How many stories about lost backup media will it take before we all finally get serious about storage security? Like clockwork, you can count on a new story appearing every couple of weeks.
In the past month, we’ve learned of yet another bank sending unencrypted tapes with sensitive data via UPS as well as a health care company using an employee’s garage for off-site media storage. In the latter case, the employee’s car, which contained backup disks and tapes, was stolen. Interestingly, the tapes actually were encrypted; unfortunately, the disks were not. Too bad the car didn’t have LoJack!
Whenever this happens, companies suffer considerable public embarrassment and bear substantial costs in contacting potential victims. While surveys have shown rising interest in data encryption, it still ranks relatively low on IT project lists.
It seems that many companies either remain unaware of the risk (which is hard to believe) or have somehow come to the collective conclusion that the risk and its potential consequences are simply not worth the cost of prevention. Is this true?
While there is no evidence yet that data has been misused, that is little reassurance. What about the cost and effort?
A few years ago, the options for protecting off-site data were costly and few. However, technologies and services now exist that can provide more affordable levels of protection. In-line appliances can encrypt backup data prior to being written to tape with little effect on performance. Several tape drive and library manufacturers have introduced data encryption into their products. Other companies offer remote backup services that store data in an encrypted manner and never require handling of removable media.
To be fair, the maturity of these offerings varies significantly, so one must carefully evaluate and compare the various options. One area requiring particularly scrutiny is encryption key management. For stored data, well-defined key management policies and procedures are critical, and a product that can assist in this complex task is essential.
As more companies adopt encryption policies, the option for others to continue doing nothing becomes less viable. The good news is that this is a problem that has a solution. Now if I could get The Boston Globe to stop recycling reports containing my credit card number to wrap its newspapers?
Jim Damoulakis is chief technology officer of GlassHouse Technologies Inc., a leading provider of independent storage services. He can be reached at jimd@glasshouse.com.
