Source: Robin Pilcher, CNT
Robin Pilcher, European Marketing Director at CNT, argues that storage and security need to be seen as two sides of the same coin to protect data for the length of its lifetime.
So there we were again. Another week, another security breach – makes you wonder if anyone ever learns from these things, doesn’t it? However, the recent news that the Bank of America had managed to ‘lose’ a number of data tapes in transit to its backup centre is somewhat different from the usual leaks and loopholes. And it highlights a worrying yet often overlooked security risk – how secure data is when it is moved off-site for backup, archive, or legislative retention purposes.
According to the Security Institute, 72 per cent of corporations admit to security breaches with significant financial impact… the most common being the compromise or loss of stored data.
Yet many organisations continue to see ‘storage’ as a separate or standalone IT function. This is a short-sighted view of this critical asset that is the cornerstone of business activity. It is also a risky way of approaching the management of data over its lifetime, and one which underlies many security breaches such as that outlined above.
Data security and data storage should not be considered in isolation. Just because data is offsite, sometimes even in a different country, does not release an organisation from its obligation to keep that data secure – and in many cases today, that obligation is backed by regulatory compliance laws that could see the company responsible facing significant fines and jail terms for senior executives.
Nor can a company delegate responsibility to the third party that manages that offsite data for them – if your organisation collected the information, your organisation has to keep it secure regardless of where that data is kept, or on what medium.
While data is stored ‘onsite’ within the walls of the data centre, or at the company’s headquarters, it is usually relatively secure. Viruses, worms, hackers and illegal access can be thwarted by firewalls, access controls, authentication and restricted physical access. Most enterprises will have these controls in place as an integral part of their information security policies, but the data is only secure as long as it resides behind such security measures.
Just as gold bars, payrolls and large sums of cash are safe when on the bank’s premises, they are vulnerable when transported, even by armoured vehicle, between locations.
What happens when, as with the Bank of America, your company’s back-up and archive tapes are sent off-site and are in transit to the remote vault? No firewall; no restricted access; no protective password system, just data on a tape – or should that be data on tap?
To be fair to the Bank of America, it had ensured the data on the tapes was ‘structured in a highly fragmented way’. So, too, is a jigsaw puzzle when you tip the pieces out of the box, but it is still possible to complete the puzzle even without reference to the picture on the box. But how much more difficult is it to complete the jigsaw if all the pieces have previously been coded – or encrypted?
Today, threats against your company’s data are no longer confined to earthquake, fire and flood. Digital terrorism means that storing data on disk and tape media, and even replicating it across remote SANs, are three potential weak links in the security of the data infrastructure unless companies take action.
It is high time to recognise that data cannot be forgotten about the moment it leaves the premises, either electronically, or on physical media. No security-conscious enterprise would tolerate personal, private or sensitive customer data being emailed out to unknown individuals – information being sent off-site on tapes (or via remote electronic communications) must be treated with as much seriousness. That means sensitive data must be stored and transported in encrypted form at all times, if it is to be safeguarded against malicious use. Anything less is to leave yourself, your company and your customers open to significant risk.
The Bank of America case must be seen as a final warning – this tempting open door to those with criminal tendencies must be slammed shut – or many companies will face the consequences.