Feeds

Should we be encrypting backups?

It’s about the restore, stupid

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

Workshop We all know that data protection regulations are gaining teeth. As we discussed before, it is becoming more difficult to keep data losses private, and the damage to reputation and other penalties incurred following data breaches are now significant.

Data protection laws in particular are being tightened up, with the potential for large financial penalties to be imposed for the loss or leakage of data. Fines may come not only from general data protection bodies, but also individual industry regulators in verticals such as financial services or healthcare. Data breach notification laws, pioneered very effectively by California, are planned for Europe. These have shown that the real cost of a data loss is the clean-up afterwards. Companies suffer from the loss of reputation and trust in a brand, as well as having to foot the bill for fraud monitoring, credit protection and possible recompense for those people affected.

Now, you may well be thinking: "That's all well and good, but how does it affect me?" Legislation is effectively raising the bar and sending a message that dealing with risks posed by a data breach is important, and that the efforts made to secure the data held will be used to determine the level of penalties should a breach occur. So doing nothing may be an option, but it will probably be a very expensive one. Accepting this, how can you approach what for many is a very murky problem – and can encryption help?

That old chestnut, off-site backup, is the traditional starting point for data protection. However this does involve risk at multiple points: transporting the backups, holding them at a third party, and then being able to recover the data at a future time. Encryption of the backed-up data certainly appears to be part of the solution: it enables safe transport and storage, providing the passwords or keys are kept separate from the data itself, of course.

However, backup is only half of the answer when it comes to data protection and availability - the flip-side is restoration of data if required. At this point, encryption makes things harder, not easier. How many companies have implemented a system to guarantee that encrypted information can be retrieved and restored? To do so requires a comprehensive catalogue of backups, combined with encryption key or password management information. It may be a challenge keeping records, especially as the retention periods for these data sets can extend into years and decades.

As a system of many interacting steps, many of which are complex and temperamental, the whole of the problem may seem like much more than the sum of its parts. Keeping a firm grip on encrypted data will be dependent on process, documentation and management tools. Regular testing of restore capability must also be part of the process, ideally as part of formal Governance, Risk and Compliance (GRC) procedures.

It is tempting to focus efforts on testing restores on fairly recent active data. After all, there are whole libraries of the old stuff! But is this really going to be enough? Indeed, if it can’t be guaranteed that old, encrypted data can be restored at some point in the future, is there really any point in keeping it at all?

Long-term access to backup data has many associated risks. For example, job rotation and rapid technology obsolescence mean that this is often left as a problem for somebody else to solve. The physical condition of the tape may deteriorate. Tape readers may become obsolete (even NASA has this problem). Encryption adds to the complexity of the problem of data restoration, and as with all the other issues this must be tackled to ensure long-term retrieval is viable. Process is as vital in ensuring success as the technology used, perhaps even more so as technology changes frequently but people are slow to change – as, to be fair, is the data.

We're not claiming to have all the answers here. But as encryption once again piques the interest of the media, it is worth considering the practicalities and ramifications when it comes to this fundamental area of data protection – that of backup and restore. Whatever approach is followed to encrypting backups, key management will likely become the over-riding issue to ensure that access to the data is still possible after many years. Tough as it sometimes can be, most organisations would not think of running important systems without backups and recovery plans in place. But neglecting the same with encrypted data and keys, lays a business open to losing access to important data with a very difficult path to recovery.

Have you ever had a data wipe-out from lost keys? Has encryption saved your bacon? Please let us know. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.