Data backup security is an ongoing challenge for many organizations, and encryption is an obvious step to protect backup data. However, there are a number of ways to perform backup encryption today. One is to use an encryption appliance: a device that sits in the backup stream and encrypts data as it is sent to the backup target. But are encryption appliances right for your particular needs? Kevin Beaver, information security consultant with Principle Logic LLC, discusses the pros and cons of using encryption appliances for backup encryption and what you need to consider before deploying one. His answers are also available as an MP3 below.
Table of contents:
>> Who needs an encryption appliance?
>> What are the benefits of using an appliance for encrypting data backups?
>> What are the drawbacks of using an appliance for encrypting data backups?
>> Are encryption appliances widely used today?
>> Can you get similar benefits at a lower cost?
>> Who needs an encryption appliance?
I'd say that encryption is becoming one of those necessary technical controls, because tape backups, and other kinds of backup media, have evolved to the point where they are growing legs and can run away. I just looked at the Privacy Rights Clearinghouse's Chronology of Data Breaches, and several mishaps involving data backup media have occurred in the past few months alone.
For example, earlier this year an Arkansas Department of Information Systems tape with over 800,000 records containing criminal background check information went missing from an information protection company's vault. About a month after that, a civilian employee of NYPD's pension fund was accused of stealing tapes containing the social security numbers and bank account information of more than 80,000 police officers. Also, as many as 100,000 patients of Peninsula Orthopedic Associates had their information breached when tapes containing sensitive records were stolen. And, these are just the breaches that have been reported. What about all the other issues that are overlooked or kept under wraps?
Now, whether the tapes in these breaches were encrypted is unknown. But I can tell you that, based on what I see in my work performing security assessments, I'd be willing to bet that they weren't. So, to answer the second part of your question, really any organization that has a need to stay out of hot water when it comes to compliance or other regulations can benefit from encryption appliances.
>> What are the benefits of using an appliance for encrypting data backups?
First of all, they are transparent to the operating system and the applications. They just kind of sit right in the middle of the backup stream. There is minimal configuration required. They can be easier to manage in terms of compliance. A lot of them have audit logging and recording features, which you probably won't get otherwise. Also, you are typically going to get better and more secure encryption key management. These devices either store the keys within the device itself or work with a third-party key management application.
>> What are the drawbacks of using an appliance for encrypting data backups?
First of all, they can be pricey, so you have to be open to the investment involved in purchasing and maintaining the appliance. The implementation can take a good amount of time to get everything set up and tweaked for your particular network. The biggest thing is that it's just another piece of equipment to patch and maintain.
>> Are encryption appliances widely used today?
I'm actually not. I work with small businesses up through large enterprises and I'm not really seeing a lot of application in this area. I think the reality of it is that so many organizations can't get their arms around data storage, data backup and especially information security. So how can an IT staff struggling with day-to-day IT issues deploy another complex technology, when they don't have the time, effort or money to spend on other aspects of IT?
That being said, there are organizations in which management believes that as long as they have some nice technical controls around backup, then everything will be hunky dory. That could be a driver for the encryption appliance market. But, the reality of it isn't that simple. These technical controls can't just be thrown in place and expected to work without having some sort of overhead.
Encryption is usually one of those things that comes out of the checklist audits that so many organizations are performing against their systems. Whether or not that's the right way to go about it is to be determined by your organization.
>> Can you get similar benefits at a lower cost?
Absolutely. Most current backup applications have built-in backup encryption capabilities. So, it doesn't matter whether you are writing to tape, to disk, whatever. The problem with going that route is the overhead required for backup time and management. Especially with tape, it can become overwhelming trying to figure out what to encrypt and what not to encrypt. It can also create some administrative gaps and potentially even availability issues. There are also tape libraries on the market with built-in encryption.
But really, you have to take a step back and ask yourself what really matters here. Are you worried about a tape going missing? Is price an issue? Is overall business risk management an issue? How does it fit into your environment? That's going to determine whether you need an encryption appliance or if you can do this with something you may already own.
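The last answer points at doing this "with something you may already own." As an added example (not from the article, and not Kevin Beaver's or any vendor's code), the shell script below encrypts a backup stream in-line with openssl, which nearly every host already has, and illustrates two of the points raised earlier: the key is kept in a file that lives somewhere other than the backup media (the key-management concern from the benefits answer), and an HMAC of the ciphertext is stored alongside it so a tampered or truncated image is detected before a restore is attempted. The directory layout, the sample record and the key file path are all constructed for the example; `openssl enc` with PBKDF2 requires OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Added example (not from the article): encrypt a backup stream with tools
# most hosts already have, keep the key off the media, and detect tampering.
set -eu

ITER=100000   # PBKDF2 iterations for openssl enc's passphrase-to-key derivation

# Generate a random 256-bit key (hex) with owner-only permissions.
# The key file must live somewhere other than the backup media itself;
# losing it makes every image encrypted with it unrecoverable.
make_key() {                      # $1 = key file path (hypothetical location)
  ( umask 077; openssl rand -hex 32 > "$1" )
}

# HMAC-SHA256 of a file, keyed with the key file's contents; prints hex only.
# Note: the key is passed on the command line here, so it is briefly visible
# to other local users via ps; acceptable for a demo, not for a shared host.
hmac_of() {                       # $1 = file, $2 = key file
  openssl dgst -sha256 -hmac "$(cat "$2")" "$1" | awk '{print $NF}'
}

# Stream a directory through tar, encrypt it, and write an HMAC of the
# ciphertext beside it. Encrypt-then-MAC: the MAC covers the ciphertext,
# since AES-CBC on its own gives confidentiality but no integrity.
backup_encrypted() {              # $1 = source dir, $2 = key file, $3 = output
  tar -C "$1" -cf - . \
    | openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -pass "file:$2" -out "$3"
  hmac_of "$3" "$2" > "$3.hmac"
}

# Returns 0 only if the stored HMAC matches the ciphertext now on disk.
verify_backup() {                 # $1 = encrypted file, $2 = key file
  [ "$(hmac_of "$1" "$2")" = "$(cat "$1.hmac")" ]
}

# Verify first; refuse to touch a modified image. Then decrypt and unpack.
restore_encrypted() {             # $1 = encrypted file, $2 = key file, $3 = dest dir
  verify_backup "$1" "$2" || { echo "HMAC mismatch: refusing to restore $1" >&2; return 1; }
  mkdir -p "$3"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
    -pass "file:$2" -in "$1" | tar -C "$3" -xf -
}

# Returns 0 if the given plaintext marker does not appear in the ciphertext,
# a cheap sanity check that the stream really was encrypted before it hit disk.
no_plaintext_leak() {             # $1 = encrypted file, $2 = marker string
  ! grep -aq -- "$2" "$1"
}
```

This is the minimum a practitioner would want from the "built-in" route: the tape or disk image is useless without the key file, and a restore that would silently unpack a corrupted or altered image is refused up front. It does not give you what the appliance answer lists as its advantages, namely audit logging of who encrypted or restored what, or key rotation and escrow; those still have to be built around it, which is the "overhead" the answer above warns about.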