How To

No More Lost Backup Tapes: Chain of Custody Security Measures

Sending critical backup tapes to a storage facility isn't as simple as placing a package on a truck. Here are four points to consider when you're securing the chain of custody for your backup data.

By Stacy Collett


Today, however, just 31 percent of CIOs, CSOs and information security directors say encrypting stored data is a priority, according to "The 2004 Global Information Security Survey" by CSO, CIO (a sister publication to CSO) and PricewaterhouseCoopers.

Encryption can be applied in a variety of ways. One solution is to encrypt sensitive data, such as Social Security numbers, automatically when they are entered into a field. "Most of the database systems out there come with built-in encryption schemes. It's fairly simple to do," says Eric Ouellet, vice president in security and privacy research at Gartner. "But if your database doesn't support that, there are third-party toolkits that you can incorporate in your database. Then you can use secure modules to actually do the encryption."

Ouellet, who has seen a tenfold increase in customer calls about encryption technology since January, also sees more companies starting to encrypt entire laptop hard drives or databases to keep information safe from laptop thieves or an inside job. This can free the end user from having to choose what to encrypt. Ouellet says laptop manufacturers such as IBM are beginning to put encryption capabilities right into their systems, and Microsoft is adding encryption to the Longhorn version of its Windows operating system (which is currently set for release by the end of 2006).

Some end-user encryption options are now available, such as cryptographic software, appliances and accelerator cards from Decru, Kasten Chase, nCipher, NeoScale and others. What's more, HIPAA and Sarbanes-Oxley rules give companies great latitude in deciding what security tools to deploy based on their own security audits. Hard-drive encryption software ranges in price from $50 for basic encryption to $100 if it supports devices such as USB drives and PDAs.

When it comes to encrypting massive amounts of data on the back end before it goes to backup tapes, there are no elegant or inexpensive solutions yet. Some vendors offer appliances that sit between servers and storage systems and encrypt data as it moves back and forth. These can cost from $150,000 to $500,000 for a large enterprise network.

Ouellet says CSOs should consider encrypting databases before encrypting backup tapes. "If your database is not encrypted, it doesn't protect you in the long run," he adds.

Strategy no. 3: Forget the courier and use a secure Internet link

Shortly after Citigroup's backup tapes went missing, the financial services company announced it would encrypt financial data and transmit it to credit bureaus electronically. Less than 10 percent of companies use that practice today, but the numbers are growing, according to Bud Stoddard, president and CEO of data protection vendor AmeriVault in Waltham, Mass.
