Back-ups: The weakest link in data security
by Security Renegades, More posts from Security Renegades
Tue, 2007-06-05 16:15
Topic(s): | |

There have been many examples of misplaced hard drives exposing sensitive information.  The most recent example being the Travel Security Administration losing an external hard drive which contained 100,000 employee records.  Companies continue to strive to lock down their live environment yet ignore the security implications of back-ups.  What makes this data less sensitive when it exists on a back-up tape than when it existed on a live server?

The attack surface of course changes.  You can’t use an SQL injection attack over a web connection against a back-up tape sitting on a shelf.  However it is a lot easier to walk out the door with a back-up tape under your coat than to try and carry out a live server.  The fact of the matter remains; regardless of attack surface the data classification does not change.  The business impact of that data being exposed is no less significant.  So what should be done?

Security for data back-ups is not a cut and dry issue.  The answer of “encrypt the data” is too simple to be helpful.  How often are back-ups taken?  What media are they stored on and in what format?  Where is this media kept?  How long do we keep back-ups?  How is media handled when the data has reached the end of its life cycle?  These are all questions to be considered.

The type of back-up makes a huge difference in how it is handled.  Consider a “hot” back-up of a system which is a duplicate of a live system which can be made live should the main system experience issues.  Obviously encrypting this drive makes it less viable as a “hot” back-up.  However, encryption may be the answer for a back-up tape which simply holds copies of old records for a data preservation or disaster recovery use.  This raises other questions though.  Where are those tapes stored?  How do they get from the back-up machine to that storage facility?  Encryption is not fool proof.  While it will provide some protection if the tape is lost or stolen, it is obviously better to avoid such events all together by securely transporting and storing these drives and tapes.

While each type of back-up is a very different animal and should be treated in different ways, in the end one tenet holds true of all back-ups regardless of shape or size: A copy of data is no less sensitive than the original data.

- John

» read more from Security Renegades | post a comment
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
* Denotes a required field