Creativity is required

By Guus Leeuw jr. - President & CEO, ITPassion Ltd

Any piece of electronic information needs to be stored somewhere and somehow. This should guarantee access to that piece of information over the years. You want that information backed up, in case a disaster strikes, so that you can restore and access it again. For some information, a need exists to keep it for a long period of time, 3 or 7 years.

Let’s focus on backup and restore for a moment. Often, a system or its data is backed up for disaster recovery purposes. Tapes are then eventually sent off-site for safe storage. Such tapes must be re-introduced to a restore environment. What happens with the tape while it is in secure storage is often unknown to the Enterprise.

A tape that is sent for off-site storage contains some form of catalogue to identify the tape and its contents. This catalogue, in extreme cases, must hold enough information to retrieve the stored data, even if one had to re-install a new backup environment due to disaster. Backup solutions conforming to the NDMP standard could utilise a prescribed recipe to store the data on the tape, in the form of well-quantified storage records. Anybody with a conforming reader application could then retrieve the data off the tape and try to inspect it.

An important security risk is the fraud that we hear about so often in the news lately: thrown-away computers that get shipped to some far-away location, where the hard disks are inspected for private data such as credit card and other “useful” information. It would be good if a PC had a little program that wipes all data securely off the disk before people turn it off one last time.

Every piece of data that doesn’t belong to an organization, like the address of a patient or a person’s credit card details, should be protected from inspection by third parties. This data is needed to do business, for sure, but the data does not belong to the organization. That is a very important, but often overlooked, difference.

For small-ish companies, like ITPassion Ltd, a number of things can be done to make sure this type of data is protected. For one, databases containing third-party information can easily be encrypted. This encryption must not be done within the database engine itself, but rather in or with the application that stores the data. This would guarantee that only the application and its users can decrypt the data, but not a database administrator who just logs in to the database management system and starts to inspect records: he should still see gibberish, rather than human-readable information.

Another thing that can easily be done, instead of using standard USB keys to transport data from one system to another system, is to use self-encrypting USB keys. These devices are normally password-protected, and should wipe the data if the password is mistyped three (or five) times in a row. This would considerably reduce the risk that losing a USB device normally carries, since not everybody, hopefully, knows the correct password.

For bigger organisations, it shouldn’t be too difficult to make sure that external data storage is secured. For one, and again, CDROMs should only contain encrypted or otherwise anonymous data. For another, in case of external tape storage, these tapes should be encrypted as well.

Most backup solutions provide options to utilise encryption. These options normally cause either everything to be encrypted or nothing. It would be better if you could tell your backup software that the tapes it is marking for export should be encrypted, but not the rest. This would make sure that only external tapes are encrypted, and thus take a little while longer to produce, but the normal in-house stored tapes are not encrypted, and thus do not have this penalty.

It would seem that IT organisations writing software or managing client infrastructure are not always bothered with the security of the data that the application manages, or that is stored on the provided infrastructure. However, more and more, this becomes the major topic for the next 5 to 10 years in terms of IT services. All organisations can make sure that external data is handled with care. It just requires a couple of rules that are strictly followed up. At ITPassion Ltd, we never handle data of our clients, and we provide ways in our software to securely export data for transport or external storage.

-----------------------------------------------------------------------

ITPassion Ltd is exhibiting at Storage Expo 2008, the UK’s definitive event for data storage, information and content management. Now in its 8th year, the show features a comprehensive FREE education programme and over 100 exhibitors at the National Hall, Olympia, London from 15 - 16 October 2008. www.storage-expo.com

About Author:
Guus Leeuw jr. studied Software Development at the Polytechnics Highschool of Information & Communication Technology in Enschede, Netherlands. Soon after gaining his degree he was hired by EMC Germany to aid internal software development. Guus subsequently travelled and worked across Europe before, in 2007, setting up his own Software and Storage company ITPassion.
