New Demands and Requirements for Tape Encryption

By: Spectra Logic
Published: Feb 10, 2006
Length: 9
Type: Analyst Report

Overview:
Most companies continue to turn their backs on backup encryption because they think it will lead to new costs, performance problems, and recovery headaches. Read why ESG believes things are about to change to radically upset the backup encryption status quo and why Spectra Logic's recent entry into backup encryption is worth noting.
 
In spite of a series of embarrassing "tape loss" headlines in 2005, most companies continue to turn their backs on backup encryption. Why? Most storage professionals still think that backup encryption will lead to new costs, performance problems, and recovery headaches, so they continue to turn a blind eye toward the problem.

ESG believes things are about to change in ways that will radically upset the backup encryption status quo. This white paper concludes:

- Backup encryption will move from the storage fringes into the mainstream. Over the next few years, a combination of new privacy regulations, security threats and technology offerings will inspire large organizations to embrace backup encryption.

- Users must learn that backup encryption goes beyond scrambling data. As encryption becomes more routine, firms must look past cryptographic operations and consider things like key management, ease of use, role-based access control, and key protection.

- Spectra Logic's BlueScale Encryption solution is in the right place at the right time. Spectra Logic's recent entry into backup encryption is worth noting. The company has done a good job of matching security protection with management requirements and existing backup operations.

Backup Encryption Continues To Lag

The year 2005 will certainly be remembered for the number of publicly disclosed security breaches related to lost backup tapes. In February, the Bank of America reported that it had lost a box of tapes in transit containing account information on 1.2 million federal employee credit cards. Financial services giant Citicorp suffered the same fate in June, losing tapes holding the personal information of 3.9 million customers. As the year 2005 wound to an end, Marriott Vacation Club International added another record to the lost tape annals. The travel and leisure company announced that it had lost tapes containing 206,000 employee, time-share, and customer records.

This is just a small sample of the widespread lost tape problem, but it does paint a frightening picture. Bank of America, Citicorp, and Marriott are world-class companies with sophisticated IT operations. How could these well-run organizations simply misplace their critical data assets?

Unfortunately, it's easy to make this mistake for several reasons. First off, the backup and off-site rotation procedure is full of manual processes, loose tape cartridges, unmarked boxes, loading docks, and third-party shipping. As boxes of tapes are transported from location to location, they can easily get lost in a warehouse, be delivered to the wrong location, or simply disappear. It happens all the time.

Of course, this would not be an issue if organizations simply encrypted their backup tapes using a standard 128- or 256-bit AES algorithm. Without access to the encryption key, an attacker would have a chance of approximately one in a million million million of successfully breaking a 128-bit cipher with a brute force attack.

Given this level of protection, one would assume that security-conscious organizations would include tape encryption in their standard security defenses. Unfortunately, this hypothesis simply isn't true. In a survey of 388 storage professionals, ESG found that only 7% of users claim that they always encrypt their backup data while 60% say that they never do (see Figure 1).

These broad market numbers are certainly disheartening, so ESG decided to further examine the data, looking at backup encryption behavior by industry and company size. Regrettably, this study led to more bad news. Security-focused industries like financial services, healthcare, and government agencies do not encrypt their backup tapes on a regular basis. When encryption habits are analyzed by company size, large enterprises are only slightly more apt to encrypt their backups than smaller firms (see Figure 2).

Why Hasn't Tape Encryption Caught On?

Encryption is a well-understood security defense that is used to protect data confidentiality and integrity throughout the enterprise. Network communication is commonly encrypted using an IPsec VPN when it is transported across an untrusted network. E-mail is often secured using the S/MIME protocol, which supports encryption based upon the RSA public-key encryption technology. Many consumer banking and e-commerce sites use the ubiquitous SSL protocol to encrypt private information like account or credit card numbers between clients and servers. Since these encryption technologies are already an accepted piece of enterprise security, why hasn't backup encryption proliferated as well?