Iron Mountain - Knowledge Center - Secure Data Protection: Separating Myth From Reality

Secure Data Protection: Separating Myth From Reality

While security is regularly in the headlines, it is one of the least understood areas of IT. This lack of knowledge has manifested itself in a series of myths about data security and backup encryption. Data protection experts from Enterprise Strategy Group, GlassHouse Technologies and Iron Mountain have gotten together to help you separate myth from reality - and to give you practical advice.

Myth: It is the responsibility of the backup administrator to worry about the integrity of backup data.

Reality: Backup data integrity and security are the responsibility of everyone in the company who is responsible for information protection and security.

Advice: Every company should have a Chief Risk Officer (CRO), a Chief Information Security Officer (CISO) or General Counsel representative who can communicate the importance of protecting corporate assets, and someone who can oversee the process of information security and protection.

Myth: The backup process is secure.

Reality: Think this through. IT employees generally do backups late at night. The tapes are often stored in unmarked boxes, picked up by delivery services, and transported over public transportation infrastructure. Even if nothing malicious occurs, tapes get lost, people make mistakes, and equipment fails. Just one lost tape could have devastating consequences.

Advice: Given these details, it is best to assume that the backup process is insecure, and then either live with this risk or address it directly through tape encryption.

Myth: Hackers use networks like the Internet to get into systems; they do not steal backup tapes.

Reality: Data thieves are no different from other criminals - they look for the easiest way to commit their crimes and get away with it. Unprotected tapes that can be easily stolen present a very attractive target.

Advice: Encrypt the most sensitive customer data in your environment that you back up. If there is a way to steal something, “data thieves” will figure out a way to get it.

Myth: Encryption is slow and expensive.

Reality: This used to be true, but abundant and cheap processing power is now readily available. Specialized manufacturers sell lightning-fast encryption chips, and these chips are often integrated into encryption solutions that encrypt at “wire speed.” Tape encryption is a modest insurance investment that won't impact the backup window.

Advice: Don't be afraid to explore multiple options for encrypting data. Utilizing encryption from the backup software is not always the answer.

Myth: Backup encryption is ineffective. Hackers can simply “crack” the tapes.

Reality: This false impression has its roots in reality. Many backup servers provide encryption using the 56-bit Data Encryption Standard (DES), which became a National Institute of Standards and Technology (NIST) standard in 1976. DES was in fact “cracked” by researchers in 1998 because its 56-bit encryption keys could be discovered through “brute force” by high-powered computers. Today's tape encryption products no longer use 56-bit DES but rather much stronger encryption algorithms like 128-bit 3DES (“triple DES”) or 256-bit AES. It would take millions of years to “crack” these algorithms even if you employed the world's most powerful supercomputers to do it.

Advice: Utilize the latest and greatest in encryption technology. Continual upgrades might not be simple, so have a process for carrying them out. Keep in mind that the standards are upgraded for a reason, and it makes sense to stay on top of the latest technology available.

Myth: If I do encrypt my backup tapes, I am protected.

Reality: Security is a process, not a product, so it is important to look at ALL the risks and threats. For example, do system passwords adhere to a secure model? Are they changed regularly? Do unauthorized personnel have “root” access to critical systems? How are the files decrypted, and by whom? Encrypting the backup tapes provides excellent data protection, but it is only a piece of an entire data security plan.

Advice: Having a good process in place for secure backup encryption is paramount to having a good, secure backup strategy. Assess risks, implement controls and technologies, remediate gaps, audit, and review.

Myth: If I am going to do encryption, I must encrypt all my data.

Reality: It is not necessary to encrypt all of the data that is backed up in an environment.

Advice: It is an important part of the job of the CRO or CISO to analyze the data within the corporation that, if it were compromised, could affect the business. This would be the most important information to encrypt.