Feeds

Should we be encrypting backups?

It’s about the restore, stupid

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

Workshop We all know that data protection regulations are gaining teeth. As we discussed before, it is becoming more difficult to keep data losses private, and the damage to reputation and other penalties incurred following data breaches are now significant.

Data protection laws in particular are being tightened up, with the potential for large financial penalties to be imposed for the loss or leakage of data. Fines may come not only from general data protection bodies, but also individual industry regulators in verticals such as financial services or healthcare. Data breach notification laws, pioneered very effectively by California, are planned for Europe. These have shown that the real cost of a data loss is the clean-up afterwards. Companies suffer from the loss of reputation and trust in a brand, as well as having to foot the bill for fraud monitoring, credit protection and possible recompense for those people affected.

Now, you may well be thinking: "That's all well and good, but how does it affect me?" Legislation is effectively raising the bar and sending a message that dealing with risks posed by a data breach is important, and that the efforts made to secure the data held will be used to determine the level of penalties should a breach occur. So doing nothing may be an option, but it will probably be a very expensive one. Accepting this, how can you approach what for many is a very murky problem – and can encryption help?

That old chestnut, off-site backup, is the traditional starting point for data protection. However this does involve risk at multiple points: transporting the backups, holding them at a third party, and then being able to recover the data at a future time. Encryption of the backed-up data certainly appears to be part of the solution: it enables safe transport and storage, providing the passwords or keys are kept separate from the data itself, of course.

However, backup is only half of the answer when it comes to data protection and availability - the flip-side is restoration of data if required. At this point, encryption makes things harder, not easier. How many companies have implemented a system to guarantee that encrypted information can be retrieved and restored? To do so requires a comprehensive catalogue of backups, combined with encryption key or password management information. It may be a challenge keeping records, especially as the retention periods for these data sets can extend into years and decades.

As a system of many interacting steps, many of which are complex and temperamental, the whole of the problem may seem like much more than the sum of its parts. Keeping a firm grip on encrypted data will be dependent on process, documentation and management tools. Regular testing of restore capability must also be part of the process, ideally as part of formal Governance, Risk and Compliance (GRC) procedures.

It is tempting to focus efforts on testing restores on fairly recent active data. After all, there are whole libraries of the old stuff! But is this really going to be enough? Indeed, if it can’t be guaranteed that old, encrypted data can be restored at some point in the future, is there really any point in keeping it at all?

Long-term access to backup data has many associated risks. For example, job rotation and rapid technology obsolescence mean that this is often left as a problem for somebody else to solve. The physical condition of the tape may deteriorate. Tape readers may become obsolete (even NASA has this problem). Encryption adds to the complexity of the problem of data restoration, and as with all the other issues this must be tackled to ensure long-term retrieval is viable. Process is as vital in ensuring success as the technology used, perhaps even more so as technology changes frequently but people are slow to change – as, to be fair, is the data.

We're not claiming to have all the answers here. But as encryption once again piques the interest of the media, it is worth considering the practicalities and ramifications when it comes to this fundamental area of data protection – that of backup and restore. Whatever approach is followed to encrypting backups, key management will likely become the over-riding issue to ensure that access to the data is still possible after many years. Tough as it sometimes can be, most organisations would not think of running important systems without backups and recovery plans in place. But neglecting the same with encrypted data and keys, lays a business open to losing access to important data with a very difficult path to recovery.

Have you ever had a data wipe-out from lost keys? Has encryption saved your bacon? Please let us know. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.