Encryption: The Business Case for Protecting Data at Rest

By: Spectra Logic
Published: Feb 10, 2006
Length: 10
Type: White Paper

Overview:
Encrypting data prior to storage can be accomplished in several ways, but most have substantive disadvantages in cost, performance, scalability, or management. Read how Spectra Logic Corporation's BlueScale Encryption integrates hardware encryption directly into the electronics of a tape library, offering a practical, affordable, & scalable option.
While network and Internet security have been addressed through rigorous authentication and encryption to restrict access to sensitive personal, financial, and medical information, data at rest remains vulnerable. Restricting access to data backups has been accomplished primarily by restricting access to the backup media. Yet a single backup tape might contain millions of credit card transactions, thousands of medical records, and multiple copies of a company's public and not-so-public financial data. A single backup tape can also fall off a truck, be mislaid in a warehouse, fit in a jacket pocket of a disgruntled worker, or be retrieved by dumpster divers after a tape has been discarded.

Compliance with privacy regulations and explicit legal liability for accidentally exposed information are forcing many organizations to revisit their protection procedures for backup data and media.

Several high-profile examples have underscored the difficulty of the fortress approach. Companies with the most data tend to be the companies with the most sensitive data. It's unreasonable to expect that many thousands of backup tapes can be transported, stored, and discarded without a few ending up exposed to misfeasance or malfeasance.

A better solution is to encrypt the backup data, in the same way data is encrypted in network transfers. Like encrypted network data, this gives authorized users easy access while making it nearly impossible for unauthorized users to access data.

Encrypting data prior to storage can be accomplished in several ways, but most have substantive disadvantages in cost, performance, scalability, or management. Spectra Logic Corporation's BlueScale Encryption integrates hardware encryption directly into the electronics of a tape library, offering a practical, affordable, and scalable option. BlueScale exploits elements in the modular architecture of Spectra libraries to provide an easy-to-manage encryption solution.

Business Requirements for Encryption

A backup tape can contain a treasure trove of information that a network hacker can only dream about: company e-mail, customer databases, support databases, detailed sales and accounting figures, and salary and payroll data, all well-structured, accurate, and complete.

Several recent, high-profile cases have underscored the exposure and even driven new legislation to hold companies liable. A USA Today article dated June 13, 2005 listed several events this year, including:

- "CitiFinancial, which blamed UPS for losing data tapes with personal data for 3.9 million people last week, intends to start encrypting backup data in July."

- "[Bank of America], which lost data tapes for 1.2 million federal employees - including U.S. senators - in February, is testing encryption on backup tapes"

- "Shortly after it lost track of Social Security numbers and other data for 600,000 current and former U.S. employees in May, Time Warner decided to begin encrypting backup tapes..."

- "[Ameritrade] loses up to 200,000 personal records on lost backup tapes"

The article concluded, "Most businesses copy computer data on backup tapes for storage with third-party vendors in the event of a disaster. Few encrypt it, because doing so is costly and technically challenging."

Many regulations concerning privacy and protection dictate safeguards on all data, whether on the network or stored on backup media. Many organizations now need or will soon need to comply with one or more of the following:

- Payment Card Industry Data Security Standard (PCI DSS)

Covers credit card providers and merchants. As of June 30, 2005, Visa requires that any organization that processes more than 20,000 credit card transactions annually (that's an average of less than 55 a day) be certified compliant. The specification suggests: "Encryption is the ultimate protection mechanism because even if someone breaks through all other protection mechanisms and gains access to encrypted data, they will not be able to read the data without further breaking the encryption."

- Health Insurance Portability and Accountability Act (HIPAA)

Covers health care providers, insurance companies, and company health plans. Encryption is suggested for data security in Section 164.312 (2) (iv).

- Gramm-Leach-Bliley Act (1999)

Covers banks, brokerages, insurance companies, and financial institutions that receive customer information. Compliance with the data security and privacy provisions of this act requires secure backups (encryption recommended) and data destruction safeguards.

- U.K. Data Protection Act (1998)

Designates fair practices for the storage and transfer of personal data in the United Kingdom and European Union. Also mandates data destruction: 'Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.'