News

Unencrypted Backups Can Be Worse than Worthless

• By John K. Waters
• June 1, 2005

When Iron Mountain lost 40 backup tapes containing personal information about 600,000 current and former employees of Time Warner earlier this year, it grabbed headlines, but it wasn't such big news. The Time Warner incident came just weeks after Bank of America reported losing backup tapes containing financial information about more than 1.2 million federal employees, including 60 U.S. senators. And a month before that, Ameritrade acknowledged losing backup tapes containing information about 200,000 clients.

Forget for a moment that people are still using tapes for backup, what is most striking is that the data was not encrypted.

According to a study by the Enterprise Strategy Group, a leading researcher in the storage industry, only seven percent of companies encrypt their backup tapes.

Iron Mountain, one of the first companies to introduce off-site data protection and electronic vaulting services, has owned up to losing four sets of customer backup tapes this year—which is a small percentage of the five million or so trips the company makes annually. Iron Mountain recommends that its customers evaluate encryption for backup tapes taken off site.

Incidents of reported loss have thrown a disturbing spotlight on enterprise encryption practices, and drummed up business for such companies as Decru, NeoScale Systems, Vormetric, nCipher and Application Security—which sell encryption products.

"We hear a lot more than the public hears about security breaches," says Kevin Brown, VP of marketing at Decru, "and I can tell you that these breaches are not the most spectacular, they’ve just been in the news."

Data stored on portable media presents a special security problem, says Brown, because these media are portable. Backup tapes are often transported off site for disaster recovery, but they can be lost or stolen.

Adding to the obvious environmental risks associated with these media are factors such as professional ID thieves, the availability of higher-capacity tapes and disks, and the growing tendency among enterprise to save just about everything.

"More and more data is being captured today," says Brown, "and because of retention requirements—many of them regulatory—people have to keep all of the data forever. And for high availability, they make half a dozen copies of it: a primary copy, a DR copy, a local mirror copy and four copies for outsourcing partners. And then they scroll it off onto a tape and hand it to a guy who makes six bucks an hour."

Decru develops appliance-based storage security solutions for enterprises and government. The Decru DataFort appliances are designed to protect the core of the storage network with a layer of strong encryption, authentication, access controls and compartmentalization. The appliances secure data across all operating systems, major database systems and storage environments, including NAS, DAS, SAN, iSCSI and tape.

Brown, a member of the founding team of infrastructure software firm Inktomi before joining Decru, says that the process of encryption can involve changes in the way data is stored, accessed and backed up. Large-scale encryption can be a real challenge, because it changes how applications interact with one another. And then there's the issue of managing and administering encryption keys.

Decru's pitch is that it offers a "turnkey appliance" that bypasses these issues. As Jon Oltsik, senior analyst with Enterprise Strategy Group, explains it, "In today's environment, every enterprise handling sensitive customer or corporate data needs to develop and execute a storage security plan. Encryption of backup tapes is an obvious first step. By simplifying and accelerating encryption with a turnkey appliance…Decru has delivered one of the first attractive solutions to this problem."

"Encryption has been around for four thousand years, and there are lots of companies that do some flavor of encryption," says Brown. "The awarness is there now, and there's just no excuse for not having an encryption policy in place."