Lost, stolen or strayed

Neglecting storage security

According to ESG, companies spend far more on network perimeter security than on storage security. But the report said that "the onslaught of publicly reported security breaches and impending legislation will cause a profound change in security investment priorities."

According to Steve Kenniston, vice president for corporate strategy at Iron Mountain, encrypting backup data takes time, and with an explosion in data at most companies, the time windows for backups are already squeezed. Although encryption offers better data security, he says, it may adversely affect data protection -- that is, making sure backup data is available quickly and easily for recovery purposes.

Kenniston urges his customers to consider classifying data according to its function and sensitivity. For example, the most sensitive data, such as payroll records, might be encrypted and/or electronically vaulted, whereas other data might not justify the cost of those measures. But this kind of data discrimination isn't something IT shops have typically done as part of their backup processes, he says.

Rent-A-Center, a Texas-based chain of 3000 consumer-goods rental stores, produces 30 to 40 unencrypted backup tapes every day and turns them over to Iron Mountain. The company is now implementing a "stem-to-stern encryption process" based on 128-bit keys and hash signatures, which can be used to reveal whether the contents have been altered, says KC Condit, director of technical services.

"There is some overhead with encryption," which is why the company hasn't done it until now, says Condit. "There have been some technology concerns and some people concerns as well. But we are getting to the point that you really can't afford not to do it."

Meanwhile, a local government body is scrapping its tape backup system in favour of backing up data to disk over a secure network to a remote site it owns. CIO Masood Noorbakhsh says the goals are to decrease the time it takes to run backups and restores and to increase security. Because it's a private network, it won't be necessary to encrypt the data in transit, he says.

Church Mutual Insurance produces about 10 backup tapes a day, and its employees move them to the basement of a bank two miles away. Using a company such as Iron Mountain would offer some advantages, says CIO Christopher Graham, but it would cost more.

Church Mutual typifies the many companies that have yet to join the embarrassed ranks of Bank of America, Time Warner, Ameritrade and Citigroup. "Management right now thinks that what we have in place is adequate," Graham says. "Nothing bad has happened yet, so why spend more money?"

An ounce of prevention

  • Perform a risk analysis of the entire backup process. Could a tape administrator secretly create copies of backup tapes? Are boxes of tapes left out in the open? Do couriers leave their trucks unlocked and unguarded during pickups and deliveries?
  • Do a cost-benefit analysis of backup data encryption. It should go deeper than hardware and software costs to include the labor costs of encryption-related tasks.
  • Inform business managers of risks, threats and potential losses from security breaches, as well as the costs of various security countermeasure options.
  • Consider regulatory issues. Security decisions should be made with existing and future privacy laws in mind.
  • Take an enterprise view. Information protection strategies must include all confidential data, not just data stored on back-office systems. Assess the risks to all confidential information, regardless of location, then create a priority list and schedule to address the top vulnerabilities.
  • Make storage security a function of overall information security policies and architecture.
  • Include security requirements in all requests for proposals. Make sure that preferred vendors have security skin in the game.
