Content Copyright © 2005 Bloor. All Rights Reserved.
IT has a substantial history. Alas, as in many areas of everyday life, the computing industry frequently fails to learn from the experience of others. This is most likely to be the case in functions that quickly become routine. The protection of information through the process of backup is one such area; it has become so routine as to be almost invisible, and the methods used by most organisations are so rooted in history that they often fail to provide the protection desired and, perhaps even more importantly, can expose organisations and individuals to considerable risk.
The only point of backing up data is to enable said information to be recovered if anything causes the original data to become unavailable or corrupt. Unfortunately, in many organisations, the backup process itself has become more of a habit, rather than a process subject to review and monitoring. Too often the only focus on the process concerns the time available to perform backups instead of looking at the ability to recover information within the necessary timescales required by the business. There are few Operations that have not suffered the experience of being unable to retrieve information stored in backup systems when asked so to do.
Thankfully, this is now changing, albeit rather slowly. Organisations are now much more demanding when it comes to recovering information. This, coupled with an increasingly sophisticated range of data protection solutions that are relatively straightforward to implement, is helping to make the process of information recovery more effective than in the past. In particular, the increasing use of disk-to-disk backups coupled with effective tape solutions is speeding data recovery times and finally bringing them in line with business requirements.
Of course, the need to ensure that all data receives the appropriate protection still exists. This is an area much more dependent on people: firstly to understand what information exists and, secondly, to ensure that appropriate backup and recovery service requirements are established. However, whilst attention is finally being paid to the recovery side of data protection, it is still apparent that little thought goes into the need to secure information held in backup systems.
Whilst it is true that too little effort goes into securing some data sources, most notably the information held on laptops, PDAs and, increasingly, on mobile phones, few organisations actively consider securing data stored in backup systems. Recent information published by Privacy Rights Clearinghouse, a US-based consumer research company, shows that in the last six months the personal information of over 50 million US individuals may have been “compromised”. The most common causes of information compromise cited were hacking, dishonest employees, stolen computers and, crucially, lost backup tapes.
Privately, some organisations are concerned that the theft of backup tapes represents a relatively risk-free and almost invisible means of obtaining sensitive and commercially valuable information. In compliance-driven America, even the genuine loss or misplacing of backup tapes holds the potential to seriously undermine the confidence of auditors.
Information published by DISUK, a specialist in the design and manufacture of data storage encryption systems, shows that of 80 incidents reported in the US, no fewer than 6 involved the loss of backup tapes. Today, few backup tapes are routinely encrypted to protect this vulnerable and highly mobile source of valuable information. It is clear that backup tapes hold vital information. Indeed, much of it is subject to stringent legislative requirements covering its storage and disclosure. More importantly, they hold the company information that is an organisation's lifeblood.
With backup and recovery systems becoming easier to implement and administer, it is now time for attention to be paid to securing data at rest. Not all information needs to be encrypted, either on its live platforms or on backup media. However, it is clear that at present certain sensitive and valuable data that should, and indeed must, be better protected and encrypted is still being kept unsecured.