Beth Pariseau, Senior News Writer
Data security for backup and recovery has been a topic that keeps reappearing in the news since 2005, when Bank of America suffered a high-profile loss of unencrypted data backup tapes that forced it to disclose a potential data breach to customers.
In the wake of Bank of America's breach, some bank IT admins said their organizations had been turned off by the high price tag on tape encryption appliances. Other organizations at that time saw data encryption as a kind of insurance policy, which wasn't high on their priority list, or found it difficult to coordinate purchasing decisions between backup and security groups.
However, following the Bank of America incident and other breaches at high-profile companies came a wave of new regulation, mostly at the state level, though legislation like the 2005 Specter-Leahy Act also attempted to address data security and identity theft at the federal level. State laws modeled on California's 2003 SB-1386 began to spring up, requiring disclosure in the event of a breach. Other regulations like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have also gone into full effect in recent years, and mandate that individuals' medical records be kept private.
"We've seen what happens when compliance merges with information management," said Wikibon partner and principal research contributor for information security Michael Versace. "Regulations in the past few years have defined the responsibility to protect non-public information."
There are currently four major areas where data security intersects with the data backup world: tape encryption, cloud backup security, key management and data deletion/destruction. Learn all about these areas of data backup security in this tutorial.
In 2005, even banks were balking at the price tag for data encryption appliances that were then among the only options available for encrypting backup tapes. Software-based encryption was a cheaper alternative, but performance was dismal.
Since then, the LTO-4 tape format and proprietary tape products from IBM Corp. and Sun Microsystems have "begun to commoditize tape encryption," according to Versace. "People are starting to think about how to engineer it in to the tape infrastructure."
However, Storage magazine's most recent Purchasing Intentions survey shows tape encryption still isn't totally ubiquitous in the enterprise. Some 50% of respondents now say they're encrypting, and others have identified tape encryption as a priority for next year, but for many users it remains on the to-do list, deferred year in and year out. Meanwhile, high-profile data breaches continue to make news, most recently at the UK's Rural Payments Agency. There are more where that came from: the Open Security Foundation's DataLoss DB keeps daily track of data breaches among enterprises.
"Some users are worried about, 'what if I do something wrong, and encapsulate information in a way that makes us not be able to recover,'" according to Versace.
Still, "any company not on board with this at this point is a laggard," said Enterprise Strategy Group (ESG) analyst Jon Oltsik.
Data security is also a key element of this year's buzz around cloud storage. Earlier this year, Gartner cited data security concerns as one of the chief barriers to cloud storage. Generally, the conservative enterprise data storage and data backup audience is wary of trusting data to a third party.
Still, most cloud backup services, like IBM's service based on its acquisition of Arsenal Digital, encrypt data in flight as it's transmitted from the user site as well as at rest in their own data centers. It is customary for cloud backup services not to have access to their users' data in cleartext; users are responsible for managing the encryption keys necessary to restore data. It's also standard practice for cloud backup services to allow users to monitor and manage their cloud backup back-end through Web self-service portals over a secure SSL connection.
For some businesses, however, the economies of scale from aggregating data at a centralized cloud data center can actually improve on the security they're able to afford for themselves. "Look at it this way," argues Versace. "If you're a small to medium enterprise and your servers are in a hall closet -- is that environment more secure than a Level 5 data center with all the bells and whistles for data protection?"
Still, information security consultant Kevin Beaver wrote in a recent article that encryption and SSL are not the whole battle when it comes to security; there are ways for bad actors to get around those methods and potential loopholes in the way services upload data.
Oltsik points out that anyone with access to encryption keys could still pose a security risk for organizations employing encryption for cloud or internally managed backup. "There's nothing saying somebody couldn't pay a junior nighttime admin to decrypt and make a copy of data, for example."
Key management products made by storage vendors alone abound, as do products from generalist and data security-focused vendors. Encryption and key management methods have proliferated across different data center disciplines as well as both enterprise and consumer-grade products.
While there's a broad selection of approaches to choose from, experts agree that the sheer number of products and encryption methods available, and a lack of industry standards to unite them, has become one of the chief problems with key management in the market today.
Earlier this year, however, Hewlett-Packard (HP) Co., EMC Corp./RSA Security, IBM Corp. and Thales Group led a coalition of vendors that submitted a standard for interoperability between key management systems and encryption devices to the Organization for the Advancement of Structured Information Standards (OASIS). At first this standard appeared to overlap with a spec by the Institute of Electrical and Electronics Engineers (IEEE) approved in January 2008 for managing encryption on storage devices, but IEEE has since pledged to integrate its spec into the broader OASIS Key Management Interoperability Protocol (KMIP).
"I think you'll see a lot more activity around this in 2010, when we should have a ratified KMIP standard," said Oltsik.
However, some players say the problems with key management don't end at interoperability. CA Inc. launched new z/OS mainframe-based Encryption Key Manager (EKM) software in early November, saying many customers are also concerned with the reliability of open-systems based encryption key managers, since without keys to access it, encrypted data can be lost (this may come as a surprise to z/OS maker IBM, whose key management product can be deployed on open systems).
"There's still debate whether key management should be centralized or decentralized," added Versace. "The first key management systems were all distributed, with keys deployed to endpoints, but there are also centralized activities [that need to be done] like key changes, auditing and logging. I think you'll end up with a hybrid approach."
There are also several options for destroying or deleting data at the end of its lifecycle, from auditable professional services through vendors like Iron Mountain Inc. to physically destroying media with a hammer. This latter method isn't workable if a piece of media containing sensitive data is being sent out for recycling or repair, so some vendors like EMC offer the ability to perform a "wipe" of disks by writing several layers of ones and zeros over the existing data. Degaussing, which demagnetizes media, is another option that keeps the underlying material intact. Finally, encrypted data can be securely deleted -- or at least rendered inaccessible -- by simply destroying the corresponding key.
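The overwrite-style "wipe" described above, sketched as an added example that is not from the article or from any vendor it names. The function names and the zeros/ones/zeros pass order are assumptions chosen for illustration; the sample file content is constructed.

```python
import os
import tempfile

# Assumed pass order for illustration: zeros, ones, then zeros again.
PASSES = (b"\x00", b"\xff", b"\x00")
CHUNK = 64 * 1024


def overwrite_in_place(path, passes=PASSES):
    """Overwrite every byte of `path` once per pattern; return bytes per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(pattern * n)
                remaining -= n
            # Push this pass to the device before the next one starts;
            # otherwise the OS cache can collapse several passes into one.
            fh.flush()
            os.fsync(fh.fileno())
    return size


def verify_pattern(path, pattern):
    """Read the file back and confirm only the final pattern remains."""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            if chunk.count(pattern) != len(chunk):
                return False
    return True


def demo():
    # Constructed sample data standing in for a sensitive backup file.
    fd, path = tempfile.mkstemp()
    os.write(fd, b"acct=0000-constructed-sample\n" * 5000)
    os.close(fd)
    try:
        wiped = overwrite_in_place(path)
        return wiped, verify_pattern(path, PASSES[-1])
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The read-back check only proves what the file system now returns for that file. On flash media with wear levelling, copy-on-write file systems or snapshotted volumes, earlier copies of the blocks can survive an in-place overwrite, which is why key destruction or physical destruction is used for those cases.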
Still, analysts say, it's not the process of destruction that's the biggest hurdle to this aspect of data security management -- it's the larger task of organizational records management and data classification to determine what data should be deleted in the first place.
This topic, like tape encryption in 2005, also falls low on the priority list for many organizations, according to Oltsik. "Most people don't see deletion as a major headache, and I don't think anyone's doing audits of their deletion process outside of the military."