In a year that’s seen identity theft and data loss
skyrocket, some well-known organizations have already served as high-profile
examples of the importance of data backup security. In late February, Bank of
America admitted to losing a number of
backup tapes en route to a backup center; the tapes
contained the financial information for 1.2 million government employee credit
cards. A little more than two months later, Time Warner made a strikingly similar
announcement—it had lost backup tapes containing personal information for
600,000 current and former employees.
Can your company afford to lose its data? The obvious answer
is no—no one’s going to admit that
it’s acceptable to lose corporate information. And yet, many companies don’t
take the necessary precautions to ensure it doesn’t happen.
It’s a well-known fact that backups are vital to the
disaster recovery process. The majority of organizations understand the
importance of backing up information as well as testing those backups. (I said
they understand the importance of
testing—I won’t discuss how many actually practice what they preach.)
But if you don’t take the necessary security measures,
backups can end up causing a disaster
rather than preventing one. If your organization’s network contains personal or
proprietary information, you need to take steps to secure your backups.
Bank of America and Time Warner could have prevented some of
the inevitable fallout by implementing some simple risk management actions.
Let’s look at three ways you can beef up the security of your data backups.
Security begins at home
First of all, your organization must restrict access to its
data centers. If anyone has access to your data center, that means anyone can
go in and steal—or sabotage—all the information they want. A lock on the server
room door and a key control log are a simple start to protecting any backup
media that’s in rotation.
If your backup hardware includes a locking mechanism, use
it. That’s the reason tape drives have locks: Not everyone in the data center
needs to have physical access to the media. Controlling physical access to
wherever your media resides is one way to mitigate insider theft.
After you’ve removed your media and placed it into a storage
container, lock the container. A fresh set of backups sitting out in the open
is a tempting target for a disgruntled employee.
Off-site storage needs security too
Many disaster recovery plans include provisions for storing
backups at an off-site facility to protect data in the event that something
damages or destroys the home office. Remember: Insurance can buy new hardware, but
nothing can replace your company’s data.
Therefore, it’s a good idea to initiate an off-site storage
plan, and implement it as soon as possible. When evaluating off-site storage
centers, make sure any storage facility you consider using is as secure as your
Due diligence with data shipments
When data leaves your data center, make sure you have an
auditable trail for that data. When you think about it, you probably audit
everything else—it only makes sense to use a carrier that can provide a secure,
auditable method of transporting data.
Use a carrier that you can trust, and don’t put any special
markings on the boxes holding the backup media. Marking the outside of boxes
with phrases such as "Confidential Personal
Information" or "Backup Media" only makes
a potential thief’s job all the easier. Don’t mark your boxes, but do provide
shipping instructions for safeguarding your magnetic media.
No backup protection strategy would be complete without
encryption. For security purposes, it’s vital that you encrypt all information
that leaves your facility. And if your current backup solution doesn’t support
encryption, then it’s time to find a new backup solution.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security