by Ted Saul

In today’s environment, computer security is more than simply ensuring passwords are enforced or access to servers is protected. One aspect to consider is the safekeeping of “data-at-rest”, or files that have been backed up to tape for protection. Recently I assisted a large university with a serious breach where the transport courier of their backup tape cartridges had been hijacked. Thousands of school records were now in unauthorized hands. In a separate incident a major hospital reported that over 100,000 tapes in transit had been lost. This breach violated HIPAA compliance, which could potentially result in fines and even imprisonment of responsible parties. These types of events need to be a wake-up call for any business that takes regular backups and stores them onsite or sends them elsewhere for safekeeping. The solution to this security problem is to encrypt data as it is written to backup media. Encryption translates data into a format that cannot be read without having a “decipher key” available. This key is defined by the business and kept in a safe place, to be shared on a need-to-know basis.

There are three different methods for encrypting: hardware encryption by the drive, encryption appliances, or software. Drive hardware encryption is the easiest method to implement but tends to be the most expensive. Encryption appliances connect your computer to your tape drive and encrypt the data as it passes through. These devices can also be a more expensive solution but provide performance that large businesses may require. Finally, there are multiple software applications available on the market that compress and encrypt the data before writing to media. While more reasonable in price, they do generate more overhead, causing the performance of backups to degrade. Each method has two encryption standards available. The Data Encryption Standard (DES) is more common but older and less secure. It can only accept keys up to 56 bits in length, which to the serious hacker is not much of a challenge. A better choice is the Advanced Encryption Standard (AES), which allows creation of 128-, 192- or 256-bit keys.
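The software method described above can be sketched with standard tools. This is an added example, not code from the original article: it compresses a directory, encrypts the stream with AES-256, and restores it with the key file. The function names and file paths are hypothetical, and it assumes OpenSSL 1.1.1 or later is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): compress, then encrypt with
# AES-256 before the backup reaches removable media. Function and file names
# are hypothetical. CBC mode protects confidentiality only.
set -eu
# Fail a pipeline if any stage fails, where the shell supports it.
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi

# Create a random 256-bit key, readable only by its owner.
make_key() {            # usage: make_key <keyfile>
  ( umask 077; openssl rand -hex 32 > "$1" )
}

# Stream tar+gzip output straight into openssl so that no plaintext
# archive is ever written to disk.
encrypt_backup() {      # usage: encrypt_backup <srcdir> <keyfile> <outfile>
  tar -C "$1" -czf - . |
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$2" -out "$3"
}

# Decrypt and unpack; a wrong key ends in a decrypt or gzip error.
restore_backup() {      # usage: restore_backup <infile> <keyfile> <destdir>
  mkdir -p "$3"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1" |
    tar -C "$3" -xzf -
}
```

The key file must be stored apart from the media it protects; a tape that travels with its key is no better than an unencrypted one.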

Your first line of defense is to encrypt the data on your laptop or PC in case they are stolen. The data will be unreadable and useless. Protecting backup copies of the data is the next priority. It should be noted that 34 states including California have introduced or passed legislation that requires disclosure of lost unencrypted data, such as California’s civil code section 1798.80-1798.82, requiring “notice to consumers of breach in the security, confidentiality, or integrity of unencrypted computerized personal information held by a business or a government agency”.

Security is a process, not a product. Encrypting data on disk or in storage should be a part of that process.

Ted Saul is a consultant specializing in the needs of small businesses. He can be reached at TWS777 on Twitter.