Ten ways you can make your data backups more secure


Kevin Beaver
11.10.2008


Data backups are an essential element of good storage security, but they're often the source of security woes. In fact, a significant percentage of security breaches can be attributed to the mismanagement and mishandling of data backups. Simply skimming through the Privacy Rights Clearinghouse's Chronology of Data Breaches shows that adequate data backup controls are lacking.

Millions of records have been compromised in 2008 alone in backup-related gaffes. And these are just the known breaches affecting personal information. There's little doubt that unknown and unreported data backup-related compromises affecting all types of sensitive information -- including intellectual property -- are just as plentiful.

Many storage professionals responsible for backups believe that the mere existence of a process for replicating sensitive data is all that's needed to keep the organization secure. But that's only half the battle. It's what can be done with the data backups after the fact that introduces an entirely different set of risks that are often overlooked. Here are 10 ways you can ensure that your data backups are secure:

  1. Ensure your security policies include backup-related systems within their scope. Practically every type of security policy -- from access controls to physical security to system monitoring -- applies directly to data backups.
  2. Include your data backup systems in your disaster recovery and incident response plans. Data backups can be breached, compromised or destroyed. Be it a malware outbreak, employee break-in or hurricane -- otherwise good backups can be adversely affected and you need to have a plan outlining what you're going to do if that time comes.
  3. Assign backup software access rights only to those who have a business need to be involved in the backup process. Be sure not to overlook any Web-based interfaces that provide backup access and keep your original backup software media secured as well.
  4. Store your backups offsite or at least in another building. I know this sounds pretty basic, but I still see it a lot. A fire or other incident could be all that's needed to take out your data center and your backups in one fell swoop.
  5. However you choose to store your backups -- be it on tape, network-attached storage (NAS), or external drives -- be sure to control access to the room/car/house in which the backups are stored. Handle your backup media as you would any other critical hardware.
  6. Use a fireproof and media-rated safe. Many people store their backups in a "fireproof" safe, but typically one that's only rated for paper storage. Backup media such as tapes, optical disks and magnetic drives have a lower burning/melting point than paper and a standard fireproof safe only serves to provide a false sense of security.
  7. Find out the security measures that your vendors for offsite storage, data center and courier services are taking to ensure that your backups remain safe in their hands. Although lawyers like good contracts, they're not enough. Contracts do offer fallback measures but they won't keep sensitive data from being exposed in the first place, so make sure reasonable and consistent security measures are taking place with any vendor that has a hand in your backups.
  8. Password-protect your backups at a minimum. Passwords aren't foolproof, because some people with special skills and tools may be able to crack them, but password protection is better than nothing and at least provides a layer of security.
  9. Encrypt your backups if your software and hardware support it. As with laptop computers and other mobile devices, portable backup media need to be encrypted with strong passphrases especially if they're ever removed from the premises. Encryption implemented and managed in the right way serves as an excellent last layer of defense. It also helps provide peace of mind knowing that the worst outcome is that you'll have to buy new backup media -- especially when it comes to compliance and data breach notifications.
  10. You've heard it a thousand times but it deserves repeating: Your backups are only as good as what's on the backup media. There are two sides to this coin. First, make sure you're backing up everything that's important. Most backups are server-centric, but what about all of that unstructured data scattered about on your workstations and mobile devices that isn't getting backed up? Second, test your backups occasionally -- especially if you're using tape. There's nothing worse than recovering from a loss only to find out you backed up the wrong data or no data at all.
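
An added example (not from the original article) of the check in tip 10: it reads every file back out of a tar archive, hashes it, and compares the result against the live source tree, flagging files the job never captured and archives that hold no data. The `verify_backup` helper, the paths and the sample files are constructed for illustration.

```python
import hashlib, os, tarfile, tempfile

def hash_stream(f):
    """SHA-256 of a binary file object, read in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: f.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_backup(archive_path, source_dir):
    """Read every file back from the archive and compare it with source_dir."""
    report = {"missing": [], "mismatched": [], "verified": []}
    archived = {}
    with tarfile.open(archive_path) as tar:
        for m in tar.getmembers():
            if m.isfile():  # reading the member proves the media is readable
                archived[os.path.normpath(m.name)] = hash_stream(tar.extractfile(m))
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, source_dir)
            with open(full, "rb") as f:
                digest = hash_stream(f)
            if rel not in archived:
                report["missing"].append(rel)      # never backed up
            elif archived[rel] != digest:
                report["mismatched"].append(rel)   # changed since backup, or damaged
            else:
                report["verified"].append(rel)
    # An archive with no files fails even if nothing is "missing".
    report["ok"] = bool(archived) and not (report["missing"] or report["mismatched"])
    return report

def demo():
    """Constructed sample: the job archives server/ but never sees laptop/."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "data")
        for rel, body in {"server/db.sql": b"orders", "laptop/notes.txt": b"design"}.items():
            os.makedirs(os.path.dirname(os.path.join(src, rel)), exist_ok=True)
            with open(os.path.join(src, rel), "wb") as f:
                f.write(body)
        archive = os.path.join(tmp, "nightly.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(os.path.join(src, "server"), arcname="server")
        return verify_backup(archive, src)

if __name__ == "__main__":
    print(demo())
```

Files modified after the backup ran also show up as mismatched, so run the comparison against a snapshot or right after the job completes.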

Odds are that many of these data backup weaknesses exist in your shop. It'll pay to find out where you're vulnerable before you're impacted. Look at both your data backup processes and systems to identify where the gaps are. Or hire an unbiased third party to find the holes. It's usually little problems like these that are not so obvious to uncover but oh so painful when the time comes.

About the author: Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent information security assessments. Kevin has authored/co-authored seven books on information security including "Hacking For Dummies" and "Hacking Wireless Networks For Dummies". He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy