
IT Compliance Institute, June 6, 2006:

Trends and Technologies

Why Ubiquitous Backup Tape Encryption Lags

Despite high-profile data breaches, storage encryption practices won’t change overnight

By Mathew Schwartz

When it comes to backup tapes, encryption offers a simple security formula. If properly encrypted, the stored information is essentially inaccessible to any unauthorized user.

As a number of high-profile backup tape losses over the past year have illustrated, many organizations—including Bank of America, Citibank, and Marriott—have not been encrypting their backup tapes. Such embarrassment “could have been avoided if these organizations simply utilized a tape-encryption solution using a standard 128- or 256-bit encryption algorithm,” writes Jon Oltsik, a senior analyst at Enterprise Strategy Group (ESG) of Milford, Massachusetts, in his recent “Tape Loss and Data Theft: Myth and Reality” research report.

Encryption offers a way out of the data breach notification scenario since HIPAA, California SB 1386, and numerous other data-breach notification laws exempt companies from having to publicly disclose the loss of backup tapes, if the stored information was encrypted.

However, only 7 percent of organizations currently encrypt all of their backup tapes, while 60 percent never do, notes Oltsik. Even so, “there are some signs of progress.” For example, a recent ESG survey—assessing the impact of numerous data-breach disclosures on other companies’ information security practices—found 42 percent of 232 storage professionals say “these events have prompted their organizations to move forward with activities like backup process reviews or tape encryption technology evaluations.”

The Tape Management Nightmare

Beyond the threat of someone stealing a backup tape, there exists another problem: simply knowing when a backup tape goes missing. For example, meticulous inventory processes and procedures are required to account for every backup tape as it is created. The same accountability measures are needed to track the tapes as they cycle in and out of the data center, third-party backup services, and disaster recovery sites, and on through to their decommissioning.

Along the way, backup tapes might go missing for a variety of reasons. Here’s a novel one: “We had a customer call us when they received someone else’s backup tapes during a disaster recovery trial,” says Michele Borovak, marketing director for Decru, a division of Network Application based in Redwood City, CA. Is a wrong delivery a security risk, per se? “In many cases it’s not a malicious situation, necessarily. Though it does depend on what the receiver does with it.”

There is also the question of how backup tapes get decommissioned or recycled. “Let’s say you’ve made all these copies of data, and one way you can manage risk, especially with consumer data, is you delete it,” says Kevin Brown, vice president of marketing for Decru. “It turns out that when you delete data, it’s not really deleted. Because once you write something onto a disk, it’s indelible, you can’t get it off. The new forensic software the government uses can see 10, 12, 20 rewrites deep.”

One way to circumvent this problem is to only write cipher text—information already in encrypted format. “The approach is, you never write clear text to disk, ever. Then if you want to delete [information] so even you can’t get it, you delete the encryption key, and every copy of it gets deleted at the same time,” says Brown. So instead of auditing backup tapes, organizations can audit the keys to the encrypted information. “Maybe back the keys up to CD, then every month shred the CD.”
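
The key-deletion approach Brown describes, sketched as an added example (not from the article or from any vendor's product): each backup set is encrypted under its own key, copies leave the building as cipher text only, and destroying the key makes every copy unreadable, so the audit covers keys rather than tapes. `KeyVault`, the key ids, and the sample record are hypothetical, and HMAC-SHA256 in counter mode stands in for AES so the code runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a standard-library stand-in for AES, for illustration only.
    ks = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed: wrong key or altered tape")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class KeyVault:  # hypothetical key manager: tapes hold only cipher text, the vault holds the keys
    def __init__(self):
        self._keys, self.destroyed = {}, []
    def new_key(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)
    def write_tape(self, key_id, data):
        return (key_id, seal(self._keys[key_id], data))
    def read_tape(self, tape):
        key_id, blob = tape
        return unseal(self._keys[key_id], blob)  # KeyError once the key is shredded
    def can_read(self, tape):
        try:
            return self.read_tape(tape) is not None
        except KeyError:
            return False
    def shred(self, key_id):
        del self._keys[key_id]  # a real key manager also destroys every backup of the key
        self.destroyed.append(key_id)
    def audit(self):
        return {"live": sorted(self._keys), "destroyed": list(self.destroyed)}

def demo():
    vault, record = KeyVault(), b"constructed sample record: customer 0001"
    vault.new_key("2006-05")
    vault.new_key("2006-06")
    copies = [vault.write_tape("2006-05", record) for _ in range(3)]  # data center, off-site, DR
    kept = vault.write_tape("2006-06", record)
    vault.shred("2006-05")
    return sum(vault.can_read(t) for t in copies), vault.can_read(kept), vault.audit()
```

Calling `demo()` shreds the May key: none of the three May copies can be read afterwards, the June tape still can, and the audit lists one live and one destroyed key.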

The Need for Ubiquitous Encryption

If organizations don’t encrypt their storage or backup tapes, how do they secure such information? The answer is that many don’t. “In most cases, the perception would be the SAN or the storage network is ‘secure’ based on lock and key. That’s been the historical view, where we’ll protect the perimeter and no one is going to get far enough to access the data,” says Dore Rosenblum, vice president of marketing at NeoScale Systems in Milpitas, California. Of course now, with publicity over lost backup tapes, “that perception is changing.”

Even so, many organizations are waiting to encrypt all stored information until they can simply encrypt everything. As Oltsik notes, “limited encryption practices introduce an unnecessary risk.” Having either no encryption or complete encryption is easier to manage than having just some encryption, or a patchwork of encryption practices.

Furthermore, ubiquitous encryption may perform better than partial encryption, at least when organizations consider just encrypting parts of databases or directories. “It turns out that by trying to encrypt less data, you can end up with a performance penalty,” says Brown. “In many cases, it’s actually quicker to encrypt all the data,” especially, he notes, if encryption is added at a low level in the storage hierarchy.

With that approach, any application’s request for stored information gets routed through a storage appliance, which—unbeknownst to the application—decrypts needed information on the fly, then encrypts anything subsequently needing to be stored. “The idea is by implementing this at the network level, it just works,” says Brown. “Your storage array doesn’t need to know if it’s in English or Spanish, or 256-bit AES.”

Stolen Tapes: A Declining Security Risk

Thanks to notification laws, companies must secure their stored information or face the post-breach notification fallout with the public. One notable risk to backup tapes, as to all IT systems, is the malicious insider, as a number of reports from such organizations as the FBI and Secret Service continually highlight. “They’re saying one of the biggest threats is someone who gets a job at your company specifically to steal millions of lines of data,” notes Brown. “That’s become a big mind shift for companies.”

Hence, if someone does make the effort to steal backup tapes, that may signal their ability to actually recover information from the tapes—no matter the partial or incremental backups—and that of course is bad news.

Yet such thefts are rare: they require a lot of work, and attackers generally select an easier attack vector. “Today’s logical hacking exploits, often using the Internet, are far more efficient, effective, and safe—for the thief—and can be accomplished without the challenges associated with stealing physical assets like tape cartridges,” notes Oltsik. As a result, “for the most part, this means that attacks based upon tape theft are nearly obsolete.” That’s good news for consumers, since it means most data-breach notifications arise from lost tapes, making the threat of ensuing identity theft quite low.

Encryption on the IT Agenda

Even so, the enterprise imperative is clear: companies need to encrypt their backup tapes. And while most companies don’t do that today, expect things to change as encryption gets increasingly baked into the tape drives themselves, predicts Oltsik. “Users should soon have additional encryption options to choose from as specialized cryptographic processors and encryption standards are proliferating on more and more types of devices.” Recently, for example, “enterprise tape vendors like IBM, Quantum, and Spectra Logic added encryption capabilities to their tape libraries.”

Other companies, including Decru, Kasten Chase Applied Research, NeoScale Systems, and Vormetric, offer another option: storage appliances that automatically encrypt some or all data at rest, whether it’s stored on servers, in SANs, or on backup tapes.

Despite the existence of such technology, however, “ubiquitous encryption won’t happen overnight,” cautions Oltsik. “In the meantime, there will likely be many more instances of lost tapes, which may lead to embarrassing public disclosures and expensive notification efforts.”

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.