Data, data, everywhere – Securing back-up

By | November 5, 2006

Every day, organizations give backup copies of their data to a van driver. Media is often left in reception for collection by anyone who asks. Systems and their data are backed up so that they can be restored. Standard hardware and software can be used to reproduce corporate data and systems anywhere. Weekend or month-end backups normally contain a full copy of all systems and data, but they regularly leave the security of the data centre with little concern for their safekeeping.

Backup copies are often sent by postal or parcel service to update head office or central archives for regulatory compliance. Despite increasingly real threats of terrorism and organized crime, everyday incidents like road accidents are still the most common cause of lost backup media.

The potential disclosure of sensitive personal or corporate data is not just embarrassing. It can damage public confidence, tarnish brands and result in lawsuits for damages. It can breach privacy laws and the very regulations that require record keeping as evidence of compliance. Punitive fines often follow.

Years of painful disclosure incidents, losses and fines have caused leading organizations to rethink their backup security with varying degrees of success. Security is not a technology problem that can be fixed by more technology.

Standards like BS-7799/ISO-17799 promote prevention, detection and threat response by placing considerable weight on policy, awareness, process, auditing and risk management. There is simply no substitute for well-informed, intelligent risk management. As network and host security matures, attackers look for easier avenues like storage and backup infrastructures.

Fraudulent, even terrorist, abuse of data backup is a very real and present danger. Some organizations believe they are safe because sensitive fields like account or credit card numbers are coded or encrypted.

It is easy for a criminal or terrorist organization to generate transactions with their target organization. This provides them with known values, making it simply a matter of time to break the encoding. While there is no doubt that encryption is a valuable tool, the way in which it is applied is critical.

A simple principle is that all client-server communication should be authenticated over a secure private connection. Enterprise backup applications can encrypt data on the client and transfer it safely over general networks without fear of interception.

The problem with this approach is that processing overhead can impact client performance. The financial overhead of additional licensing costs can also be considerable. It can be more cost-effective to transfer backup streams over a secure physical or virtual private network to protect against interception or abuse. Either a remote backup server or a remote backup library can be used.

The second simple principle is that all data 'at rest' should be encrypted before any medium leaves the secure perimeter of the data centre. A VPN secures backup traffic but not backup media.

The simplest solution is to deploy an inline encryption appliance between the backup server and the backup device. This adds security to the remote library approach. There is no processing overhead on the server, but data is still rendered incomprehensible.

Vendors like Decru and Neoscale also have sophisticated key management solutions to make restores as simple and straightforward as they need to be in a disaster recovery situation. Without these keys, backups remain unintelligible and even the location of known data cannot be pinpointed.
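The two points above (known transaction values can be used to break a field-level "coding" scheme, and properly encrypted media give away not even the location of known data) can be checked rather than taken on trust. The following is an added example, not code from the article or from any of the vendors it names: it models a deterministic per-field coding scheme as AES in ECB mode, sets it beside AES-GCM with a fresh random nonce per record, and runs the check a defender would run on any candidate scheme before media leaves the data centre: does encoding the same record twice produce the same bytes? The key, record and padding helper are all constructed for the example; in practice the key would come from the key-management system and never be written to the medium.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encoder turns one backup record into the bytes that land on the medium.
type Encoder func(key, record []byte) ([]byte, error)

// pkcs7Pad pads data to a whole number of AES blocks (helper for the ECB model).
func pkcs7Pad(data []byte, size int) []byte {
	n := size - len(data)%size
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecbEncode models a deterministic per-field "coding" scheme: the same
// plaintext under the same key always produces the same bytes on the medium.
func ecbEncode(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(record, aes.BlockSize)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

// gcmSeal encrypts a record with AES-GCM under a fresh random nonce and
// prepends the nonce. Repeated plaintexts give unrelated ciphertexts, and
// any alteration of the medium is detected on restore.
func gcmSeal(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, record, nil), nil
}

// gcmOpen is the restore side: it needs the key from the key-management
// system; nothing stored on the medium itself is enough to read it.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// leaksEquality is the defender's check: encode the same record twice.
// If the outputs match, anyone holding a record whose content they already
// know can find every copy of it on the medium without ever seeing the key.
func leaksEquality(enc Encoder, key, record []byte) (bool, error) {
	a, err := enc(key, record)
	if err != nil {
		return false, err
	}
	b, err := enc(key, record)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b), nil
}

func main() {
	// Constructed sample key and record; a real key would come from the KMS.
	key := bytes.Repeat([]byte{0x42}, 32)
	record := []byte("ACCT-4111-2222-3333|balance=1200")

	for name, enc := range map[string]Encoder{"ECB-style coding": ecbEncode, "AES-GCM": gcmSeal} {
		leaks, _ := leaksEquality(enc, key, record)
		fmt.Printf("%-16s repeatable output: %v\n", name, leaks)
	}

	sealed, _ := gcmSeal(key, record)
	sealed[len(sealed)-1] ^= 0x01 // simulate a corrupted or altered medium
	if _, err := gcmOpen(key, sealed); err != nil {
		fmt.Println("restore refused tampered data:", err)
	}
}
```

The ECB model reports repeatable output, which is exactly the property that turns a set of known transaction values into a map of the medium; the AES-GCM version does not, and it also refuses to restore a record that has been altered, so a damaged or tampered tape fails loudly rather than silently restoring wrong data.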

A third simple rule is that all data 'in-flight' beyond the secure perimeter of the data centre should be encrypted. Organizations with multiple sites can back up directly from one secure data-centre to another. Each data-centre can then act as a recovery site for the other. In this way backup media may never leave corporate premises.

The stream of backup data between sites remains exposed. Even when cabling is privately owned the data remains vulnerable to interception. Wave-division technology does not encrypt data and optical signal processing can provide opportunities for interception.

The vast majority of security breaches occur from within and can be far more destructive than disclosure. Backup infrastructures read from and write to computer systems in order to back up and restore data.

While it’s unfair to describe backup software as a trojan or backdoor on every system, the comparison remains uncomfortable. Backup administrators often exercise extensive access rights over the largest number of applications and their data. Dividing responsibilities into separate backup domains contains the risks of potential abuse at the expense of higher staff costs.

Storing audit trails can act as a deterrent and help meet compliance requirements. This only becomes effective through the regular and meaningful analysis of logs against service records to identify potential abuse. This requires an intimate understanding of the IS and business process environment, not just backup.

Such analysis is difficult to automate, and it can often prove more complex and expensive than operating the backup and restore infrastructure itself.
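The comparison of backup audit trails against service records described above can at least be partly automated. The following is an added example, not code from the article or from any backup product: it parses a constructed restore audit trail (time, administrator, source client, target host) and a constructed list of service records (tickets naming a client and the window in which they were open), then flags every restore that no ticket covers, and every restore whose data went to a host other than the one it came from. The line format, the ticket fields and all sample values are assumptions for the example; a real backup application's log layout will differ.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// RestoreEvent is one parsed line of the backup application's audit trail.
type RestoreEvent struct {
	When   time.Time
	Admin  string
	Source string // client whose data was read from backup
	Target string // host the data was written to
}

// ServiceRecord is a change or incident ticket that authorises restores
// for one client while it is open.
type ServiceRecord struct {
	ID             string
	Client         string
	Opened, Closed time.Time
}

// Finding is one restore event with every reason it failed reconciliation.
type Finding struct {
	Event   RestoreEvent
	Reasons []string
}

// Constructed audit trail, pipe-separated: time|admin|source|target.
const auditTrail = `2006-11-03T02:15:00Z|bkadmin1|hr-db01|hr-db01
2006-11-03T09:40:00Z|bkadmin2|finance-01|finance-01
2006-11-04T23:05:00Z|bkadmin2|finance-01|bkadmin2-laptop
2006-11-05T10:00:00Z|bkadmin1|crm-02|crm-02`

func mustTime(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// sampleTickets returns the constructed service records for the example.
func sampleTickets() []ServiceRecord {
	return []ServiceRecord{
		{"INC-1001", "hr-db01", mustTime("2006-11-02T18:00:00Z"), mustTime("2006-11-03T06:00:00Z")},
		{"CHG-2002", "finance-01", mustTime("2006-11-03T08:00:00Z"), mustTime("2006-11-03T12:00:00Z")},
	}
}

// parseAudit turns the raw audit trail into events, rejecting malformed lines
// rather than silently skipping them (a gap in the trail is itself a finding).
func parseAudit(raw string) ([]RestoreEvent, error) {
	var events []RestoreEvent
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), "|")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, RestoreEvent{when, f[1], f[2], f[3]})
	}
	return events, nil
}

// covered reports whether some ticket for the restored client was open
// at the moment of the restore.
func covered(ev RestoreEvent, tickets []ServiceRecord) bool {
	for _, t := range tickets {
		if t.Client == ev.Source && !ev.When.Before(t.Opened) && !ev.When.After(t.Closed) {
			return true
		}
	}
	return false
}

// reconcile returns one Finding per restore that lacks an open service record
// or that was redirected to a host other than the source client.
func reconcile(events []RestoreEvent, tickets []ServiceRecord) []Finding {
	var out []Finding
	for _, ev := range events {
		var reasons []string
		if !covered(ev, tickets) {
			reasons = append(reasons, "no service record open for "+ev.Source+" at "+ev.When.Format(time.RFC3339))
		}
		if ev.Target != ev.Source {
			reasons = append(reasons, "restore redirected from "+ev.Source+" to "+ev.Target)
		}
		if len(reasons) > 0 {
			out = append(out, Finding{ev, reasons})
		}
	}
	return out
}

func main() {
	events, err := parseAudit(auditTrail)
	if err != nil {
		panic(err)
	}
	for _, f := range reconcile(events, sampleTickets()) {
		fmt.Printf("%s by %s: %s\n", f.Event.When.Format(time.RFC3339), f.Event.Admin, strings.Join(f.Reasons, "; "))
	}
}
```

The redirected-restore rule is the one worth keeping even if everything else is tuned down: a restore that writes one client's data onto a different host is the backup-infrastructure equivalent of a copy leaving the building, and it is invisible to anyone who only checks that restores were requested.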

Role-based access controls are also becoming increasingly sophisticated within backup applications. Determining how to apply them becomes a significant challenge that begs difficult process and organizational questions.

Trust is a conundrum to which there may not be easy logical answers. Organizations may even start to question the way data is protected and whether recovery objectives can be better met in other ways. Technology can only shift the problem and often complicates matters further.

Organizations with effective service level management find it easier to address security challenges, but there are still inconsistencies. Security is often seen as a function of service availability under ITIL, whereas it has a role to play in all disciplines. Security is at the very least a service level objective, an essential business requirement and even a pre-condition for operation.

Maybe the most effective solution to backup security is not a storage product. As always, the thorniest question is who will pay for it.

Large departmentalized organizations often suffer from considerable duplication of both effort and investment in security that divides and compromises effectiveness. Backup teams often see security as yet another audit making unreasonable demands on limited resources and budgets.

They may even scrape their way through a self-assessment simply because they understand more about backup than any auditor. If security has become another specialization, security teams tend to have a background in networking or application development, often without any practical understanding of storage and backup infrastructures.

In theory at least, data is best encrypted within the host. It can then be backed up in its encrypted form and all the security issues described above simply evaporate.

Hardware-based application security may seem a step too far for many commercial organizations, but products from companies like nCipher are already well established within security conscious organizations.

As a matter of necessity, all organizations are becoming more security-conscious. Those who systematically encrypt data may even spend less on more effective security than that delivered by a fragmented case-by-case approach.

It is not just the technology but what an organization does with it that matters. Even when security products tick all the right security boxes, deploying them intelligently and effectively remains a significant challenge. For example, the deployment of application backup agents can still compromise the effectiveness of nCipher for backup security.

We must all act more intelligently to ensure that storage does not become the new security back door.
