No More Lost Backup Tapes: Chain of Custody Security Measures

When Bank of America disclosed in February that its courier service had lost backup tapes containing data on about 1.2 million federal employees--including names and Social Security numbers--consumers, senators and even some industry peers asked how there could have been such a lapse in security. No escort for the air transport? No encryption of the tapes? No documented chain of custody?

So in May, when Time Warner revealed that couriers at its storage management provider, Iron Mountain, had lost a cooler-size container of computer tapes--holding personal, unencrypted data on 600,000 current and former employees--while it was en route to a data storage facility, it served as a chilling reminder that these aren’t isolated incidents and that security processes need to be revised. More proof came on June 6, when United Parcel Service confirmed that it had lost the financial data of nearly 4 million Citigroup customers while computer tapes were being transported to a credit bureau. And on July 5, national media outlets reported that Iron Mountain had lost two backup data tapes with the personal and financial records of an unspecified number of customers of the City National Bank of Los Angeles.

The transportation of backup tapes, the dominant medium for archival data storage because of its low cost compared with other storage options, such as optical disks, has emerged as a very public weak link in the information security custody chain. Moving sensitive data from the office to delivery service to storage provider straddles both IT and physical security roles. And for many companies, there is no real owner of the entire process, no clear means of authenticating the identity of some data handlers and no guaranteed means of getting data from point A to point B.

This summer, the Geneva-based International Organization for Standardization (ISO) is set to release updated standards for IT security guidelines for backup, management and disposal, and for physical media in transit. (The official name is ISO/IEC 17799.) But in the meantime, CEOs and boards of directors are clamoring for safeguards against the bad publicity and threats to customer information that these incidents bring.

Although investigators at the U.S. Secret Service consider the backup tapes from Bank of America, Time Warner and Citigroup to be lost because no fraudulent activity has been traced back to the data so far, security officers can’t rule out future incidents in which the information could be stolen. “Nobody knows what happened to [that data]. Maybe somebody just put it in a closet somewhere, or maybe somebody took it home. But you really don’t lessen your risk” by speculating, says Randy Moulton, chief security officer for the City of Charlotte, N.C. The city contracts with a third-party vendor, which Moulton prefers not to name, to store sensitive data on its 5,000 employees. He says that any transport arrangement carries risks and that “it could totally happen to us.”

For well-meaning couriers, even the most powerful security processes can hide a weak spot. At UPS, cutting-edge technology that tracks every move that every package makes couldn’t prevent the Citigroup tapes from going missing. “It’s so unusual. So rare. We have the technology now that we don’t lose packages,” says UPS spokesman Norman Black. “Citigroup showed that as good as we are, [the system] is subject to human error.”

The backup process is much more complex than simply handing tapes over to a third party, and CSOs need to take charge. A risk assessment starts with a tape’s path from point of origin to storage facility and assigns responsibility for each step, using both physical and IT security resources. There are options at each step of the way. Here are four strategies to consider for mitigating that risk. Have a safe trip.

Strategy no. 1: Send the most sensitive data via secure escorts

Securing sensitive data starts with the high-level security strategy of classifying data into categories, for example, highly sensitive for information such as Social Security numbers, account information and health data tied to a name; confidential for information such as business plans and customer data; and general for information such as correspondence.

At the Secret Service, Dale Pupillo, deputy special agent in charge of its Criminal Investigative Division, suggests that companies classify data similar to the way the federal government classifies information as top secret, secret and confidential (which presidential orders instituted more than a half-century ago). For instance, the government’s test for assigning a top secret classification involves determining whether the information’s “unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to the national security.” Government regulations--such as what data a company is required to safeguard and archive according to Sarbanes-Oxley, Gramm-Leach-Bliley or the Health Insurance Portability and Accountability Act (HIPAA)--and considerations of corporate goals (keeping consumers’ trust, avoiding brand-bashing publicity about a breach or safeguarding shareholder value) could drive judgments about classifying corporate information. Once the most sensitive data has been identified by the IT security staff and transferred to tape, there are several modes of secure transportation to consider. Pupillo says Secret Service guidelines make decisions clear-cut when handling archival sensitive information such as evidence in a criminal case. “If it is really valuable to us, we’ll hand-deliver it,” he says.

Couriers such as FedEx Custom Critical, a subsidiary of FedEx Corp., will transport a sensitive package in its own private climate-controlled van or truck. Two drivers provide constant surveillance of the cargo and never stray more than 25 feet away from the vehicle during the trip, according to the company’s customer service department. The price tag for transporting a 100-pound, cooler-size container one way from Milwaukee to Madison, Wis. (about 80 miles): $688. (There is a 99-mile minimum charge. The regular rate for FedEx Express overnight delivery for the 100-pound intrastate package would cost $159, according to the company’s website.)

Drivers for the Custom Critical service (who are independent contractors) are bonded and have undergone basic background checks for citizenship and criminal history, according to the company. The service can also provide drivers who have security clearances from the federal government. The clearance process can include an investigation of a courier’s place of birth, financial status and residency history, and even interviews with neighbors. But providing this type of high-level security can add hundreds of dollars to the courier fee, according to the Custom Critical service department. An interstate trip can increase ground transportation costs by thousands of dollars. Transporting the same cooler-size container from New York to Dallas via the same courier would cost about $5,300 each way, more than twice the cost of two nonstop airfare tickets.

Bank of America used a third-party courier on a commercial airline to transport the backup tapes that were misplaced, according to Barbara Desoer, the bank’s head of technology and service, who testified at a Senate Banking Committee hearing in March.

That practice is dangerous, says Pupillo of the Secret Service. “I would not consider sending [tapes] like baggage,” he says. “Think about getting on an airplane and handing them your baggage. Then on the other end, even if it’s a direct flight, you get your suitcase off and it’s dented, scratched, or sometimes it’s not there.”

Desoer told the Senate hearing that Bank of America has stopped using airline couriers and is now sending tapes via ground transportation to a new (and unspecified) location.

UPS offers special handling for packages that customers identify as requiring a high level of security. For some companies, the very anonymity of a package is a type of security, says Black of UPS: “An item will be part of 14.1 million deliveries every day.”

Even when these precautions are taken, handing off valuable data to unauthenticated couriers remains a weak point in the security chain, says Carl Herberger, senior director of information security professional services at business continuity vendor SunGard. Couriers must show a driver’s license when dropping off or picking up tapes. “But then we can argue whether a driver’s license is a strong form of identification today,” given the explosion of fraudulent IDs, he adds.

Like FedEx, UPS performs basic background checks on its drivers to verify citizenship and the absence of a criminal record.

Strategy no. 2: Use a courier and encrypt backup data

In May, just days before Time Warner announced its security breach of lost tapes, Iron Mountain issued a press release advising companies to encrypt backup data before it gets into an outsider’s hands, such as itself. “Even Iron Mountain is not immune from human error,” Chairman and CEO Richard Reese said in the statement. (The company declined interview requests.)

Today, however, just 31 percent of CIOs, CSOs and information security directors say encrypting stored data is a priority, according to “The 2004 Global Information Security Survey” by CSO, CIO (a sister publication to CSO) and PricewaterhouseCoopers.

Encryption can be applied in a variety of ways. One solution is to encrypt sensitive data, such as Social Security numbers, automatically when they are entered into a field. “Most of the database systems out there come with built-in encryption schemes. It’s fairly simple to do,” says Eric Ouellet, vice president in security and privacy research at Gartner. “But if your database doesn’t support that, there are third-party toolkits that you can incorporate in your database. Then you can use secure modules to actually do the encryption.”

Ouellet, who has seen a tenfold increase in customer calls about encryption technology since January, also sees more companies starting to encrypt entire laptop hard drives or databases to keep information safe from laptop thieves or an inside job. This can free the end user from having to choose what to encrypt. Ouellet says laptop manufacturers such as IBM are beginning to put encryption capabilities right into their systems, and Microsoft is adding encryption to the Longhorn version of its Windows operating system (which is currently set for release by the end of 2006).

Some end user encryption options are now available, such as cryptographic software, appliances and accelerator cards from Decru, Kasten Chase, nCipher, NeoScale and others. What’s more, HIPAA and Sarbanes-Oxley rules give companies great latitude in deciding what security tools to deploy based on their own security audits. Hard-drive encryption software ranges in price from $50 for basic encryption to $100 if it supports devices such as USB drives and PDAs.

When it comes to encrypting massive amounts of data on the back end before it goes to backup tapes, there are no elegant or inexpensive solutions yet. Some vendors offer appliances that sit between servers and storage systems that encrypt data as it moves back and forth. These can cost from $150,000 to $500,000 for a large enterprise network.

Ouellet says CSOs should consider encrypting databases before encrypting backup tapes. “If your database is not encrypted, it doesn’t protect you in the long run,” he adds.

Strategy no. 3: Forget the courier and use a secure Internet link

Shortly after Citigroup’s backup tapes went missing, the financial services company announced it would encrypt financial data and transmit it to credit bureaus electronically--a practice that less than 10 percent of companies use today, but the numbers are growing, according to Bud Stoddard, president and CEO of data protection vendor AmeriVault in Waltham, Mass.

Data vault companies such as AmeriVault and EVault in Emeryville, Calif., can encrypt your data with, for example, triple-DES encryption technology, then transfer it via the Internet and store the information to disks. Proponents say electronic transfers speed backup and recovery time, ensure that data is saved, and are easily referenced.

But critics say that for most large companies, the amount of data being transmitted via tapes is too much for an Internet connection, and the cost of creating dedicated networks is still too high. Stoddard says limiting such transmissions to highly sensitive information could reduce costs, adding, “We’ve never had a data loss because somebody unencrypted the data.”

That’s not to say there aren’t risks involved. “Ironically, you removed the whole physical security problem” and replaced it with network security issues that require encryption and secure network connections, says SunGard’s Herberger. “Every solution has a downside,” he notes.

Strategy no. 4: Trust no one; establish “courtesy audits”

Companies also can’t rule out the possibility of an inside job at their own facilities, with a courier or at a third-party storage facility.

That means physical and IT security staff need to know who exactly is handling the sensitive data once it arrives at the storage facility. “The notion that [third-party] employees are above suspicion is kind of silly,” says Gary Swindon, chief information security officer at Orlando Regional Healthcare, which has 10,000-plus employees. Companies should perform due diligence on their storage facility to ensure it’s doing background checks on its own people, he says.

On the physical security side, companies should also require third-party storage providers to sign a business associate agreement to ensure that they maintain the same level of security over data as the customer, who, in this case, is the business hiring the company to store data. In certain cases, HIPAA regulations require this type of agreement between health-care institutions and third-party data handlers.

When it comes to internal departments, Swindon carries out what are called routine “courtesy audits,” a nice way of checking up on employees to make sure they are not violating security policies and know proper data-safety procedures. To cover those employees whose jobs require access to sensitive information, Swindon has deputized about 30 privacy and security liaisons at all levels of the company-- from unit nurses to food services employees-- who monitor how private information is handled on a daily basis. “We give them a checklist of 10 questions” to ask the employees, Swindon says. Do they know who the security officer is and how to reach him? Are PC passwords posted on sticky notes on workers’ monitors? Are papers with sensitive data in the trash? They shouldn’t be.

With these controls, Swindon doesn’t get overly concerned when he hears about high-profile breaches. “We’ve done some things to minimize the damage that something like that can cause.” ##

This article was published in CSO Magazine under the title “Precious Cargo”.