Managing the enterprise information network

Feature

posted 30 Mar 2006 in Volume 2 Issue 9

Lost in transit

By Jessica Twentyman

In February 2006, Bridgeport, Connecticut-based People’s Bank was forced to make a hugely embarrassing admission.

A computer back-up tape containing the personal details of around 90,000 of its customers, it announced, had been “lost in transit”. The bank’s parcel service provider, UPS, could only say that it had no evidence that the package had been stolen – leaving its whereabouts very much a subject for speculation. Worse still, the tape had not been encrypted – leaving the data it contained highly vulnerable to anyone with the IT skills and inclination to perpetrate a massive identity fraud scam.

People’s Bank is not alone in having had to contact customers to inform them of that kind of data loss and to apologise profusely to them. Indeed, the story follows hard on the heels of numerous other serious losses of back-up tapes among high-profile US companies.

In 2005, backup tapes belonging to Time Warner, Bank of America, Citigroup, Marriott and the Ford Motor Company all went astray – and that is just the ones that are publicly known about. The fact that the companies involved admitted the losses openly, say analysts, strongly suggests that, in these cases too, no measures had been taken to ensure that the data they held was encrypted.

Incidents such as these have catapulted encryption into the corporate spotlight. The physical movement of back-up data to offsite locations – by post and by lorry, for example – may be done with the best interests of security and recovery in mind, but it also leaves that data inherently vulnerable if it is lost or intercepted en route.

“Companies continue – against all advice – to send out back-up tapes containing incredibly sensitive data in trucks with no security where they are open to theft and loss,” says Michelle Borovac, senior manager of marketing at encryption specialist Decru (now owned by storage systems vendor Network Appliance).

Often, these back-up tapes are being transported to a specialist storage service provider – and it is worth noting that one of the largest of these, Iron Mountain (itself a self-confessed party to an embarrassing loss of customer tapes), recently issued the following guidance to its corporate customers:

“Iron Mountain [recommends] that companies encrypt backup tapes containing personal information. It is important to understand that unencrypted information stored on backup tapes is difficult to read, but it is not impossible. Companies need to re-assess their backup strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy.”

Few companies have heeded that call in the past, says John Oltsik, an analyst at IT market research company, the Enterprise Strategy Group. His organisation recently polled almost 400 companies and found that, despite a renewed focus on securing customer data, more than 60 per cent of the companies surveyed do not encrypt any of their backup data, while only seven per cent do encrypt all their backup data.

Many such companies, says Carl Douglas, a storage specialist at systems integrator Morse, continue to argue that encryption technology is either too expensive, too complex, or simply adds too much latency into the storage process to be suitable for their businesses. “There may be obvious security benefits from encrypting back-up data, but there are also a number of operational issues that organisations need to consider before going down this route. For example, most companies are already battling with the problem of back-up windows extending into hours as the amount of data being backed-up increases day by day,” he says.

But that situation is changing quickly, insists Rich Mogull, a Gartner Group analyst. “Thanks to a combination of large exposures, new regulations and industry initiatives, many enterprises are turning to encryption to protect their data at rest, and Gartner believes that 85 per cent of large enterprises will initiate encryption projects by the second quarter of 2006 in response to these regulations and industry initiatives,” he says.

The standards they will use to achieve encryption will vary. Data can be encrypted according to several standards, where the difficulty of breaking the encryption largely lies in the key length (provided that the encryption algorithm used is not flawed). An 8-bit key allows only 2^8 (256) permutations, so material encoded with such a key can be cracked relatively quickly with modern computers. Today, most encryption systems use the 128-bit Advanced Encryption Standard (AES), which has 2^128 (340 ‘undecillion’ – or 340 followed by 36 zeroes) possible permutations. Vendors are also beginning to offer 256-bit AES encryption.

Nevertheless, significant barriers remain, says Mogull of Gartner. “Although encryption tools have advanced significantly in the past few years, particularly with dedicated network appliances, encryption is still a difficult and costly proposition,” he says. Carl Douglas of Morse agrees. “We’re not saying that organisations should not look at encryption. It’s just that they need to consider it in relation to their wider data storage and back-up strategies. If encrypting back-up data is critical, organisations should seek specialist storage advice to ensure that the measures they put in place to improve the security of backed-up data do not create a raft of other problems.”

Indeed, Gartner Group’s Mogull recommends encryption only in certain cases – but certainly in all cases where back-up tapes are going to be physically moved from one location to another. “Tapes are highly portable and contain large volumes of data. Today, even just misplacing a tape may require a loss disclosure that could be highly embarrassing, even though the risk of someone acquiring and reading the data is low,” he says.  

Achieving encryption

How then should encryption be achieved? According to analysts, there are several different approaches to encryption, each with its own inherent strengths and weaknesses:  

  • At the host

This means within the computer itself, with data encrypted at application level. “The benefit of this is that the data is definitely encrypted and secure, but the downside is that the data remains encrypted always and thus can’t be compressed for storage or for sending across the network, for example,” says Martin Warren, tape business manager for the UK and Ireland at storage vendor StorageTek.

  • Using back-up software

Most suppliers of tape back-up software have built encryption capabilities into their products. The advantage here is that companies that have deployed back-up management suites from suppliers such as Veritas or IBM Tivoli have probably paid for encryption capabilities already.

However, there are several weaknesses associated with this kind of encryption, not least that it can place an unwelcome overhead on ‘touchy’ servers, says Galen Schreck of analyst group Forrester Research. “Although encryption doesn’t place additional load on the backup server, it can impose some additional overhead on the backup client while it’s backing up,” he says.

And since encrypted data does not compress well, any data compression will have to be done on the client, adding to the CPU overhead. “Encryption will increase data volume by only 5%-7%, but deactivating the now-superfluous hardware compression functions, such as those found on LTO-3 tape drives, will double their data throughput to nearly 500 Gigabytes (GB) an hour,” he adds.

  • On the network

In these situations, a ‘black box’ somewhere in the network encrypts the data en route and directs it to a storage device. “This is a very straightforward approach to encryption, the only negative being that the box could potentially be bypassed making the data insecure,” says Warren.

One company that manufactures these ‘black boxes’ (and partners with major storage technology suppliers such as StorageTek, IBM and EMC to distribute them) is Decru (part of Network Appliance). The company’s ‘security appliances’ sit in front of tape or disk storage systems and encrypt the data at speed before it reaches the storage medium.

According to Decru’s Michelle Borovac, the company’s security appliances can encrypt at speeds of around 10GB per second. “We sit in the data path and if we are encrypting something someone needs access to quickly, we only make them wait a microsecond, encrypt it, then send it straight back to them,” she explains.

Decru has many large banking and financial services customers using its appliance, but is starting to see interest from a far broader cross-section of industries, says Borovac.

  • Within the storage device

This approach involves encrypting the data at the point of storage. This is the approach that StorageTek favours out of the three, explains Warren, because it enables storage administrators to make decisions about whether encryption is necessary for the particular piece of data in question and also to apply rules to it (such as when it should be deleted or how long it needs to be retained). Likewise, IBM is working to make encryption a standard feature of its next-generation tape drives, says Peter Macnamara of IBM UK’s tape business. “We’ve been working on embedded encryption for some time because we see that real market demand for encryption as a feature is rapidly gaining momentum,” he says.

There can be no doubt that as organisations look to drive out costs and ensure compliance, encrypted storage will grow in importance. Ultimately, corporate use of encryption may become standard. Already, the Payment Card Industry (PCI) Data Security Standard for private industry states that merchants should “encrypt transmission of cardholder and sensitive information across public networks”. Other industries will no doubt follow suit and the shameful excuse – lost in transit – will no longer be tolerated.

 

Backup encryption: Beyond simply scrambling the bits

As encryption moves from a niche security technology to an everyday part of the storage infrastructure, many organisations will naturally assume that their information is adequately protected. Not so, says John Oltsik, an analyst with IT market research company, the Enterprise Strategy Group. In fact, he says, “encryption should be looked at as a single layer in a defence-in-depth security implementation.”

To truly protect the confidentiality, integrity and availability of confidential information in an operationally efficient manner, back-up encryption should:

  • Integrate seamlessly into the back-up process and associated devices

Back-up processes tend to be well-defined and carried out under tight time limitations, so back-up encryption will not be welcomed if it demands process, equipment or scheduling changes. “To improve off-site rotation and data recovery efficiencies, encryption operations should be invisible to the back-up software itself but well-integrated with tape management utilities,” advises Oltsik. For example, he says, tape encryption should be able to support tape duplication and media reclamation without sacrificing security.

  • Require a modest amount of training – not the skills of an IT security professional

“There is no need to make storage administrators into security specialists or cryptographers. If tape encryption tools feature simple GUIs [graphical user interfaces] that resemble familiar storage and device management tools, storage managers can quickly assimilate tape encryption into their routines,” says Oltsik.

  • Support the security concept of ‘separation of duties’

Many IT departments will want to separate back-up processes from security. That demands administration tools that support the concept of ‘role-based access control’, so storage and security administrators can attend to their individual duties with restricted access based upon roles and policies. Encryption tools must also protect encryption keys by limiting the number of individuals with access. Security best practices should also include separation of duties as a failsafe mechanism demanding that at least two individuals authenticate themselves to the key management system before being granted access.

  • Include robust key management tools

“Key management is perhaps the most important but often overlooked component of strong encryption,” says Oltsik. Key management includes functions such as: key generation; rotation; storage; and back-up. “In terms of back-up encryption, it is also important to remember that the data may sit in storage facilities for years. These complex requirements demand a key management system that can maintain an association between keys and media over time,” he says.

  • Offer flexible options for data restoration and disaster recovery

Since encryption algorithms and tape technology change over time, encryption products must provide ways to restore data regardless of the different generations of libraries involved.

This again points back to key management and the integration of keys into the libraries. As long as the keys can be accessed, the libraries should be able to accommodate restores. As a last line of defence, decryption of tapes must also be provided through secure utilities.

  • Encompass the backup media

“As an additional security layer, encryption processes should also include the media itself. Best practices include barcode serialization to prevent duplication, and some media-based metadata that can help guide IT managers to the right date ranges and encryption keys if barcodes are lost or altered,” advises Oltsik. “These media-based features help keep data secure while easing the efforts to match media and keys for data restoration,” he says.

  • Contain compression along with encryption

One potential downside of encryption is that scrambling the bits can increase file sizes and thus consume more media. To alleviate this problem, tape encryption technology should also include compression so that tape data is compressed before encryption.

Source: Enterprise Strategy Group
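
The compress-before-encrypt ordering recommended in the last point above, and Schreck's earlier remark that encrypted data does not compress well, can be measured directly. The following is an added example, not code from the article or from any vendor named in it; the SHA-256 counter-mode cipher is a stand-in for AES so that it runs on the Python standard library alone, and the key, nonce and customer rows are constructed.

```python
import hashlib
import zlib

KEY = bytes(range(32))   # constructed demo key, not a real secret
NONCE = b"tape-0001"     # hypothetical per-tape nonce


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for AES.
    Illustration only; real backups need a vetted AES implementation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def make_sample_backup(records: int = 2000) -> bytes:
    """Constructed sample: repetitive customer rows, like a database dump."""
    return "".join(
        f"{i:06d},Customer {i % 97},12 High Street,Bridgeport,CT,ACTIVE\n"
        for i in range(records)
    ).encode()


def write_tape(data: bytes, key: bytes = KEY, nonce: bytes = NONCE) -> bytes:
    """Recommended order: compress the plaintext, then encrypt the result."""
    return keystream_xor(key, nonce, zlib.compress(data))


def restore(blob: bytes, key: bytes = KEY, nonce: bytes = NONCE) -> bytes:
    """Undo write_tape: decrypt first, then decompress."""
    return zlib.decompress(keystream_xor(key, nonce, blob))


def tape_bytes(data: bytes, key: bytes = KEY, nonce: bytes = NONCE) -> dict:
    """Bytes that reach the tape for each ordering of the two steps."""
    encrypt_then_compress = zlib.compress(keystream_xor(key, nonce, data))
    return {
        "plain": len(data),
        "compress_then_encrypt": len(write_tape(data, key, nonce)),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


if __name__ == "__main__":
    for name, size in tape_bytes(make_sample_backup()).items():
        print(f"{name:>22}: {size:>7} bytes")
```

Compressing first shrinks the repetitive dump to a fraction of its size, while compressing the ciphertext saves nothing because the encrypted bytes look random to the compressor.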

Copyright ©1994-2005 Ark Group Ltd All rights reserved. No part of this site or the publications described herein
may be reproduced in any form without the permission of Ark Conferences Ltd, Registered in England, No. 2931372.