data stored with third-party providers the same as personal possessions kept in a storage unit, or valuables stored in a bank safe deposit box:

[T]he service provider has a copy of the keys to a user’s cloud “storage unit,” much like a landlord or storage locker owner has keys to a tenant’s space, a bank has the keys to a safe deposit box, and a postal carrier has the keys to a mailbox. Yet that does not give law enforcement the authority to use those third parties as a means to enter a private space.

The same rationale should apply to the cloud. In some circumstances, such as search engine queries, the third party is clearly an interested party to the communication. But when content data, passwords, or URLs are maintained by a service provider in a relationship more akin to that of landlord-tenant, such as private Google accounts, any such data that the provider is not directly interested in should not be understood to be open to search via consent or a waiver of Fourth Amendment protection.

This paper is simply a proposal from a law student and doesn’t represent any existing legal framework or precedent. However, the arguments seem sound. In the absence of an established legal precedent that makes sense, ensuring your data is stored in an encrypted state can serve as evidence of a reasonable expectation of privacy and help to preserve your Fourth Amendment rights even in the cloud.

A Server Breach Does Not Have to be a Data Breach

Monday, January 11th, 2010

Stop and think about your bank for a minute. Do they pile the money up in the middle of the lobby? Why not? There are locks on the doors.

No. The bank does have locks on the doors…and an alarm system…and armed security guards…and video surveillance…and yet, they still keep the money locked in a vault–just.in.case. Even if intruders manage to break through or bypass all of the other security measures, the money will still not be compromised because it is in a locked vault.

Organizations need to treat sensitive data the same way banks treat money. The security controls in place (firewalls, intrusion detection, antimalware, etc.) are great, and necessary, but sensitive information like Social Security numbers, account numbers, etc. needs to be encrypted for that extra measure of protection, to ensure it cannot be breached even if malicious intruders manage to circumvent the other security controls.

The school district in Eugene, OR had security in place on its server, but attackers were able to bypass it. That server contained information on 13,000 current and former employees including names, addresses, dates of birth, Social Security numbers, tax identification numbers and direct-deposit bank account information. If the school district had encrypted the data on the server using a tool like Zecurion ZServer Storage, the sensitive information could have been protected even though attackers breached the server.