Stop Data Leakage Through E-vaulting

Enterprises today are constantly challenged with security and support issues arising from endpoint users and their carrier services. Data leakage caused by losing backup media or storage devices – and the resulting regulatory compliance issues – are enterprise  top enterprise IT security concerns. Recent large-scale security breaches have endangered corporations with the very real prospect of a single backup media inflicting major change – to the bottom line and an enterprise’s reputation. Federal and State government agencies jointly and independently issued guidelines establishing standards for safeguarding customer information, including Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA), and California SB 1386.

With or without a legal requirement, enterprises still should safeguard sensitive information in transit or in storage facility. Naturally, no single tool can ensure data security. A combination of multiple safeguards and well-designated policies and procedures is the most effective strategy for operating in today’s networked environment. An enterprise has many options for how to protect data including tape backups, data mirroring, data replication, and electronic vaulting (e-vaulting). This article will take a detailed look at e-vaulting option. This option is a powerful alternative to other techniques.  When properly installed and managed, e-vaulting does more than provide data protection; it enables data availability.

Data Safeguarding Solutions

As business become increasingly dependent upon rapid access to information and subsequent less tolerant of failure, an increased focus must be given to continuity of operations. In light of recent large-scale tape security breaches, a great emphasis has been given to e-vaulting services. We all agree that the traditional tape-based backups are time consuming, labor-intensive, and costly. The tape-based backup devices are prone to theft, often contain unencrypted data, and offer no password protection. You need policy-based control over backup media and devices—and e-vaulting can deliver it. E-vaulting removes the human factor errors and provides encryption, system availability, reliability, and security.

Technology industrial experts define e-vaulting as the ability to store and retrieve backups electronically, in a site remote from the primary computer center or operations. Technically, e-vaulting is a secure, online backup service that automates the process of backing up electronic data. E-vaulting can be located at a recovery site, at a reciprocal site, in a third-party location close to the recovery site, or at a commercial hot/cold site. E-vaulting safeguards are as varied as threats and vulnerabilities. Some of the most widely deployed are:

Channel extenders. This technique requires an image copy tape, or large /journal tape, to be transmitted to the vault location through the channel extender (communication network). This method is not desirable and some performance and availability implications need to be addressed.

Host-to-host batch transmission. With this alternative, high-speed file transfer can take place between two host computers, one at the recovery site and the other at the primary computer center. This method offers better data integrity than channel extenders.

Host-to-host real-time transmission. Unlike the channel or batch transmission approaches, the real-time approach makes it possible to recover a database closer to the time of the disaster; the amount of data lost is measured in seconds rather than minutes or hours. For this reason this approach is most reliable.

Finding the right combination of these safeguards is partly a function of business requirements and partly a function of each safeguard’s return on security investment (ROSI). Maintaining continuity of operation can be expensive in terms of time, personnel, raw materials and, above all, money. In order to accurately forecast requirements for e-vaulting safeguard and continuity of operations, a detailed analysis must be conducted in two major areas: threats to operations (threat analysis) and potential for impact (impact analysis).

E-vaulting Operations Requirements

After signing up for an e-vaulting online backup service, the user will download and install the software onto the company’s computer system or servers. Generally speaking, the e-vaulting vendor installs three software components on the client’s system that work seamlessly. They are:

Central Control software. The software is installed on the client’s workstation, and provides system administrators with complete control of backup and recovery process.

Agent software. This software will be installed on each server to be protected to track changes on each protected server and send change files to the e-vaulting vendor.

Director software. This software will be installed on e-vaulting vendor’s server to catalog and archive change files, monitor backups, and rebuild data images to be restored.

Once the user is installed, the user will be prompted to choose a unique 32 string of characters (the encryption key) that will be used to encrypt all of the user’s files. Basically, the encryption key is stored on only on the user’s system and is neither transmitted over the Internet nor stored with the service provider. Thus, only the user has access to the files.

Next, the administrator or client user will set up a backup set. The backup set is the list of files to be backed up and the days and times that backups will run. When a backup starts, the system’s hard drive is first scanned for any files listed in the backup set that are new or have changed since the last backup. Once the e-vaulting vendor identifies a file that need to be backed up, it compresses the file. Compression ensures that not only do backups take a shorter period of time but that the amount of storage space used is minimized. After compression, each file is individually encrypted using the unique 256-bit encryption key.  For added security, each encrypted file is then sent over the Internet via a secure channel using Secure Socket Layer (SSL) technology.  This is the same Internet transmission technology that is used for online banking and online credit card application.  As a result, data is encrypted twice. It is encrypted at all times using the 256-bit encryption, and it is encrypted again while it is being sent over the Internet, to and from the e-vaulting vendor servers.   

All user data is sent to and stored in redundant secure data centers, located hundreds of mile apart from each other. Each data center has 24/7 onsite monitoring, advanced security technology such as biometrics access controls, backup generators and redundant connections to the Internet. In using the e-vaulting vendor’s software, the user simply clicks on the individual files or folders or revisions that he or she wants to retrieve. The file or files will then be downloaded to the user’s computer, decrypted, uncompressed and then restored to their locations or another specified location on the user’s system. A password is required to restore any files, preventing unauthorized restores.

In the event of a complete system failure, a full recovery of the user’s backup data can be initiated in minutes. This recovery can be done on any Windows based computer, and not just the computer from which the files were originally backed up.

Managing E-vaulting Outsourcing Risk

As enterprises outsource more of their mission critical applications, business, and transaction processes, properly management of relationships between corporations and Technology Service Providers (TSP) becomes increasingly important. When outsourcing data backup, a company can place its digital assets (customer and corporate data) into the hand of TSP. One concern is that there are risks associated with information security and privacy. For example, a company might have to provide access to sensitive customer data to an outside firm. Under these arrangements, the TSP assumes the responsibility for building secure environment and managing data motion for the client.

To address some of the security concerns, organizations should require outsourcing firms to sign nondisclosure and confidentiality agreements where appropriate. Furthermore, the outsourcing relationships need to be closely monitored like any other outsourcing arrangements.

Before signing an outsourcing contract, an enterprise may find it beneficial to verify that important performance requirements have been addressed, risks identified, and service level agreement (SLA) requirements defined. SLAs are tools to measure, monitor, and control the operational and financial risks associated with outsourcing technology services. The following four-phase methodology is based on observed industry practices for managing SLAs effectively:

Measure service activity results against defined service levels;

Examine measured results to identify problems and determine causes;

Take appropriate action to correct failed activities, functions, and/or processes; and

Continuously guide service providers through feedback sessions based on objectively measured performance metrics.

A suggested practice is to include periodic review and change provisions in the SLA to ensure that the service level goals and performance measurement can meet the changing business and technology needs of the institution.

E-vaulting Shortcomings and Benefits

Unfortunately, security breaches and incidents keep making headlines. Data backups are a cornerstone of a strong IT program. After all is said and done, data backups still allow a company to recover its business either fully or from established baseline. Most companies have already experienced problems when attempting to restore a backed-up application and finding out that the tape was stolen, corrupted, contained no data, only contained a partial back-up or was infected with malicious software. E-vaulting solutions represent a powerful way to protect a company’s most important data and applications. E-vaulting benefits are numerous and include reduce administrative and infrastructure costs, end-to-end protection of mission critical data, no hardware or media obsolescence, data availability, and meet regulatory or statutory requirements. However, electronic vaulting solutions that do not have a robust security infrastructure are fraught with risks, often resulting in a costly project and low success rate for companies attempting to implement these solutions. The key to successfully implementing an e-vaulting solution is to understand all the risks and eliminate as many as possible. Business continuity and disaster recovery planners should start with identifying risks and defining SLA requirements addressed in this article. Through careful evaluation of approaches, and vendor due diligence processes, organizations can select a solution that matches the best approach for the enterprise.          

Omar Sharkasi, CRP, CFE, CBCP, is a bank examiner with a state regulatory agency. He has 14 years of experience dealing with IT security and business continuity planning issues. Contact him at osharkasi@earthlink.net.