Encryption – The Missing Defence Tool In Many Companies’ Security Policy

Over the last few years, protection against external attacks has been the main focus of information security policies and purchases but this has caused the other aspects of data security to be overlooked. A number of surveys over the last two years have highlighted the fact that the majority of real data losses have been through internal attack or simple loss of removable storage media. This revelation has caused information security officers to look at the wider aspects of securing data at all stages of its lifecycle.

Added to this a spate of legislation that highlights the need for a complete security policy means that companies of all sizes are now looking at what they need to do to reduce the problems caused when data is lost. The flurry of high profile losses of sensitive data stored on backup tapes reported by large corporations has highlighted the damage that the loss of even one high capacity tape cartridge can bring.

One of the most recent cases to come to light was when Bank of America lost a number of backup tapes whilst in transit between offices. Even though there was no belief that the data had fallen into the hands of unauthorised people, the loss of confidential personal data has made many of their customers reassessed where they place their business. The US Senate as a result is considering bringing in legislation to ensure any personal data recorded on a backup or archive tape must be encrypted in some form.

It is clear that there is a real threat to data security if tapes are not encrypted, no matter how high the level of physical security used when transporting tapes to a “secure’ area away from the primary business location for disaster recovery plans. It is during the movement of tapes is where most of the losses in recent times have occurred. Many occasions they have been under the control of specialist companies who say they have a safe and secure storage. It has been found however, that when operators were asked how many times they have had the tapes from another company delivered to them in error, the answer is all too often that this is not a rare occurrence!

It seems to be overlooked by many analysts, but that there is also a major repercussion for the integrity of data restored from an unencrypted backup tape. What could the possible implications be of a restore being run from a set of backup tapes that have been modified? Contrary to the views of some so called specialists, it is not that difficult to modify clear data on a backup tape, and even easier to read and re-write the data so it appears to be the same unaltered tape as before. It needs only a few digits changed to have a major impact on a financial record!

The widening remit for data security is being addressed by various legislations such as Basel II, HIPAA, Sarbanes-Oxley and PHIPA. The fact that many companies are simply flouting these rules with the view that the fines they could face are less that the cost of implementing the solutions, means that only when the fines are increased and the number of prosecutions grows that legislation will have a real impact.

In Japan, where the number of disappearing data tapes is unusually high, the government has brought in legislation that requires a person in each company to be responsible for data security, and he or she will be fined and serve a prison sentence if they fail to comply with legislation. This apparent draconian measure may well be needed in other counties in order to bring companies in line. In Europe, a CEO is already liable for failing to implement an acceptable information security policy and he or she would be liable for a substantial fine or a custodial sentence in extreme cases.

In the past encrypting data has tended to use software running on the host systems, resulting in slow and inefficient data transfer which has led to reluctance to use encryption for security. Today dedicated hardware devices are available to offload the process to inline units designed for the task. Through the use of dedicated compression and encryption engines, encryption hardware is capable of running at the full speed of modern tape drives, with little or no latency and degradation.

It is interesting to note that some companies have used their investment in security devices as a sales tool to show they are taking the best care of their customers’ data, rather than just hoping it doesn’t get lost and compromised. As insurance companies who cover business losses see the advantage of securing data, including backup tapes, we can expect insurance premiums to reflect this.