Data Thefts Reveal Storage Flaws


Recent high-profile thefts of sensitive data have enterprise IT executives looking hard at the relationships among storage, backup and security, even as vendors prepare new ways to lock down stored information.

Proposed solutions run the gamut from EVault Inc.'s improved online backup to Decru Inc.'s sophisticated encryption methods; all aim to mitigate risk at a time of heightened concern for data security.

The stakes in handling sensitive data, especially on storage tapes, came into stark relief last week when Bank of America Corp., based in Charlotte, N.C., said it lost unencrypted tapes that included personal information on 1.2 million federal employees.

Such catastrophic security and privacy breaches are leading customers to re-evaluate how often they access their stored tape data, who is granted access, what type of security is in place and whether online disk-to-disk backup is more favorable than traditional tape backup operations.

Kenan Luptak, IS manager at First National Bank, in Sidney, Neb., two months ago abandoned physical tape backup for EVault InfoStage, a self-managed online disk-array protection system. Luptak said his organization could not afford to take for granted tape's nonverification and lack of integrity checks.

"You don't have quality control of the individual taking tapes off-site," said Luptak. "Did they leave them in a car? Did they freeze or have heat exposure? The integrity of tapes is always a question, and this way we don't have to worry about how the tapes are handled."

Next month, EVault will unveil a new iSeries agent that will enable administrators to perform hot backups online without disrupting service and an iSeries database trigger method to more quickly capture changes during backups, said officials of EVault, based in Emeryville, Calif.

Security experts say that regardless of the format enterprises choose for backup, securing data should be a top priority. Right now few organizations take the time to encrypt stored data, but incidents such as Bank of America's may change that.

With identity theft at the top of legislators' agendas and on the minds of many consumers these days, banks, health care organizations and other groups that hold customer data are likely to find themselves under increased pressure to prove that they are doing everything they can to secure information. Encrypting data at rest on networks as well as backup media would be a step toward restoring customer confidence, experts say.

Daniel Chow, IT systems and security engineer for Boeing Employees Credit Union, of Tukwila, Wash., said he deployed the Decru DataFort T-Series appliance to ensure the privacy of the credit union's customer data written to and stored on encrypted backup tapes.

"If there's ever a possibility that the vendor accidentally may lose our data or the carrier may lose it, because we do ship it to other locations, we're always confident there's no way anyone can access that data," said Chow. "It was something that was apparent to us, and Decru provides a nice option to do that."

BECU maintains more than 60TB of stored data, distributed among several SAN (storage area network) islands with more than 300 ports.

Officials for Decru, which is based in Redwood City, Calif., said the company is working closely with large storage hardware vendors to enable its CryptoShred technology to automatically and remotely delete encryption keys used to encode stored data anywhere the information resides as part of an integrated business process or ILM (information lifecycle management) plan.

Had Bank of America's tapes been encrypted, they would have been of no use to whoever stole them. In fact, under a bill before the U.S. Senate, the bank would not have had to disclose the loss of the tapes if they had been encrypted. Such incidents serve notice that thieves and crackers will seek new ways to get valuable information, experts caution.

"You don't have to be technically sophisticated to be a hacker anymore," said Mary Ann Davidson, chief security officer at Oracle Corp., in Redwood Shores, Calif. "Hacking isn't just for bragging rights and chest thumping. There's real money in it."

