Back-ups: The weakest link in data security
by Security Renegades, More posts from Security Renegades
Tue, 2007-06-05 16:15
Topic(s): | |

There have been many examples of misplaced hard drives exposing sensitive information.  The most recent example being the Travel Security Administration losing an external hard drive which contained 100,000 employee records.  Companies continue to strive to lock down their live environment yet ignore the security implications of back-ups.  What makes this data less sensitive when it exists on a back-up tape than when it existed on a live server?

The attack surface of course changes.  You can’t use an SQL injection attack over a web connection against a back-up tape sitting on a shelf.  However it is a lot easier to walk out the door with a back-up tape under your coat than to try and carry out a live server.  The fact of the matter remains; regardless of attack surface the data classification does not change.  The business impact of that data being exposed is no less significant.  So what should be done?

Security for data back-ups is not a cut and dry issue.  The answer of “encrypt the data” is too simple to be helpful.  How often are back-ups taken?  What media are they stored on and in what format?  Where is this media kept?  How long do we keep back-ups?  How is media handled when the data has reached the end of its life cycle?  These are all questions to be considered.

The type of back-up makes a huge difference in how it is handled.  Consider a “hot” back-up of a system which is a duplicate of a live system which can be made live should the main system experience issues.  Obviously encrypting this drive makes it less viable as a “hot” back-up.  However, encryption may be the answer for a back-up tape which simply holds copies of old records for a data preservation or disaster recovery use.  This raises other questions though.  Where are those tapes stored?  How do they get from the back-up machine to that storage facility?  Encryption is not fool proof.  While it will provide some protection if the tape is lost or stolen, it is obviously better to avoid such events all together by securely transporting and storing these drives and tapes.

While each type of back-up is a very different animal and should be treated in different ways, in the end one tenet holds true of all back-ups regardless of shape or size: A copy of data is no less sensitive than the original data.

- John

» read more from Security Renegades | post a comment
Ads by TechWords
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
* Denotes a required field
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Maximizing Site Visitor Trust Using Extended Validation SSL

VeriSignNow with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.

» Read the Paper

Sponsored Links

Manage your IT more effectively

Efficient - Flexible - Compliant

Secure your virtual and physical environments with the same software

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

Envision Identity-Based Access Control for the Datacenter

Digital Identity Protection and Data Security Get Personal

Welcome to the age of Service-Oriented Security (SOS)

When Customer Relationship is Everything, Businesses Bank on SSL Solutions

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

The Case for Business Software Assurance ~ Securing Your Applications

Maximizing Site Visitor Trust Using Extended Validation SSL

Solving Online Credit Fraud Using Device Reputation

Understanding Data Location is Imperative for Data Loss Prevention

5 Steps to Secure Outsourced Application Development

CA's IT Security centralizes your identity management to turn security into a proactive, business-building tool

Simplify your data center with Juniper Networks. View the webcast

Any company can promise identity protection. Only Debix can prove it

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

How Are Open Source Development Communities Embracing Security Best Practices?

IDC Defines an Identity and Access Management Submarket

Using Likewise to Comply with PCI Data Security Standard

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Enabling Compliance with Converged Mainframe Security and Storage

Managing SSL Security in Multi-Server Environments

The Latest Advancements in SSL Technology

How to Offer the Strongest SSL Encryption

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Get in Compliance With Government Data Regulations

Taking the Botnet Threat Seriously