"Never underestimate the bandwidth of a '56 Buick station wagon loaded with three-quarter-inch tapes" as the old saying has it. But one should never overestimate its security either.
The fact is, transporting backup tapes to offsite storage represents one of the most critical vulnerabilities in storage security. Even if you practice good security at your data centers and store your tapes in a facility that can withstand a nuclear attack, the process of getting the tapes from here to there is typically fraught with vulnerabilities.
The point was driven home this spring when tapes containing the identification information of 600,000 Time Warner employees, past and present, disappeared en route from Time Warner's New York offices to a secure storage facility run by Iron Mountain, one of the leaders in business record archiving. The tapes were being transported in the back of a Ford Econoline van, which made no fewer than 19 stops around Manhattan before it arrived at Iron Mountain's facility.
Over the next couple of months, it was reported that UPS had lost the financial data of nearly four million Citigroup customers while the data was en route to a credit bureau, and Iron Mountain lost an unspecified number of customer records from City National Bank of Los Angeles.
In all of these cases, the tapes were apparently lost rather than stolen. Unfortunately, that hardly mitigates the consequences for the businesses because it's impossible to be sure the data hasn't fallen into the wrong hands. Further, these companies are now required to notify the public of such failures.
If you store backup or archival data offsite, or if you move data to business partners on tape, you need to make sure you establish and protect the chain of custody of those tapes. This involves four essential steps, both procedural and technical.
1. The technical step is straightforward: Encrypt your tapes. At the very least, any critical data should be encrypted with an appropriately strong encryption method before it leaves your premises. This implies having the appropriate procedures, such as key management, in place and tested before you begin to encrypt information.
2. Establish agreements with both the transporter and storage facility or business partner. This includes specifying in writing how the tapes are to be handled, who is to have access to them and how they are to be stored and transported. The agreement should include provisions for regular audits of the procedures to make sure they are followed.
3. Establish appropriate procedures for checking out tapes at their original location and checking them back in at their destination. At a minimum, this includes assigning responsibility to a specific person at each end to sign out and sign in the material, identifying the drivers who pick up the tapes and logging the serial numbers of the tapes as well as the identification numbers of the containers holding the tapes.
4. Use the appropriate transportation service. Whether it's you or the tape recipient who handles the arrangement, make sure the transportation is sufficiently secure. This includes bonding and background checks on the drivers and other personnel, using reasonably secure vehicles and making sure that the tapes will be carefully tracked through the entire transportation process.
Ideally, the tapes will be locked in secure containers and the keys will be held securely at the other end of the trip.
A number of express companies, such as Federal Express, can provide special high-security shipping for additional cost. In the case of Federal Express, its Custom Critical service provides a dedicated secure van with two drivers who stay with the cargo until it is delivered.
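The check-out and check-in records from step 3 only establish a chain of custody if someone compares them. The following is an added example, not part of the original article: it reconciles a sign-out record against a sign-in record and lists every discrepancy. The `Manifest` layout, the driver-consistency check and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Manifest:
    """One side of the custody record: sign-out at origin or sign-in at destination."""
    signer: str     # responsible person at this end
    driver_id: str  # identification of the driver who carried the tapes
    tapes: dict     # tape serial number -> ID of the container holding it


def reconcile(sign_out: Manifest, sign_in: Manifest) -> list:
    """Compare the two records and return a sorted list of discrepancies."""
    issues = []
    for label, m in (("sign-out", sign_out), ("sign-in", sign_in)):
        if not m.signer.strip():
            issues.append(f"{label}: no responsible person recorded")
        if not m.driver_id.strip():
            issues.append(f"{label}: driver not identified")
    # Assumption: the same driver is expected at pickup and at delivery.
    if sign_out.driver_id and sign_in.driver_id and sign_out.driver_id != sign_in.driver_id:
        issues.append(f"driver changed in transit: {sign_out.driver_id} -> {sign_in.driver_id}")
    for serial, container in sign_out.tapes.items():
        if serial not in sign_in.tapes:
            issues.append(f"tape {serial} (container {container}) never signed in")
        elif sign_in.tapes[serial] != container:
            issues.append(
                f"tape {serial} arrived in container {sign_in.tapes[serial]}, left in {container}"
            )
    for serial in sign_in.tapes.keys() - sign_out.tapes.keys():
        issues.append(f"tape {serial} signed in but never signed out")
    return sorted(issues)


# Constructed sample records (not real data).
OUT = Manifest("a.origin", "DRV-017", {"T0001": "C-10", "T0002": "C-10", "T0003": "C-11"})
IN = Manifest("b.dest", "DRV-017", {"T0001": "C-10", "T0003": "C-12", "T0009": "C-11"})

if __name__ == "__main__":
    for issue in reconcile(OUT, IN):
        print(issue)
```

An empty result means every tape that left was signed in, in the container it left in, with a named person and driver on both records.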
While the cost of the entire procedure can vary greatly, the cost of not securing tapes properly is enormous. Just ask Time Warner, Citigroup and City National Bank of Los Angeles.
About the author: Rick Cook has been writing about mass storage since the days when the term meant an 80 K floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last 20 years, he has been a freelance writer specializing in storage and other computer issues.
This was first published in August 2005