In a year that's seen identity theft and data loss skyrocket, some well-known organizations have already served as high-profile examples of the importance of data backup security. In late February, Bank of America admitted to losing a number of backup tapes in route to a backup center; the tapes contained the financial information for 1.2 million government employee credit cards. A little more than two months later, Time Warner made a strikingly similar announcement—it had lost backup tapes containing personal information for 600,000 current and former employees.
Can your company afford to lose its data? The obvious answer is no—no one's going to admit that it's acceptable to lose corporate information. And yet, many companies don't take the necessary precautions to ensure it doesn't happen.
It's a well-known fact that backups are vital to the disaster recovery process. The majority of organizations understand the importance of backing up information as well as testing those backups. (I said they understand the importance of testing—I won't discuss how many actually practice what they preach.)
But if you don't take the necessary security measures, backups can end up causing a disaster rather than preventing one. If your organization's network contains personal or proprietary information, you need to take steps to secure your backups.
Bank of America and Time Warner could have prevented some of the inevitable fallout by implementing some simple risk management actions. Let's look at three ways you can beef up the security of your data backups.
Security begins at home
First of all, your organization must restrict access to its data centers. If anyone has access to your data center, that means anyone can go in and steal—or sabotage—all the information they want. A lock on the server room door and a key control log is a simple start to protecting any backup media that's in rotation.
If your backup hardware includes a locking mechanism, use it. That's the reason tape drives have locks: Not everyone in the data center needs to have physical access to the media. Controlling physical access to wherever your media resides is one way to mitigate insider theft.
After you've removed your media and placed it into a storage container, lock the container. A fresh set of backups sitting out in the open is a tempting target for a disgruntled employee.
Off-site storage needs security too
Many disaster recovery plans include provisions for storing backups at an off-site facility to protect data in the event that something damages or destroys the home office. Remember: Insurance can buy new hardware, but nothing can replace your company's data.
Therefore, it's a good idea to initiate an off-site storage plan, and implement it as soon as possible. When evaluating off-site storage centers, make sure any storage facility you consider using is as secure as your present site.
Due diligence with data shipments
When data leaves your data center, make sure you have an auditable trail for that data. When you think about it, you probably audit everything else—it only makes sense to use a carrier that can provide a secure, auditable method of transporting data.
Use a carrier that you can trust, and don't put any special markings on the boxes holding the backup media. Marking the outside of boxes with phrases such as Confidential Personal Information or Backup Media only makes a potential thief's job all the easier. Don't mark your boxes, but do provide shipping instructions for safeguarding your magnetic media.
No backup protection strategy would be complete without encryption. For security purposes, it's vital that you encrypt all information that leaves your facility. And if your current backup solution doesn't support encryption, then it's time to find a new backup solution.
Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.