Make sure your organization’s data security and backup encryption are safeguarding your critical information, whether your data is stored on disk, tape or in the cloud. Kevin Beaver, founder and principal information security consultant for Principle Logic LLC, talks about the current issues surrounding data backup security with SearchDataBackup.com Assistant Editor John Hilliard. Listen to the podcast or check out the transcript below.
Download for later:
- Internet Explorer: Right Click > Save Target As
- Firefox: Right Click > Save Link As
What are the major challenges right now with offering encryption for data backups?
I think the major challenge is people not understanding what’s at risk. Many people in management believe that firewalls and anti-virus are all that’s needed to keep things in check, and in many situations, IT managers and security administrators are left holding the bag with no budget, no support to do what needs to be done. The other thing is that backup encryption has been notorious when it comes to complexity, as far as system administration, key management, deployment, just really ongoing oversight, and even price. But I believe that many of these barriers are going away… so we’ve gotten beyond some of these hurdles. I think the technology is ripe and ready for use.
Are appliances for encryption a viable option for SMBs, or are they too costly for most smaller organizations?
I think they’re viable. Spending a few thousand dollars on a technology that’s going to keep your business’s name out of the headlines is most likely worth it. Regardless of the size of your business, the risk is there. In so many situations, backups are at risk if they’re not encrypted. To me, it’s a no-brainer, it’s like not using whole disk encryption on laptop computers or not having any controls on your smartphone. It’s really just a ticking time bomb. I recommend that people go with an appliance, go with self-encrypting drives, go with software, just do something to keep your backups secure.
Are host-based, tape and disk encryption developed enough for widespread use, or are there still headaches involved with implementing any of these?
I see and hear people using these things all the time. These technologies are more than ready for mainstream, in fact, with all the government and industry regulations dumped on us these days, I can’t imagine running a shop without some sort of backup encryption technology. It’s really a great last step of protection in the event that something happens and will exempt you from many compliance requirements. You have to step back, and before you go down the path of encrypting your backups, just make sure that you’re addressing all the important areas, that you’re doing it for all the right reasons and you have the right people on board, be it internal staff or maybe you get some help from an outside consultant or perhaps better yet, your backup encryption vendor – have them help you deploy it, make sure it gets set up properly and just make sure everything is in check. If you go about it wisely, I don’t think you can fail.
We often hear about cloud storage, and how service providers promise data kept in the cloud is safe and secure. What are the protections often used by cloud providers, and are they robust enough to protect critical or private data?
I’m guessing that many of the cloud providers use some of these very encryption technologies that we’re talking about. But the reality is, you often don’t know. A SAS 70 Type 2 audit report is not enough, but that’s what a lot of these cloud providers will hand over when you start asking them security questions. The thing is, you may be able to just ask your cloud provider how they’re protecting your data, how is it being done, how is it being protected [and] what technologies are you using. An interesting thing that I’m finding out is that your backups are only as secure as the web applications on the other end. You wouldn’t believe some of the glaring security holes I see on web portals that are designed to protect this type of sensitive information. So you need to find out what measures your cloud providers have taken… to ensure that their web environment is secure. Firewalls and SSLs just aren’t enough, you’ve got to make sure that everything is in check and that they’ve verified that things are in check through security testing, vulnerability assessments, penetration tests, things like that. So, in the end, it’s up to you to ask the tough questions and make sure that your cloud providers have your best interests in mind.
What are some of the common issues with cloud provider security that you’ve seen?
It’s really the web front end, the application that you log into, where you go and manage all of your stuff, whatever the application or the cloud service is for. I see a lot of issues with the login mechanism, I see where weak passwords are allowed, I see things like SQL injection and application logic flaws that will allow someone who does have legitimate credentials to actually elevate their privileges within the application. There’s a lot of stuff that’s not going to be uncovered by a SAS 70 Type 2 audit or going to be uncovered in a basic vulnerability scan. This is something that you have to dig into the application and see what’s there, what can be manipulated from the perspective of the bad guys.
On the other side of the issue, how seriously do organizations handle the disposal of old storage media like tape and disk? Do they do enough to destroy any data remaining?
I believe many people have good intentions and know how to properly destroy old storage media. In fact, a lot of organizations that I’ve seen, a lot of people that I speak with, they have a specific policy, a specific process for handling all that. One of the most common questions that I get is, “How should I destroy my old backup media?” Even if you recycle your media at some sort of electronics recycling facility or you throw it away, you really don’t know for sure where it’s going to end up, whose hands it’s going to fall into and what could potentially happen. I tell people to destroy it themselves if possible – you can use a degausser, you can physically destroy the media, you can buy a machine to do that, you can work a formal process around that, so long as you’re doing something. Interestingly, it’s not just old media that’s at risk: People are handling existing media in risky ways as well, as shown on the Privacy Rights Clearinghouse Chronology of Data Breaches. This year alone, about 2 million sensitive personal records have been compromised in data breaches involving unencrypted and mishandled backup. So I’m guessing that’s the tip of the iceberg as well. What goes undetected and unreported?
This was first published in September 2011