Enterprises Still Lax on Storage Security
Encrypting backup tapes is a good way to prevent data losses, but few companies do this correctly -- or know where to store their encryption keys.
Despite the explosion of data and the large numbers data breaches, enterprises are not doing enough to encrypt their backup data, according to a study conducted jointly by security vendor Thales Group and Trust Catalyst.
The results of the study, released yesterday, show that backup tapes are neglected in administrators' security efforts. Of the 330 respondents from large enterprises worldwide, 35 percent said they do not know whether or not they will encrypt their backup tapes.
"Traditionally, storage has been a domain in and of itself, and IT security has been focusing on front-facing business applications, so they don't pay that much attention to security," Kevin Bocek, director of product marketing at Thales, told InternetNews.com.
Not having a backup tape encryption plan could place an organization's data at risk, leading it into a breach of compliance. Data breaches can cause heavy financial losses, as retail store chain owner TJX discovered.
The storage department is more concerned with the cost and speed of data recovery than with encryption, according to Bocek. Also, enterprises felt they lacked access to technology adequate for enterprise-grade tape encryption.
"Previously, tape encryption technology used to be bolted on or would be an application used for general backup, and some didn't trust those to encrypt their tapes for backup," Bocek said.
The situation is changing, as more and more applications come with built-in encryption. However, a new problem then emerges -- managing the encryption keys. "If you're going to use encryption, you must have good key encryption, because if you lose your keys, you lose your data," Dave Hill, principal at analyst firm Mesabi Group, told InternetNews.com.
Keys should not all be given to one person, he added. "If they do something wrong, either in error or maliciously, that could be a problem."
For instance, giving control over all means of access to a system can lead to severe consequences, as San Francisco found out when rogue system administrator Terry Childs gained control over all the passwords to its fiber optic wide-area network.
Hill recommends enterprises have keys stored with a trusted third party "so somebody can get them back in case of an emergency."
Where the keys are
The Thales study found that most people do not know where to store their encryption keys. More than 40 percent of the survey's respondents answered that they didn't know where to store keys for seven out of 13 encryption apps. Most of the remainder stored their encryption keys in software or on a disk, while very few stored the keys in a dedicated appliance, which happens to be the market Thales is in.
"Key management issues will continue to be an issue for backup media," Bocek said. He added that the "very largest enterprises" are adopting encryption key management appliances like the ones Thales sells. In the future, such appliances will be made for medium-sized companies, Bocek said.
However, Mesabi Group's Hill does not like the idea of dedicated appliances.
"If you keep the appliance inside your building, what happens if you have a disaster and have to restore to a remote site?" he asked. Most companies "manage their keys on-site, with a copy sent off to a trusted third party, and this seems to be working."
Security News Solutions