Backup-Tape Security: Enter the “Brown Bag”
Are your backup tapes a security risk? After numerous high-profile tape losses, and the resulting notifications to millions of Americans, many companies still don’t encrypt their backup tapes.
Backup tapes are a convenient and widely used method for backing up files, moving essential records to disaster recovery or offsite storage sites, and sharing sensitive information with business partners, law firms, and regulators.
Yet when backup tapes contain sensitive information, especially relating to consumers, losing control of the tapes—either through loss or theft—can put a company in violation of such regulations as HIPAA or California’s SB 1386, not to mention other states’ data-notification laws.
The roster of companies that lost backup tapes this year or last, and the resulting number of customers or clients whose information was potentially compromised, includes such heavyweights as Ameritrade (200,000), Bank of America (1.2 million), Citibank (3.9 million), CitiFinancial (3.9 million), City National Bank (unknown), and Time Warner (600,000). Multiple class-action lawsuits have been launched as a result.
As Forrester analysts Michael Rasmussen and Paul Stamp note in a recent report, “Incidents like those at Bank of America or Citibank, where unencrypted backup tapes containing large amounts of customer data went missing on the way to the archive repository, accentuate the need for greater understanding between physical security and information risk management.” In particular, using encryption can prevent lost or stolen tapes from being read, and California SB 1386, for one, specifically exempts companies with lost but encrypted information from having to notify consumers.
To encrypt backup tapes, companies have multiple options, including encrypting information as it’s stored on tapes, or using security appliances to automatically encrypt (and thus protect) all data at rest, whether it’s on backup tapes or database servers.
Despite the relatively low cost of encrypting backup tapes (and the inherent regulation-compliance benefits of doing so), most companies still haven’t improved their tape-related security practices, according to a recent survey of 388 storage professionals conducted by Enterprise Strategy Group (ESG) in Milford, Mass. “One would expect that security-conscious organizations would include tape encryption as a standard security defense. Unfortunately, this hypothesis simply isn’t true,” reports ESG analyst Jon Oltsik, who found 60 percent of organizations simply don’t encrypt their backup tapes, while only seven percent encrypt all backup tapes. “Furthermore, security-focused industries like financial services, healthcare, and government agencies do not demonstrate encryption use more than other industries, while large organizations are only slightly more apt to encrypt their backups than smaller firms.”
According to a recent study by data-storage encryption vendor DISUK Ltd. in Silverstone, England, only 34 percent of companies have a security policy requiring backup tapes to be encrypted, though only 23 percent said backup encryption was actually used. While many firms do have plans to implement encryption for backup tapes, one in six did not.
Beyond problems dealing with encryption, DISUK says many companies also face chain-of-custody issues. For example, while half of all companies use a third-party service to transport or store backup tapes, many don’t actively manage that service. Furthermore, one in five companies says responsibility for backup tapes is shared by the security manager and the storage manager, one in 10 says responsibility wasn’t clear, and two percent simply don’t manage their tapes.
“Someone needs to have specific, overall responsibility for that relationship,” notes Paul Howard, the managing director of DISUK. “Muddled chains of responsibility often end in tears.”
Brown-Bagging Backup Tapes
No matter how well courier services are managed, tapes in transit are a security and compliance risk. To help companies that use backup tapes keep tabs on them, Fujifilm announced it was releasing Fujifilm Data Tape Couriers, a single-use, inexpensive case (about $15 for 10) for shipping a single tape (LTO, DLTtape, SuperDLTtape, 3590, or 3592). The recyclable shipping containers include tamper-evident seals, are moisture resistant, and have a “plain-brown wrapper” appearance; they also help keep a tape oriented vertically—the best way to ship a tape without damaging it.
Fujifilm designed the tape cases after reading about a number of companies’ tape-handling practices. “We read one story about a company that simply threw tapes into a box, and the box was damaged and tapes fell out of it, and that’s when we asked ourselves: Why isn’t there a low cost, affordable, disposable shipping box that’s specially created for data care handling and media?” says Rich Gadomski, a vice president of marketing for the recording media division of Fujifilm.
Tapes in transit face a number of risks. “One of the major hazards is improper handling,” he says. “If you send something through the mail, it can be in for a pretty rough handling, rough environment, left out on a storage dock, dropped from a storage dock, left out on a truck.”
Of course, such shipping cases won’t help if the tapes actually go missing in transit. Accordingly, Fujifilm also announced that Brink’s Inc. will use its tape couriers. “The physical loss of a tape in the shipping system is another issue, and if you’re sending something valuable, that’s something Brink’s addresses,” notes Gadomski.
Expect Fujifilm to continue releasing new types of shipping containers. “We have plans for other storage containers, and vaulting containers as well, again driven by all the new government regulations dictating how companies handle data,” he says.
Beware Recertified Tapes
Beyond managing the tape-shipping process, also be wary of selling used backup tapes or purchasing reconditioned tapes.
For example, in September 2005, after Fujifilm saw tapes labeled as “recertified LTO data tapes” appear on the market, it decided to study exactly what was being offered. Gadomski says Fujifilm was suspicious of recertified tapes because erasing LTO tapes is a time-consuming process. Degaussing (exposing a tape to a strong magnetic source to scramble all information it contains) won’t work, for example, on LTO and 3592 tapes—which use a magnetic servo—except to render them useless. The typical tape needs to sit in a drive long enough to be completely overwritten with zeros and ones. Would a busy IT department, or a company selling the tapes, take that time?
To find out, Fujifilm acquired 30 backup tapes from third-party sellers, then commissioned a third-party data recovery company (Ovation Data Services) to study them. According to Fujifilm, over half of the 30 tapes exhibited signs someone had tried to erase, or at least hide, the data on them. Yet eight tapes (27 percent) still contained easily recoverable information. On the opposite front, Ovation also found several were so damaged they couldn’t be used by drives.
Based on Ovation’s findings, “what the re-certifiers do today is they erase the table of contents—a quick erase—but that will leave the rest of the data on the tape,” says Gadomski. “So I think a lot of companies, especially with the government regulations in mind, don’t want to be selling their tapes into the used marketplace, unless the data can be removed.”
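The difference between a quick erase and a full overwrite can be checked before a tape leaves the building. The sketch below is an added example, not code from Fujifilm or Ovation: it models a tape as a table-of-contents block followed by data blocks (an assumed, simplified layout, not the real LTO format) and scans for blocks that still hold anything other than a single repeated fill byte.

```python
# Added illustration: simplified model of a tape image, not the real LTO format.
BLOCK = 512  # assumed block size for the constructed image

def build_image(files):
    """Block 0 is a table of contents; each file occupies one following block."""
    toc = ";".join(f"{name}@{i + 1}" for i, name in enumerate(files)).encode()
    blocks = [toc.ljust(BLOCK, b"\x00")]
    for data in files.values():
        blocks.append(data.ljust(BLOCK, b" ")[:BLOCK])
    return bytearray(b"".join(blocks))

def quick_erase(image):
    """Wipe only the table of contents, as the quick erase described above does."""
    image[0:BLOCK] = bytes(BLOCK)

def full_overwrite(image, pattern=0x00):
    """Overwrite every block with one fill byte (zeros by default)."""
    image[:] = bytes([pattern]) * len(image)

def residual_blocks(image):
    """Return indexes of blocks that are not filled with one repeated byte."""
    found = []
    for offset in range(0, len(image), BLOCK):
        block = image[offset:offset + BLOCK]
        if len(set(block)) > 1:  # mixed byte values: old data survives here
            found.append(offset // BLOCK)
    return found

# Constructed sample records, not real data.
SAMPLE = {
    "customers.csv": b"name,ssn\nA. Example,000-00-0000",
    "payroll.db": b"emp=1;salary=1",
}

def demo():
    """Compare what each erase method leaves behind on the same image."""
    tape = build_image(SAMPLE)
    quick_erase(tape)
    after_quick = residual_blocks(tape)  # data blocks are still readable
    full_overwrite(tape)
    after_full = residual_blocks(tape)   # nothing left to recover
    return after_quick, after_full

if __name__ == "__main__":
    print(demo())
```

Against a real drive, the same scan would run over blocks read back from the tape device after the erase job finishes, and any non-empty result means the tape is not ready for resale or disposal.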
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.