This document discusses data security risks related to tape backups and archives. It provides examples of data breaches and losses involving tapes from various companies between 2005-2013. These losses involved sensitive personal information and cost the companies millions of dollars. The document also discusses regulations requiring companies to report data losses and the costs of non-compliance. It proposes encryption as a solution to prevent losses of readable data from stolen or lost tapes and outlines options for implementing encryption in tape backups.
2. Information Security in respect
to Backups and Archive
Paul Howard
Managing Director
DISUK Limited
3. Information Security
• Firewalls
• Intrusion Prevention/Detection
• Content Monitoring/Filtering
• VOIP Security
• Wireless/Mobile Security
• Anti Virus
• Biometric access
• Smartcards
• Physical Security
4. Tape!
• Lowest cost for long term data storage.
• A “Green” product.
• LTO6 that is shipping today has 2.6 TBytes uncompressed capacity
• The reports of my death are greatly exaggerated!
6. Risk Assessment
What is at risk
Customers information
Business information
Intellectual Property
Share Price
Reputation
Profit
TRUST
7. • Investigate vulnerabilities
• Balance regulatory risk with Business Risk
• Review possible consequential losses
• Real versus perceived risk!
• Who is responsible for Security?
Risk Assessment
11. Source www.privacyrights.org & www.datalossdb.org
Date Companies Involved Reason Records
Jan 6, 2011 Heraeus Incorporated, NewYork Stolen Tapes 10,000
Jan 19, 2011 Abbott Medical Optics, Inc. Stolen Tapes 514
Jan 24, 2011 Grays Harbor Pediatrics, Aberdeen, Washington Stolen Tapes 12,000
Jan 29, 2011 Texas Health Harris Methodist Hospital - Azle Lost Tape 9,922
Feb 12, 2011
Jacobi Medical Center, North Central Bronx Hospital, Tremont Health
Center
Stolen Tapes 1,700,000
Mar 1, 2011 Cord Blood Registry, San Francisco, CA Stolen Tapes 300,000
April 4 ,2012 Phoenix Ireland, Scottish Provident Ireland Lost Tape 62,000
July 29,2011 Belmont Savings Bank Lost Tape 13,000
Oct 7, 2011 Nemours Childrens Clinic, Nemours Foundation Lost Tapes 1,600,000
Sep 28, 2011
Science Applications International Corp (SAIC), Tricare Management
Activity
Stolen Tapes 5,117,799
Oct 28, 2011 ValueOptions, Inc., National Elevator Industry, United Parcel Service Lost Tape 10,600
Nov 25, 2011 Good News Garage – LSS Inc Stolen Tapes Unknown
Dec 14,2011 Welcome Financial Services , Cattles Group, Shopacheck Lost Tapes 1,400,000
Total for 2011 10,235,835
It really is a problem and costs companies millions
Losses on tape in 2011
12. Source www.privacyrights.org & www.datalossdb.org
Date Companies Involved Reason Records
March 1, 2012 TD Bank, N.A. Lost Tapes 267,000
March 29, 2012 IBM, California Department of Child Support Services, FedEx Lost Tapes 800,000
August 13, 2012 Kindred Healthcare Inc. Stolen Tape 1,504
October 24, 2012 Vermont State Employee's Credit Union Lost Tapes 85,000
November 5, 2012 Women & Infants Hospital, Rhode Island Lost Tape 14,004
December 5, 2012 IBM, O2 Lost Tape Unknown
December 7,2012 United States Secret Service Lost Tape Unknown
2012 losses to date 1,167,508
It really is a problem and costs companies millions
Losses on tape in 2012
13. Washington (CNN) -- It might remind you of the new smash-hit James Bond movie "Skyfall", in
which the villains steal a device with top secret information on the identities of British agents.
But in this case, sensitive data was left on a subway train.
Law enforcement and congressional sources tell CNN a contractor working for the U.S. Secret
Service accidentally left a pouch containing two computer backup tapes on a train in
Washington's Metrorail subway system.
The tapes contained very sensitive Secret Service personnel and investigative information, and if
accessed could be highly damaging, according to sources.
The contractor was transporting the pouch from Secret Service headquarters in Washington to a
now-closed data facility in Maryland. The sources say the contractor got off a Metro train, and
later realized the pouch had been left behind. The Secret Service and the Metro police were
contacted, and an aggressive search took place.
According to one source, the tapes have not been recovered.
The incident occurred nearly five years ago, in February 2008. It is now the subject of an
investigation by the Department of Homeland Security's Office of Inspector General, according to
a congressional source.
Eric O'Neill, a former FBI counterespionage agent, said, "Some of the information could cause
lives to be at risk, if someone wanted to get at the families of a high-level government worker or
someone they perceived as being someone who could work against, say, a terrorist cell."
Secret Service tapes lost on train under investigation
By Brian Todd, John King and Joe Johns, CNN
December 8, 2012 -- Updated 0107 GMT (0907 HKT)
14. Source www.privacyrights.org & www.datalossdb.org
Date Companies Involved Reason Records
1
st
February 2013 First National Bank of Southern California Stolen Tape Unknown
4
th
March 2013 Kindred Healthcare Inc. (Kindred Transitional Care and Rehabilitation Stolen Tape 716
2013 losses to date 716
It really is a problem and costs companies millions
Losses on tape in 2013
15. Date Companies Involved Reason Records
March 2007 Independent Living Fund Stolen Tape 30,000
June 2007 Bank of Scotland Lost media 62,000
July 2007 First Response Finance Ltd Stolen Media Not given
November 2007 HMRC Lost Media 25,000,000
December 2007 HMRC Lost Tapes 6,500
April 2008 HSBC Lost Media 370,000
June 2008 Medisure (Insurance Co.) Stolen Tapes Not given
September 2008 St Paul's surgery in Winchester Stolen Tapes 15,000
August 2009 Zurich Financial Services Lost Tapes 641,000
January 2010 Northern Ireland Electricity Lost Tape 12,799
April 2011 Phoenix Ireland Lost Tape 62,000
January 2012 Cattles Limited Lost Tapes 1,400,000
December 5, 2012 IBM, O2 Lost Tape Unknown
UK Reported Removable Media data losses
Source www.privacyrights.org & www.datalossdb.org
It really is a problem and costs companies millions
16. 0
50
100
150
200
250
2005 2006 2007 2008 2009 2010 2011
$214
$138
$182
$197 $204$202
$194
US figures for average cost per record lost
Figures from the Ponemon Institute LLC
18. • These figures show the number of records lost or compromised but we need to
convert these into financial impact figures to look at the actual costs of a loss.
– According to a study conducted by the Ponemon Institute, an independent information
practices research group, data breaches cost businesses an average of $214 per
customer record in 2010, up from $204 in 2009.
– This equates to the costs of the Bank of New York Mellon loss costing them almost one
billion US Dollars
Is it really a problem we should worry about?
19. How are they getting lost?
All of these couriers have been involved in the loss of data on tape
20. 24 August 2010
Zurich Insurance fined £2.3m over customers' data loss
Zurich Insurance says its loss of customer information was "unacceptable" The
UK operation of Zurich Insurance has been fined £2.27m by the Financial
Services Authority (FSA) for losing personal details of 46,000 customers.
It is the highest fine levied on a single firm for data security failings.
Margaret Cole, the FSA's director of enforcement and financial crime, said: "Zurich UK let
its customers down badly.“ Stephen Lewis, chief executive of Zurich UK, said: "This
incident was unacceptable."
The data on policyholders, including in some cases bank account and credit card
information, went missing in August 2008. However, Zurich did not become aware of the
loss until a year later, when it then began notifying customers. The information went
missing during a routine transfer to a data storage centre in South Africa.
NEWS Business
21. 30th March 2012
California says IBM, Iron Mountain lost State
Agency data.
International Business Machines Corp. and Iron Mountain Inc. lost track of storage
devices with data from the California Department of Child Support Services involving
more than 800,000 people, the state said.
The information included names, addresses, Social Security numbers, drivers’ license
numbers, heath-insurance providers and other data, California said today in a statement. The
state said it learned of the missing storage devices on March 12.
The loss or theft of computers and storage devices is a common way data breaches happen. Since
2005, there have been 837 breaches affecting almost 169 million records involving lost, discarded
or stolen laptops, smartphones and various portable data-storage devices, according to a
database of publicly disclosed breaches maintained by Privacy Rights Clearinghouse.
22.
23. Cattles apologises for customer data loss 6 January 2012
Cattles has expressed “deep regret” at losing personal data on 1.4 million customers and its own
former staff.
Two IT back-up storage tapes were discovered missing from Cattles’ Kingston House building in Birstall, West
Yorkshire, at the end of November 2011.
The tapes contain personal data relating to 1.4 million customers, limited to names and addresses for 800,000
but also including date of birth and payment history for 600,000.
The tapes also include HR data relating to staff in employment with the Cattles Group up to October 2010.
Cattles has issued a statement which said a process was underway to inform affected customers and former
employees.
The Information Commissioners Office has also confirmed it is investigating the loss, and it has been reported
that the data concerns Welcome Financial Services and Shopacheck, both subsidiaries of Cattles.
Cattles’ statement said: “There is no evidence that the information has fallen into the wrong hands or been
used maliciously.” However, Cattles takes its obligations to protect personal data of its customers and staff
extremely seriously and we deeply regret what has happened.
“We have employed a specialist data security firm with extensive experience in financial services, to review
data security across the group and advise on any necessary improvements.”
24. Cattles apologises for customer data loss 6 January 2012
Cattles has expressed “deep regret” at losing personal data on 1.4 million customers and its own
former staff.
Two IT back-up storage tapes were discovered missing from Cattles’ Kingston House building in Birstall, West
Yorkshire, at the end of November 2011.
The tapes contain personal data relating to 1.4 million customers, limited to names and addresses for 800,000
but also including date of birth and payment history for 600,000.
The tapes also include HR data relating to staff in employment with the Cattles Group up to October 2010.
Cattles has issued a statement which said a process was underway to inform affected customers and former
employees.
The Information Commissioners Office has also confirmed it is investigating the loss, and it has been reported
that the data concerns Welcome Financial Services and Shopacheck, both subsidiaries of Cattles.
Cattles’ statement said: “There is no evidence that the information has fallen into the wrong hands or been
used maliciously.” However, Cattles takes its obligations to protect personal data of its customers and staff
extremely seriously and we deeply regret what has happened.
“We have employed a specialist data security firm with extensive experience in financial services, to review
data security across the group and advise on any necessary improvements.”
An ICO spokesperson added: “We have recently been informed of a possible data breach
which may involve Welcome Financial Services Limited including its business Shopacheck.
We will be making enquiries into the circumstances of the alleged breach of the Data
Protection Act before deciding what action, if any, needs to be taken.”
25. Regulations.
• Sarbanes-Oxley (SoX ) - standards for all U.S. public company
boards, management, and public accounting firms.
• Gramm-Leach-Bliley Act – for financial institutions
• Health Insurance Portability and Accountability Act (HIPAA) – The
healthcare Industry
• Payment Card Industry Data Security Standard (PCI DSS) – Anyone who is
processing, storing, or transmitting payment card data
• Control Objectives for Information and related Technology (COBIT)
• State Security Breach Notification Laws
What forces companies to admit they have lost data and
costs so much money?
26. Regulations.
• Data Protection Act.
• Computer Misuse Act
• Payment Card Industry Data Security Standard (PCI DSS) – Anyone who is
processing, storing, or transmitting payment card data
• Privacy and Electronic Communications Regulations
• Regulation of Investigatory Powers Act 2000
• EU Data Protection Directive
• Financial Services Authority - Data Security in Financial Services
What forces companies to admit they have lost data and
costs so much money?
32. Get a press release written and signed off by the incident response team, the board or
senior management giving detailed thought as to the impact and what action you will
take.
Avoid the normal pitfalls,
“industrial strength tape technology would be needed to read the tapes”,
“we are secured by obscurity”,
“thieves would require specialist systems knowledge to understand our data”,
“we have no reason to believe the data has been misused”.
“we believed it was an acceptable risk!”
“We didn’t lose the tapes, it was the courier”.
“We didn’t consider the data was sensitive”.
Avoid turning a breach into a disaster!
33. • We need to ensure that only authorised people can read or restore the
data from tape!
– Internally this is quite straightforward as we control the system and can give
access only to those who need it when they need it.
– Externally these rules have no control at all! A different approach is required
to protect information on tapes removed from site for any reason.
What can we do?
34. • The only acceptable solution is to encrypt
data being written to tape so that it is only
recoverable with the keys it was written with.
• Tapes that contain only encrypted data are
not deemed to be lost as there is no readable
information contained on them.
• Disclosure is not therefore usually required.
What can we do?
36. Available from V6R1 onwards
• Encryption for Any Tape Device, Tape Library or Virtual Tape
– AES Encryption
– Data Encrypted – Not Tape Labels
– Capability to Encrypt Each File Via Different Key
• Requires i5/OS option 44 (Encrypted Backup Enablement)
– Requires Tape Management Application to Enable
Encryption
– Recommend BRMS
• BRMS Advanced Feature Required
– Not Compatible with Hardware Encrypting Tape Devices
Software Encryption Considerations
37. Software Encryption Considerations
• Capacity
– Loss of Compaction May Result in More Tape Cartridges
• CANNOT Encrypt
– Operating system (*SAVSYS, *SAVSYSINF, *SAVSECDTA, *SAVCFG)
– QBRM, QUSRBRM, QSYS2, QGPL and QUSRSYS
– BRMS Will Not Encrypt “Q” Libraries
• Standard Labelled Tapes Only
• Cannot Use with Tape Write Error Recovery Enabled
• If Key Store File Lost – Data is Unrecoverable
• Can be used with existing tape drives and media
38. • V6R1 BRMS offers a software-based encryption function.
• To use this function, customers need the BRMS Advanced Feature (5761-BR1 option 2) and i5/OS
Encrypted Backup Enablement (5761-SS1 option 44 ).
• The encryption offered is software-based and can write saves to any tape drive, not just the encryption-
capable tape drives. If the customer has an encryption-capable tape drive, its encryption features are not
used for the BRMS-based software encryption. Customers should leave the tape drive with encryption
turned-off, otherwise they will double-encrypt their tapes
• BRMS-based software encryption will likely require more tapes (possibly 3 times as much media), since
encrypted data does not compact very well.
• The following objects cannot be encrypted: *SAVSYS, *SAVSECDTA, *SAVCFG, *IBM, and any libraries
starting with a Q
• IBM does not support encryption on optical or virtual optical devices
• Encryption is specified in the media policy, and can be turned on/off by backup item in the control group
• The customer is responsible for managing the keys via the encryption functions in the operating system.
The keystore is placed in the QUSRBRM library so BRMS can back it up for you. The BRMS screens and
recovery reports will indicate the keystore file and key record label used for each save
• This function is targeted at customers with a small amount of data to encrypt, or customers with a large
backup window, since there is a performance impact. Customers who need encryption but require the
fastest backup speeds should plan to use the encryption-capable tape hardware such as TS1120 and LTO4
instead since it has very minimal performance impact.
Software Encryption Considerations
39. BRMS-based encryption
(Compared with regular tape saves)
Performance
Performance CPU Utilization
Source file saves Minimal impact approximately double
Usermix Saves approximately 30% degradation approximately double
Largefile Saves approximately 50% degradation Approximately 3-5* increase
Source file restores minimal impact Approximately 40% increase
Usermix restores approximately 25% degradation Approximately 40% increase
Largefile restores approximately 4% degradation Approximately 3-5* increase
Performance tests were run on an i570 and an i570 MMA 4-way system with EXP24 disk and
LTO3 tape
Performance details are available in the V6R1 Performance Capabilities Reference, pg 239-240
(PDF, 1.19MB)
40. – Hardware - in the drive
• Allows for high speed operation
• Limited to certain drive types
• Disruptive installation
• Only works on certain media types
• Requires special software to control and manage keys - EKM
• Cannot encrypt all data on the system as a host with an O/S, backup software
and key management must be available to enable encrypted restores
• Restrictive in a shared DR environment
How can we do it?
41.
42. Encryption Key Manager Setup Tasks
• This topic provides the setup tasks required for the Encryption Key Manager.
• Before you can encrypt tapes, the Encryption Key Manager must first be configured and running so that it
can communicate with the encrypting tape drives. The Encryption Key Manager need not be running while
tape drives are being installed, but it must be running in order to perform encryption.
• These are the tasks you must perform before using the Encryption Key Manager. See IBM® Encryption Key
Manager component for the Java™ platform Installation, Planning, and User's Guide for details.
• Decide what system platforms to use as Encryption Key Manager servers.
• Upgrade the server operating system if necessary.
• Upgrade the Java Virtual Machine if necessary.
• Install Java Unrestricted Policy Files.
• Upgrade the Encryption Key Manager JAR. This can be found at the IBM website
http://www.ibm.com/support/docview.wss?&uid=ssg1S4000504 (or visit
http://www.ibm.com/servers/storage/support/tape/ts1120/downloading.html and click downloads and
look for IBM Encryption Key Manager for the Java platform).
• Decide on keystore type.
• Create keys, certificates, and key groups.
• If necessary, import keys and certificates (See previous step).
• Define the configuration properties file.
• Define tape drives to the Encryption Key Manager or set drive.acceptUnknownDrives configuration
property value on.
• Start the Encryption Key Manager server.
• Start the command line interface client.
43. EKM is only to be utilized for older tape generation products.
The IBM Encryption Key Manager for Java platform (EKM) is responsible for assisting in
securing vital data. The EKM works with IBM encryption-enabled tape drives in
generating, protecting, storing and maintaining encryption keys that are used to
encrypt information being written to and decrypt information being read from tape
media. EKM is a part of the IBM Java run time environment and uses IBM Java security
components for the cryptographic capabilities.
Tivoli Key Lifecycle Manager (TKLM) is IBM’s strategic new platform for
storage and delivery of encryption keys to encrypting storage end-point
devices.
44. IBM Tivoli Key Lifecycle Manager V2.0 supports the following:
AIX V5.3, 64-bit, Technology Level 9, Service Pack 2 and AIX 6.1 (A 64 bit AIX
kernel is required for both versions.)
Red Hat Enterprise Linux AS V4.0 on x86, 32-bit
SUSE Linux Enterprise Server V9 on x86, 32-bit, V10, Service Pack 2 on
x86, 32-bit, 64 bit (in 32-bit mode application), and V11 (32-bit and 64-bit in
32 bit mode)
Sun Server Solaris 9 and 10 (SPARC 64-bit) Note: Tivoli Key Lifecycle Manager
runs in a 32-bit JVM.
Microsoft Windows Server 2003 R2, (32-bit Intel and AMD processors)
Microsoft Windows Server 2008 R2 (64 bit for all Intel and AMD processors)
45. – Hardware Appliance – between the server & drive
• Available for all drive types
• Available on all system types
• Non-disruptive installation
• Works with existing media.
• No changes, special software or drivers required
• Keys held securely in appliance
How can we do it?
51. Keys
• Why so much fuss about keys?
• EKM
• TLKM
• KMIP
• Goodbye, proprietary complexity. Given KMIP-compatible
tools, organizations will be able to manage their many encryption keys
from a single point of control—improving security, simplifying complexity
and achieving regulation compliance more quickly and easily. That's a
huge improvement over the current approach of using many different
encryption key management tools for many different business purposes
and IT assets.
52. • Only a few small libraries or small database and plenty of time available for
backup AND restore – Software
• Medium size system with less than 8 tape drives – Appliance
• Large corporate datacentre with large number of modern drives and own
disaster recovery site – Drive encryption with EKM and BRMS
• Multiple sites with just a few drives on each but need to secure all data –
Appliance
• Multiple sites with medium number of drives on each site and good WAN
connections between sites and DR site - Drive encryption with EKM and
BRMS
• Older legacy systems running older technology drives or older OS versions -
Appliance
How can we do it?
53. UK BUSINESS LEADERS’
VERDICT ON IT SECURITY
• 85% state that information security is not
fulfilling business needs
• 88% report an increase in external threats
• 57% report an increase in internal threats
• 61% cite a lack of budget as main hurdle
• 57% of businesses view information security
resources as lacking necessary skills
• 62% do not align information security to
enterprise architecture or business process
• 38% do not align to organisational risk appetite
Source: Ernst & Young
This slide runs on a timer!These are all things that tend to spring to mind when we start to discuss security in the IT world.Many of these are also being used by individuals at home to protect themselves from attack.
When discussing Information Security tape is often overlooked.LTO6 is quoted at 6.25 TBytes but that is based on 2.5:1 compressionTape is fast up to 400 Mbytes/sec on LTO6 – OK you are not likely to be able to feed it that fast!Point is tape is going to stay around in many businesses for many years.Mark Twain quotation after hearing that his obituary had been published in the New York Journal.
There are a number of companies working on next generation products including the LTO.
Most companies hold sensitive information on their customers; it may be personal information if you are dealing with the public or trading information if the case of business to business. Whatever it is then if you lose it you customer will not be please. (next)Much of the information held on your own business will be things you would not want either the public or your competitors to know. (next)You may hold data on intellectual property, design of software used for the business, algorithms used for share dealing etc. (next)Loss of sensitive information will normally have substantial negative impact on the share price of the business and this can have further impact to you. (next)Depending in the business sector you operate in your reputation as a business will be affect to a greater or lesser amount. (next)Putting things right will impact the bottom line. (next)The big loss if the loss of trust in the business, we all naturally trust people and organisations and once lost trust is hard to get back. Hard to put a financial figure on the impact loss of trust causes but it will be substantial. (New Slide)
Different business will have different types and levels of vulnerability and I’m sure you all have people in the company whose job it is to assess these risks. You have a duty of care (next)Sometimes it is easy simply to look at what the regulators suggest are the risks and cover only those risks, you also need to look at the other impacts of any risk, will it damage the business in any way? (next)Once you have looked at the losses possible you can then look at the value or ROI on investments to mitigate those losses. (next)An interesting point that came up on a number of occasions at this years RSA security conference in the US was that amount of time, money and effort that is being put into “risks” that are believed to exist but if fact the chances of the risk are low and the impact is marginal. The view was “don’t spend all the effort securing access through the windows when the front door is being left open!”Up until recently most security thinking tended to be network biased or Laptop security but BYOD has brought attention into the risks associated with removable media in all its forms.Threat LandscapeLooking at threat possible damage against likelihood of the threat occurring.Don’t try to protect against threats that are unlikely and in any case would do little damage.
Risk assessment is an on-going process.
Consider for a minute what information is contained on the tapes used by your business.A backup tape by its very nature will contain things like the Corporate Database – it is easy to understand that needs to be protected.But what about HR records – pay, discipline cases, disputes, staff personal bank account details.Research – designs, future plans etc.
Total of all incidents involving tape is only 2%.The number of records known to have been compromised through tapes being lost or stolen is over 90 million.Many of the lost tapes were reported as the numbers being ‘unknown’.In 2007 26 tapes were reported as lost by the US Internal Revenue Service in Kansas and although recorded as an unknown number it has been suggested to have compromised 26.6 million records.
Records of losses have. been kept since 2005 but even as recently as 2011 we were seeing large numbers of reported breaches involving tape.
2012 looks better but interesting who are the last two reported for the year! And they don’t even know how many records were on the lost tapes!
There is no legislation to force UK companies to disclose losses so these are just those in the public domain.HMRC said it was on two CD’s at 25 million records that is only 85 bytes per record if we take a CD as being 900 Mb. Maybe it was tape then!Boots was one of the affected companies in the Medisure theft from a security van.The Zurich loss was in South Africa but we have added it as it affected 41,000 UK residents and impacted the group as a whole. Outsourcing is a considerable worry, just think how many of you have details held in India!Banks, Utility companies, insurance companies and phone companies are all using call centres based outside the EU and some consider this excuses them from meeting the requirements of the regulators.
Figures from the US showing the average cost of the losses based on a per record cost show a slight decrease in 2011 after a continued growth since the records were kept in 2005. Although the a based on losses in the US you can expect the trends to be similar in Indonesia. One reason the US has these figures is the legal requirement to disclose breaches but as these regulations are brought into law in other countries we see similar trends appearing.
UK Figures for losses. Based on these figures Cattles Loss or 1.4 million records in Jan 2012 would have cost them £110.6M.
Numbers still make headlines but it is the impact on a companies bottom line that really is a direct hit. Loss of consumer confidence is harder to quantify accurately but still has a huge impact on some companies after a reported breach.Fines and legal actions can take these costs much higher though.One presumes there are savings made because of the scale of the breach but whatever the real figures they are very damaging to the bottom line.The Bank of New York Mellon admitted losing 4.5M customer records on unencrypted tapes in April 2007 – this is estimated to have cost them in excess of $100M in legal and other associated costs. Indeed the results for the second quarter of 2008 included a pre-tax charge of $22 million for credit monitoring related to lost tapes. The Ponemon institute estimated the average cost of a record being compromised in 2007 was $197 so from this we get a cost of US$886 million.
So as not to appear biased thought we should point out that all the major carriers have been involved in these data losses.
This is an example where a loss in one country had a major impact on the business in another one.The actual loss was a tape in transit by Zurich South Africa with over 5 million records. £2.3M is around 38,400 Million Rupiah.
This loss in the US affected 800,000 people.They point out that storage device theft is a common way data breaches happen. Why do we know about it, regulations insist that any breaches are notified “in a timely manner” but you will note most of the reported breaches involve a third party. People who think they are the only ones to know about a breach are reluctant to tell anyone about it. Would you want to make it public that you had lost data?IBM have even lost their own staff records when a tape was lost – Notice that everyone involved gets named!
Although they only lost the records of 267,000 customersthey have over 7.4 million customers across the US so you can imagine what loss of business they are exposed to. (next)Any loss can get you name exposed across the world, the old adage that any publicity is good publicity may be disproved by this!Each newspaper made it clear of the impact of the loss to local people.
SoXNamed after its sponsors; Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH),Gramm-Leach-Bliley Act - requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ non-public personal information. PCI very powerful. Section3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN) Truncation (hashing cannot be used to replace the truncated segment of PAN) Index tokens and pads (pads must be securely stored) Strong cryptography with associated key-management processes and procedures COBIT is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992.
DPA states - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
I’m sure all of you working in companies covered by the FSA regulations will be fully aware of the details of this publication - All 104 pages of it!From the tape side look at section 3.4.6 Data back-up
You may however not be to sure you understand the meaning of it all.
Actually they are not that bad, this is a page from the FSA document.Interesting statement that “If backup data is not transferred or stored securely, all other controls to ensure data security at a firm are undermined”.
OK so what if you haven't got the right security in place and an have a breach – what could you have done ahead of time?Your incident response team will be working on the premise that there will be a breach at some point and will be planning for it so these are some ideas.I consider gliding very safe and was happy to let my daughter start flying solo at the age of 16.
But SH*T happens.When things go wrong we have the press instantly trying to get information and they will print or report anything they get their hands on, mostly totally incorrect and often total rubbish,As a club we have a standard set of press releases that explain all about gliding, the safety features we have and the way we operate to get the operation running smoothly but also safely.Reporters are lazy, give them the information and they will print it!
If senior management won’t agree to a press release maybe this is the time to discuss the security budget with them!A press release written when there is no pressure to respond to a situation is going to be much better than a fast reaction. One companies CEO said straight after a breach that “From this point on no tapes will be moved offsite unless encrypted!” Had they thought it through they would have realised they had thousands of tapes in “secure vaults” at off site locations. How could they get them back as this would breach the statement made.The pressrelease may also be used to explain just why the decision was taken that having this information not encrypted was an acceptable risk.
Encryption – a means of ensuring that either the costs of deciphering the information make it unlikely or that the time taken means that the information is no longer valid or useful. NO ENCRYPTION IS UNBREAKABLE!
Cannot be used for an alternative IPL from tape.
So you now have a keystore that has sensitive information but cannot be encrypted.Need to ensure the keystore is backup up to ensure it is available to restore data from tape.Need keystore to be available at DR site so data can be restored.
Available for LTO4, LTO5 & LTO6 and other high end drives such as the IBM TS1140.Existing media pool cannot be used so as well as buying a full set of new media how are you going to handle the existing pool of unencrypted tapes?It may not be simple to upgrade an existing library to take the new drives, even if it is an LTO library.You may also need to upgrade the operating system to support the new tape drives.For some drives you may need to change to a different interface and hence purchase new Host Bus Adapters to handle them.
696 pages! When you look and see only 47 pages are specific to the iSeries that sounds straightforward – then you realise you need to read much of the rest of the document to understand the iSeries section.
Length of time product / solution is supported? Six years later the auditors demand to see information that is only available on the backups? 12 years or more?
So if you want to only use iSeries then you need to be running the EKM, to use TKLM you will need some other servers.
Hardware appliances offer a more generic and flexible solution that can be used in all situations.
Clearly the main thing is that we need to keep the data confidential so non authorised persons cannot access it.
We also need to ensure the integrity of the information so we know what was written has not been changed in any way.
Another vital thing is to have good availability in the event we need to restore it.
The final requirement is that the solution is simple. This is so it does not delay the recovery of data to those authorised but also that the encryption of data does not have complex requirements so operations staff do not start trying to circumvent it to make their lives easy!
Originally encryption used in communications links, you presumed anyone could be recording so breaches were likely – Changed keys regularlyElectronic Key ManagementTivoli Lifecycle Key ManagementKey Management Interoperability Protocol
You also need to look at the size of your IT team, if you have plenty of people and time then drive encryption may be OK you, if not then consider an appliance based solution.