About Us

Iron Mountain News

Press Releases

A best practice approach for secure data backup
~ Tony Byers, UK Sales Director at Iron Mountain Europe reports ~

In many environments, storage has operated outside of the realm of security officers for some time, as their main focus has been primarily on areas such as perimeter security, intrusion detection/prevention and protection of host systems. As a result, the storage infrastructure - both primary storage and especially copies of primary storage - is likely to be an Achilles' heel when it comes to security.

Policies for data security are a corporate concern and should be a fundamental element of an enterprise security strategy. Strategic security policies can then spawn tactical and operational policies through the joint efforts of the security and storage organisations. To that end, storage must become an integral part of the corporate security strategy.

To achieve these goals, a corporation should build a practice around five fundamental areas:

  • Assign accountability, responsibility and authority
  • Assess risk
  • Develop a data protection process
  • Communicate the process
  • Execute and test the process
  1. Assign accountability, responsibility and authority.

    Make storage security a function of overall information security policies and architecture. Even if companies decide that backup or storage security responsibilities should reside within the storage team, they still must integrate any storage and backup security measures with those that secure the rest of the infrastructure. Integrating storage and backup security measures will help build defense-in-depth protection.

    It is also recommended to divide duties where data is highly sensitive. It is prudent to ensure that the person authorizing access is not the person charged with responsibility for execution.

  2. Assess storage risk as it pertains to information security.

    Managers must examine each step of their backup methodology looking for security vulnerabilities. Could a tape administrator secretly create copies of backup tapes? Are boxes of tapes left out in the open? Is there a tight, end-to-end chain of custody for your backup tapes? If data is backed up and transported in clear text, vulnerabilities like these could make mission-critical data easy prey. If a risk analysis exposes numerous vulnerabilities, organizations should seriously consider whether data encryption is warranted. IRON MOUNTAIN WHITE PAPER

  3. Develop an information protection program that ensures the security of a corporation's information, regardless of where it is at any point in time.

    Adopt a multi-layered approach to data protection by taking best practices that may already exist for the data network and applying them to the storage network, while adding layers unique to the characteristics of data at rest. These include the areas of:

    • Authentication: Apply multi-level authentication and anti-spoofing techniques.
    • Authorisation: Enforce privileges based on roles and responsibilities versus full administrative access.

    Copy your backup tapes. Depending on a single copy of data is never a good idea. While tape media can have a long life, it is susceptible to environmental and physical damage. A common practice is to perform nightly backups, then ship those tapes off-site - with no verification process. The recommended best practice is to copy backup tapes and then send the copy off-site.

    Tape remains the preferred storage method for backup as it is cost-effective and has the capacity to back up a single operating system on one tape. Stored correctly, tapes can have an archival life of over 30 years making it an incredibly reliable storage medium. A 'Low-tech Guide to High-tech Media' is available from Iron Mountain. It includes the types of media best suited to backup requirements, advice and best practice tips on how to handle media tapes post backup, and how to ensure data continuity and compliance for an organisation.

    To obtain a copy of the guide, please visit: www.ironmountain.co.uk/forms/OSDP

  4. Communicate the processes that are to be taken around information protection and security.

    Now that the process has been defined for ensuring that the sensitive data is properly protected and handled, it is important to ensure that the people who are responsible for carrying out its security are informed and trained. Security policies are the most important aspect of assigning accountability, responsibility, and authority. Inform business managers of risks, countermeasures, and costs.

    Data loss and intellectual property theft are a business issue, not an IT issue. As such, the Chief Information Security Officer (CISO) should begin a data security effort by educating business executives on risks, threats, and potential losses from security breaches, plus the cost of various security countermeasure options. In this way, corporate officers can make informed decisions on the cost/benefit profile of data security investments.

  5. Execute and test the information protection security plan. Secure data protection is not about technology; it is about process. That is why it is important to test the process. Additionally, as a company grows, information and data protection needs change, so the information security practices must change as well.

    Once the end-to-end plan has been developed, defined, and communicated to the appropriate people, it is time to begin execution. Ensure that the tools, technologies and methodologies that need to be deployed for information classification are in place. You may need to deploy new technologies that allow information to be classified or tagged with metadata such that, upon backup, the information is backed up using the right rules and processes.

    Test the process once it is in place. Remember, the process to be tested needs to include both backup and recovery. Attempt to inject any conceivable threat into the process including server and tape loss, network issues, device issues, data classification issues and any other scenario that might affect the business. Test with staff who may be less familiar with the process. This testing can help ensure that the process is easy to follow and can be executed if the usual person is unavailable due to illness, vacation, or termination.

    Iron Mountain is exhibiting at Infosecurity Europe 2007, Europe's number one dedicated Information security event. Held on the 24th - 26th April 2007 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security. www.infosec.co.uk

 

What We Do | Solutions | Knowledge Centre | About Us | Supplies
Site Map | Website Terms | Privacy | Site Feedback | Contact Us | Support | Global Sites

follow us twitter linked in facebook youtube

© Iron Mountain Incorporated. All rights reserved.
Call Us - 08445 60 70 80