You’ve just rolled out an enterprise-wide security program that protects your network against external attacks from the gateway all the way down to the desktop. So you stand back to admire your work and give yourself a pat on the back.
Then you get a call from your courier saying he lost the package of backup tapes you just sent out to an off-site storage location. Panic strikes as you realize those tapes contain millions of sensitive customer data files that were unencrypted.
It’s a scenario that became a reality for several high-profile companies last year as reports of lost or stolen data clogged the newswires, causing the industry to shift the focus from network security to backup data protection.
These incidents also caught the attention of government legislators, particularly in the U.S., leading to the introduction and enactment of laws mandating enterprise accountability in ensuring that customer information remains highly protected.
But the industry may be facing a long battle, as statistics indicate a large majority of organizations are not securing their backup data.
A 2005 North American survey conducted by the Enterprise Strategy Group found that while organizations were investing heavily in perimeter security, protecting backup data was amongst the lowest priorities. The survey showed 30 per cent of companies did not consider storage infrastructure part of their security policies and procedures.
Only seven per cent of respondents said they always encrypt data on tape backups. Sixty per cent said they never perform backup data encryption.
One of the rare companies that considers backup data encryption part of its security ecosystem is digital security service provider Soltrus Inc. in Toronto. The company has been encrypting all its backup data since 1987, according to enterprise product manager Marcus Shields.
“People think that encrypting [backup data] is a new thing. It’s absolutely not, this technology has been around for a very long time,” said Shields, stressing his company always had a backup security system in place, including encryption and off-site storage facilities.
Perhaps the biggest deterrent for enterprise adoption of backup security is the lack of a standards-based system for implementing backup data encryption, said Shields, adding proprietary storage security products, such as those offered by Decru and Kasten Chase Applied Research, currently dominate the market.
A standards-based system would ensure that a company could recover the encryption key several years from now. Even if the current service provider goes under years later, there’s a big chance another service provider will be able to recover the data on a backup device encrypted with a standards-based system, said Shields.
Standards body IEEE earlier announced that it is developing standards for backup tape and disk encryption. The IEEE’s Security in Storage Working Group is fine-tuning the proposed standards, expected to be completed in the coming months, according to the standards body.
Shields believed initiatives in the U.S. legislature were a driver for the increasing clamour for backup data protection and the move towards a standards-based tape and data backup encryption system. “Once the legislative requirements are worked out, I think you’ll find the standards following very rapidly after that.”
One Canadian analyst, however, doubts an IEEE-led standards initiative for data backup would get much traction in the industry.
“I would think that a standards-based approach would gain more momentum if something like SNIA (Storage Network Industry Association) would adopt it (because) SNIA involves pretty much all the heavyweights in the industry — both on the hardware and software side — and some major switch players,” said Vasu Daggupaty, analyst at Toronto-based IDC Corp.
And encryption is not the only solution for backup security, said Daggupaty.
Establishing security policies and best practices should be the focus of every enterprise implementing a security program.
“Encryption is (just) one tool within a total security environment,” said Daggupaty.
Companies should reassess security plans and policies, and perform security analysis and audits before acquiring any encryption technology, advised London, Ont.-based research firm, Info-Tech, in a research note released recently.
The research firm also warned companies to “resist the urge” to encrypt all data being archived, and instead to undertake an audit and focus on data that contains sensitive information.