Back-ups: The weakest link in data security

Posted June 05, 2007 by Security Renegades to Data Protection |
. What's this?

There have been many examples of misplaced hard drives exposing sensitive information.  The most recent example being the Travel Security Administration losing an external hard drive which contained 100,000 employee records.  Companies continue to strive to lock down their live environment yet ignore the security implications of back-ups.  What makes this data less sensitive when it exists on a back-up tape than when it existed on a live server?


The attack surface of course changes.  You can’t use an SQL injection attack over a web connection against a back-up tape sitting on a shelf.  However it is a lot easier to walk out the door with a back-up tape under your coat than to try and carry out a live server.  The fact of the matter remains; regardless of attack surface the data classification does not change.  The business impact of that data being exposed is no less significant.  So what should be done?


Security for data back-ups is not a cut and dry issue.  The answer of “encrypt the data” is too simple to be helpful.  How often are back-ups taken?  What media are they stored on and in what format?  Where is this media kept?  How long do we keep back-ups?  How is media handled when the data has reached the end of its life cycle?  These are all questions to be considered.


The type of back-up makes a huge difference in how it is handled.  Consider a “hot” back-up of a system which is a duplicate of a live system which can be made live should the main system experience issues.  Obviously encrypting this drive makes it less viable as a “hot” back-up.  However, encryption may be the answer for a back-up tape which simply holds copies of old records for a data preservation or disaster recovery use.  This raises other questions though.  Where are those tapes stored?  How do they get from the back-up machine to that storage facility?  Encryption is not fool proof.  While it will provide some protection if the tape is lost or stolen, it is obviously better to avoid such events all together by securely transporting and storing these drives and tapes.


While each type of back-up is a very different animal and should be treated in different ways, in the end one tenet holds true of all back-ups regardless of shape or size: A copy of data is no less sensitive than the original data.


- John

Print
What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
WHITE PAPER
Reduce Email Archives up to 60%

Clearwell Are you considering implementing a proactive archiving and eDiscovery solutions? This paper summarizes 15 separate soft cost savings when implementing Symantec Enterprise Vault and the Clearwell eDiscovery Platform.

» Learn More

WHITE PAPER
Aberdeen Report: To Patch, or Not to Patch? (Not If, But How)

Secunia The report explores the correlation between the current use of patch management and the level of endpoint-related risk that companies are effectively accepting.

» Learn More

Browse CSO Blogs

See all CSO Blogs »

Recent Comments

RESOURCE CENTER