Information Security in respect to Backups and Archive
Paul Howard
Managing Director
DISUK Limited
Information Security
• Firewalls
• Intrusion Prevention/Detection
• Content Monitoring/Filtering
• VOIP Security
• Wireless/Mobile Security
• Anti Virus
• Biometric access
• Smartcards
• Physical Security
Tape!
• Lowest cost for long term data storage.
• A “Green” product.
• LTO6 that is shipping today has 2.6 TBytes uncompressed capacity
• The reports of my death are greatly exaggerated!
Risk Assessment
What is at risk
Customers information
Business information
Intellectual Property
Share Price
Reputation
Profit
TRUST
• Investigate vulnerabilities
• Balance regulatory risk with Business Risk
• Review possible consequential losses
• Real versus perceived risk!
• Who is responsible for Security?
What is on your humble tape?
Source www.privacyrights.org & www.datalossdb.org
Date | Companies Involved | Reason | Records
Jan 6, 2011 | Heraeus Incorporated, New York | Stolen Tapes | 10,000
Jan 19, 2011 | Abbott Medical Optics, Inc. | Stolen Tapes | 514
Jan 24, 2011 | Grays Harbor Pediatrics, Aberdeen, Washington | Stolen Tapes | 12,000
Jan 29, 2011 | Texas Health Harris Methodist Hospital - Azle | Lost Tape | 9,922
Feb 12, 2011 | Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center | Stolen Tapes | 1,700,000
Mar 1, 2011 | Cord Blood Registry, San Francisco, CA | Stolen Tapes | 300,000
April 4, 2012 | Phoenix Ireland, Scottish Provident Ireland | Lost Tape | 62,000
July 29, 2011 | Belmont Savings Bank | Lost Tape | 13,000
Oct 7, 2011 | Nemours Childrens Clinic, Nemours Foundation | Lost Tapes | 1,600,000
Sep 28, 2011 | Science Applications International Corp (SAIC), Tricare Management Activity | Stolen Tapes | 5,117,799
Oct 28, 2011 | ValueOptions, Inc., National Elevator Industry, United Parcel Service | Lost Tape | 10,600
Nov 25, 2011 | Good News Garage – LSS Inc | Stolen Tapes | Unknown
Dec 14, 2011 | Welcome Financial Services, Cattles Group, Shopacheck | Lost Tapes | 1,400,000
Total for 2011 | | | 10,235,835
It really is a problem and costs companies millions
Losses on tape in 2011
Source www.privacyrights.org & www.datalossdb.org
Date | Companies Involved | Reason | Records
March 1, 2012 | TD Bank, N.A. | Lost Tapes | 267,000
March 29, 2012 | IBM, California Department of Child Support Services, FedEx | Lost Tapes | 800,000
August 13, 2012 | Kindred Healthcare Inc. | Stolen Tape | 1,504
October 24, 2012 | Vermont State Employee's Credit Union | Lost Tapes | 85,000
November 5, 2012 | Women & Infants Hospital, Rhode Island | Lost Tape | 14,004
December 5, 2012 | IBM, O2 | Lost Tape | Unknown
December 7, 2012 | United States Secret Service | Lost Tape | Unknown
2012 losses to date | | | 1,167,508
It really is a problem and costs companies millions
Losses on tape in 2012
Washington (CNN) -- It might remind you of the new smash-hit James Bond movie "Skyfall", in
which the villains steal a device with top secret information on the identities of British agents.
But in this case, sensitive data was left on a subway train.
Law enforcement and congressional sources tell CNN a contractor working for the U.S. Secret
Service accidentally left a pouch containing two computer backup tapes on a train in
Washington's Metrorail subway system.
The tapes contained very sensitive Secret Service personnel and investigative information, and if
accessed could be highly damaging, according to sources.
The contractor was transporting the pouch from Secret Service headquarters in Washington to a
now-closed data facility in Maryland. The sources say the contractor got off a Metro train, and
later realized the pouch had been left behind. The Secret Service and the Metro police were
contacted, and an aggressive search took place.
According to one source, the tapes have not been recovered.
The incident occurred nearly five years ago, in February 2008. It is now the subject of an
investigation by the Department of Homeland Security's Office of Inspector General, according to
a congressional source.
Eric O'Neill, a former FBI counterespionage agent, said, "Some of the information could cause
lives to be at risk, if someone wanted to get at the families of a high-level government worker or
someone they perceived as being someone who could work against, say, a terrorist cell."
Secret Service tapes lost on train under investigation
By Brian Todd, John King and Joe Johns, CNN
December 8, 2012 -- Updated 0107 GMT (0907 HKT)
Source www.privacyrights.org & www.datalossdb.org
Date | Companies Involved | Reason | Records
1st February 2013 | First National Bank of Southern California | Stolen Tape | Unknown
4th March 2013 | Kindred Healthcare Inc. (Kindred Transitional Care and Rehabilitation | Stolen Tape | 716
2013 losses to date | | | 716
It really is a problem and costs companies millions
Losses on tape in 2013
Date | Companies Involved | Reason | Records
March 2007 | Independent Living Fund | Stolen Tape | 30,000
June 2007 | Bank of Scotland | Lost media | 62,000
July 2007 | First Response Finance Ltd | Stolen Media | Not given
November 2007 | HMRC | Lost Media | 25,000,000
December 2007 | HMRC | Lost Tapes | 6,500
April 2008 | HSBC | Lost Media | 370,000
June 2008 | Medisure (Insurance Co.) | Stolen Tapes | Not given
September 2008 | St Paul's surgery in Winchester | Stolen Tapes | 15,000
August 2009 | Zurich Financial Services | Lost Tapes | 641,000
January 2010 | Northern Ireland Electricity | Lost Tape | 12,799
April 2011 | Phoenix Ireland | Lost Tape | 62,000
January 2012 | Cattles Limited | Lost Tapes | 1,400,000
December 5, 2012 | IBM, O2 | Lost Tape | Unknown
UK Reported Removable Media data losses
Source www.privacyrights.org & www.datalossdb.org
It really is a problem and costs companies millions
US figures for average cost per record lost (bar chart, 2005 to 2011; labelled values range from $138 to $214)
Figures from the Ponemon Institute LLC
UK figures for average cost per record lost (bar chart, 2007 to 2012; labelled values £47, £60, £64, £71 and £79, plus a "?")
Figures from the Ponemon Institute LLC
• These figures show the number of records lost or compromised but we need to
convert these into financial impact figures to look at the actual costs of a loss.
– According to a study conducted by the Ponemon Institute, an independent information
practices research group, data breaches cost businesses an average of $214 per
customer record in 2010, up from $204 in 2009.
– This equates to the costs of the Bank of New York Mellon loss costing them almost one
billion US Dollars
Is it really a problem we should worry about?
How are they getting lost?
All of these couriers have been involved in the loss of data on tape
24 August 2010
Zurich Insurance fined £2.3m over customers' data loss
Zurich Insurance says its loss of customer information was "unacceptable"
The UK operation of Zurich Insurance has been fined £2.27m by the Financial
Services Authority (FSA) for losing personal details of 46,000 customers.
It is the highest fine levied on a single firm for data security failings.
Margaret Cole, the FSA's director of enforcement and financial crime, said: "Zurich UK let
its customers down badly." Stephen Lewis, chief executive of Zurich UK, said: "This
incident was unacceptable."
The data on policyholders, including in some cases bank account and credit card
information, went missing in August 2008. However, Zurich did not become aware of the
loss until a year later, when it then began notifying customers. The information went
missing during a routine transfer to a data storage centre in South Africa.
30th March 2012
California says IBM, Iron Mountain lost State
Agency data.
International Business Machines Corp. and Iron Mountain Inc. lost track of storage
devices with data from the California Department of Child Support Services involving
more than 800,000 people, the state said.
The information included names, addresses, Social Security numbers, drivers’ license
numbers, health-insurance providers and other data, California said today in a statement. The
state said it learned of the missing storage devices on March 12.
The loss or theft of computers and storage devices is a common way data breaches happen. Since
2005, there have been 837 breaches affecting almost 169 million records involving lost, discarded
or stolen laptops, smartphones and various portable data-storage devices, according to a
database of publicly disclosed breaches maintained by Privacy Rights Clearinghouse.
Cattles apologises for customer data loss 6 January 2012
Cattles has expressed “deep regret” at losing personal data on 1.4 million customers and its own
former staff.
Two IT back-up storage tapes were discovered missing from Cattles’ Kingston House building in Birstall, West
Yorkshire, at the end of November 2011.
The tapes contain personal data relating to 1.4 million customers, limited to names and addresses for 800,000
but also including date of birth and payment history for 600,000.
The tapes also include HR data relating to staff in employment with the Cattles Group up to October 2010.
Cattles has issued a statement which said a process was underway to inform affected customers and former
employees.
The Information Commissioners Office has also confirmed it is investigating the loss, and it has been reported
that the data concerns Welcome Financial Services and Shopacheck, both subsidiaries of Cattles.
Cattles’ statement said: “There is no evidence that the information has fallen into the wrong hands or been
used maliciously.” However, Cattles takes its obligations to protect personal data of its customers and staff
extremely seriously and we deeply regret what has happened.
“We have employed a specialist data security firm with extensive experience in financial services, to review
data security across the group and advise on any necessary improvements.”
An ICO spokesperson added: “We have recently been informed of a possible data breach
which may involve Welcome Financial Services Limited including its business Shopacheck.
We will be making enquiries into the circumstances of the alleged breach of the Data
Protection Act before deciding what action, if any, needs to be taken.”
Regulations.
• Sarbanes-Oxley (SoX) - standards for all U.S. public company
boards, management, and public accounting firms.
• Gramm-Leach-Bliley Act – for financial institutions
• Health Insurance Portability and Accountability Act (HIPAA) – The
healthcare Industry
• Payment Card Industry Data Security Standard (PCI DSS) – Anyone who is
processing, storing, or transmitting payment card data
• Control Objectives for Information and related Technology (COBIT)
• State Security Breach Notification Laws
What forces companies to admit they have lost data and
costs so much money?
Regulations.
• Data Protection Act.
• Computer Misuse Act
• Payment Card Industry Data Security Standard (PCI DSS) – Anyone who is
processing, storing, or transmitting payment card data
• Privacy and Electronic Communications Regulations
• Regulation of Investigatory Powers Act 2000
• EU Data Protection Directive
• Financial Services Authority - Data Security in Financial Services
What forces companies to admit they have lost data and
costs so much money?
Avoid turning a breach into a disaster!
Press releases
Get a press release written and signed off by the incident response team, the board or
senior management giving detailed thought as to the impact and what action you will
take.
Avoid the normal pitfalls,
“industrial strength tape technology would be needed to read the tapes”,
“we are secured by obscurity”,
“thieves would require specialist systems knowledge to understand our data”,
“we have no reason to believe the data has been misused”.
“we believed it was an acceptable risk!”
“We didn’t lose the tapes, it was the courier”.
“We didn’t consider the data was sensitive”.
Avoid turning a breach into a disaster!
• We need to ensure that only authorised people can read or restore the
data from tape!
– Internally this is quite straightforward as we control the system and can give
access only to those who need it when they need it.
– Externally these rules have no control at all! A different approach is required
to protect information on tapes removed from site for any reason.
What can we do?
• The only acceptable solution is to encrypt
data being written to tape so that it is only
recoverable with the keys it was written with.
• Tapes that contain only encrypted data are
not deemed to be lost as there is no readable
information contained on them.
• Disclosure is not therefore usually required.
What can we do?
– Software
– Hardware
• In the tape drive
• Between drive and system
How can we do it?
Available from V6R1 onwards
• Encryption for Any Tape Device, Tape Library or Virtual Tape
– AES Encryption
– Data Encrypted – Not Tape Labels
– Capability to Encrypt Each File Via Different Key
• Requires i5/OS option 44 (Encrypted Backup Enablement)
– Requires Tape Management Application to Enable
Encryption
– Recommend BRMS
• BRMS Advanced Feature Required
– Not Compatible with Hardware Encrypting Tape Devices
Software Encryption Considerations
Software Encryption Considerations
• Capacity
– Loss of Compaction May Result in More Tape Cartridges
• CANNOT Encrypt
– Operating system (*SAVSYS, *SAVSYSINF, *SAVSECDTA, *SAVCFG)
– QBRM, QUSRBRM, QSYS2, QGPL and QUSRSYS
– BRMS Will Not Encrypt “Q” Libraries
• Standard Labelled Tapes Only
• Cannot Use with Tape Write Error Recovery Enabled
• If Key Store File Lost – Data is Unrecoverable
• Can be used with existing tape drives and media
• V6R1 BRMS offers a software-based encryption function.
• To use this function, customers need the BRMS Advanced Feature (5761-BR1 option 2) and i5/OS
Encrypted Backup Enablement (5761-SS1 option 44 ).
• The encryption offered is software-based and can write saves to any tape drive, not just the encryption-
capable tape drives. If the customer has an encryption-capable tape drive, its encryption features are not
used for the BRMS-based software encryption. Customers should leave the tape drive with encryption
turned-off, otherwise they will double-encrypt their tapes
• BRMS-based software encryption will likely require more tapes (possibly 3 times as much media), since
encrypted data does not compact very well.
• The following objects cannot be encrypted: *SAVSYS, *SAVSECDTA, *SAVCFG, *IBM, and any libraries
starting with a Q
• IBM does not support encryption on optical or virtual optical devices
• Encryption is specified in the media policy, and can be turned on/off by backup item in the control group
• The customer is responsible for managing the keys via the encryption functions in the operating system.
The keystore is placed in the QUSRBRM library so BRMS can back it up for you. The BRMS screens and
recovery reports will indicate the keystore file and key record label used for each save
• This function is targeted at customers with a small amount of data to encrypt, or customers with a large
backup window, since there is a performance impact. Customers who need encryption but require the
fastest backup speeds should plan to use the encryption-capable tape hardware such as TS1120 and LTO4
instead since it has very minimal performance impact.
Software Encryption Considerations
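Added example (not from the original slides and not IBM code): the capacity point above, that software-encrypted saves compact poorly and need more cartridges, measured on constructed data. Assumptions: zlib stands in for the drive's compaction, a SHAKE-256 keystream stands in for AES, and the 20 TB backup size is made up; the third path reflects the fact that encryption-capable drives compact before they encrypt.

```python
import hashlib
import math
import random
import zlib


def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHAKE-256 keystream. This is NOT AES and
    not for production use; like AES output it is statistically random,
    which is the only property this demonstration relies on."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    mixed = int.from_bytes(data, "big") ^ int.from_bytes(stream, "big")
    return mixed.to_bytes(len(data), "big")


def sample_backup(records: int = 5000, seed: int = 1) -> bytes:
    """Constructed customer-style records, repetitive like real business files."""
    rng = random.Random(seed)
    towns = ["Leeds", "Belfast", "Bristol", "Cardiff", "Glasgow"]
    rows = [
        f"{i:08d},CUSTOMER,{rng.choice(towns)},ACTIVE,{rng.randint(0, 99999):05d}.00\n"
        for i in range(records)
    ]
    return "".join(rows).encode()


def compact(data: bytes) -> bytes:
    """zlib stands in for the tape drive's built-in compaction."""
    return zlib.compress(data, 6)


def bytes_on_tape(data: bytes, key: bytes, nonce: bytes) -> dict:
    """Bytes that reach the media for each of the three write paths."""
    return {
        # Unencrypted save: the drive compacts the clear data.
        "clear_compacted": len(compact(data)),
        # Software encryption on the host: the drive only ever sees ciphertext.
        "software_encrypted": len(compact(keystream_encrypt(key, nonce, data))),
        # Encryption in the drive: compaction first, encryption second.
        "drive_encrypted": len(keystream_encrypt(key, nonce, compact(data))),
    }


def media_plan(backup_bytes: int, cartridge_bytes: int, sizes: dict, sample_len: int) -> dict:
    """Scale the measured ratios up to a full backup and count cartridges."""
    return {
        path: math.ceil(backup_bytes * written / sample_len / cartridge_bytes)
        for path, written in sizes.items()
    }


if __name__ == "__main__":
    data = sample_backup()
    sizes = bytes_on_tape(data, b"constructed-demo-key", b"save-0001")
    for path, written in sizes.items():
        print(f"{path:20s} {written:8d} bytes ({written / len(data):.2f} of original)")
    # Constructed scenario: 20 TB of similar data, cartridges of 2.6 TB
    # (the uncompressed LTO6 figure quoted earlier in the deck).
    print(media_plan(20 * 10**12, 26 * 10**11, sizes, len(data)))
```

The gap between the first two rows is the extra media to budget for when choosing software encryption; real ratios depend on the data being saved.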
BRMS-based encryption (compared with regular tape saves)
Workload | Performance | CPU Utilization
Source file saves | Minimal impact | Approximately double
Usermix saves | Approximately 30% degradation | Approximately double
Largefile saves | Approximately 50% degradation | Approximately 3-5* increase
Source file restores | Minimal impact | Approximately 40% increase
Usermix restores | Approximately 25% degradation | Approximately 40% increase
Largefile restores | Approximately 4% degradation | Approximately 3-5* increase
Performance tests were run on an i570 and an i570 MMA 4-way system with EXP24 disk and
LTO3 tape
Performance details are available in the V6R1 Performance Capabilities Reference, pg 239-240
(PDF, 1.19MB)
– Hardware - in the drive
• Allows for high speed operation
• Limited to certain drive types
• Disruptive installation
• Only works on certain media types
• Requires special software to control and manage keys - EKM
• Cannot encrypt all data on the system as a host with an O/S, backup software
and key management must be available to enable encrypted restores
• Restrictive in a shared DR environment
How can we do it?
Encryption Key Manager Setup Tasks
• This topic provides the setup tasks required for the Encryption Key Manager.
• Before you can encrypt tapes, the Encryption Key Manager must first be configured and running so that it
can communicate with the encrypting tape drives. The Encryption Key Manager need not be running while
tape drives are being installed, but it must be running in order to perform encryption.
• These are the tasks you must perform before using the Encryption Key Manager. See IBM® Encryption Key
Manager component for the Java™ platform Installation, Planning, and User's Guide for details.
• Decide what system platforms to use as Encryption Key Manager servers.
• Upgrade the server operating system if necessary.
• Upgrade the Java Virtual Machine if necessary.
• Install Java Unrestricted Policy Files.
• Upgrade the Encryption Key Manager JAR. This can be found at the IBM website
http://www.ibm.com/support/docview.wss?&uid=ssg1S4000504 (or visit
http://www.ibm.com/servers/storage/support/tape/ts1120/downloading.html and click downloads and
look for IBM Encryption Key Manager for the Java platform).
• Decide on keystore type.
• Create keys, certificates, and key groups.
• If necessary, import keys and certificates (See previous step).
• Define the configuration properties file.
• Define tape drives to the Encryption Key Manager or set drive.acceptUnknownDrives configuration
property value on.
• Start the Encryption Key Manager server.
• Start the command line interface client.
EKM is only to be utilized for older tape generation products.
The IBM Encryption Key Manager for Java platform (EKM) is responsible for assisting in
securing vital data. The EKM works with IBM encryption-enabled tape drives in
generating, protecting, storing and maintaining encryption keys that are used to
encrypt information being written to and decrypt information being read from tape
media. EKM is a part of the IBM Java run time environment and uses IBM Java security
components for the cryptographic capabilities.
Tivoli Key Lifecycle Manager (TKLM) is IBM’s strategic new platform for
storage and delivery of encryption keys to encrypting storage end-point
devices.
IBM Tivoli Key Lifecycle Manager V2.0 supports the following:
AIX V5.3, 64-bit, Technology Level 9, Service Pack 2 and AIX 6.1 (A 64 bit AIX
kernel is required for both versions.)
Red Hat Enterprise Linux AS V4.0 on x86, 32-bit
SUSE Linux Enterprise Server V9 on x86, 32-bit, V10, Service Pack 2 on
x86, 32-bit, 64 bit (in 32-bit mode application), and V11 (32-bit and 64-bit in
32 bit mode)
Sun Server Solaris 9 and 10 (SPARC 64-bit) Note: Tivoli Key Lifecycle Manager
runs in a 32-bit JVM.
Microsoft Windows Server 2003 R2, (32-bit Intel and AMD processors)
Microsoft Windows Server 2008 R2 (64 bit for all Intel and AMD processors)
– Hardware Appliance – between the server & drive
• Available for all drive types
• Available on all system types
• Non-disruptive installation
• Works with existing media.
• No changes, special software or drivers required
• Keys held securely in appliance
How can we do it?
Removable Storage Security
What is needed?
Keep it Simple
If it is complex people will try to avoid using it!
Keys
• Why so much fuss about keys?
• EKM
• TKLM
• KMIP
• Goodbye, proprietary complexity. Given KMIP-compatible
tools, organizations will be able to manage their many encryption keys
from a single point of control—improving security, simplifying complexity
and achieving regulation compliance more quickly and easily. That's a
huge improvement over the current approach of using many different
encryption key management tools for many different business purposes
and IT assets.
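Added example (not from the original slides and not IBM code): a restore-readiness audit for the earlier warning that a lost keystore file makes the data unrecoverable. It takes the keystore file and key record label recorded for each save and checks them against the keystore copy held at the recovery site; the record layout, volume serials, keystore name and key labels are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Save:
    volume: str      # tape volume serial
    item: str        # library or save item written to that volume
    expires: date    # end of media retention
    keystore: str    # keystore file recorded for the save, "" if written in clear
    key_label: str   # key record label recorded for the save


def audit(saves, dr_keystores, today):
    """Check every unexpired save against the keystore copy at the DR site.
    dr_keystores maps keystore file name -> set of key record labels in it."""
    unrecoverable, cleartext, retain_until = [], [], {}
    for s in saves:
        if s.expires < today:
            continue                      # expired media no longer pins a key
        if not s.keystore:
            cleartext.append((s.volume, s.item))   # readable by anyone holding the tape
            continue
        key = (s.keystore, s.key_label)
        if s.key_label not in dr_keystores.get(s.keystore, set()):
            unrecoverable.append((s.volume, s.item, s.key_label))
        # A key must be kept at least as long as the longest-lived tape using it.
        retain_until[key] = max(retain_until.get(key, s.expires), s.expires)
    unreferenced = sorted(
        (store, label)
        for store, labels in dr_keystores.items()
        for label in labels
        if (store, label) not in retain_until
    )
    return {
        "unrecoverable": unrecoverable,   # encrypted, but DR site lacks the key
        "cleartext": cleartext,           # left site unencrypted
        "retain_until": retain_until,     # earliest date each key may be retired
        "unreferenced": unreferenced,     # keys no live tape depends on
    }


# Constructed sample data.
KS = "QUSRBRM/EXAMPLEKS"
TODAY = date(2013, 6, 1)
SAVES = [
    Save("VOL001", "PAYROLL", date(2014, 6, 30), KS, "KEY2012"),
    Save("VOL002", "CUSTDB", date(2020, 1, 31), KS, "KEY2013"),
    Save("VOL003", "*SAVSYS", date(2014, 1, 31), "", ""),
    Save("VOL004", "ARCHIVE", date(2012, 12, 31), KS, "KEY2010"),
    Save("VOL005", "PAYROLL", date(2015, 6, 30), KS, "KEY2012"),
]
DR_KEYSTORES = {KS: {"KEY2010", "KEY2012"}}   # KEY2013 never reached the DR copy

if __name__ == "__main__":
    for name, value in audit(SAVES, DR_KEYSTORES, TODAY).items():
        print(name, value)
```

Run against the real save history, an empty "unrecoverable" list is the condition to meet before relying on encrypted tapes for disaster recovery.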
• Only a few small libraries or small database and plenty of time available for
backup AND restore – Software
• Medium size system with less than 8 tape drives – Appliance
• Large corporate datacentre with large number of modern drives and own
disaster recovery site – Drive encryption with EKM and BRMS
• Multiple sites with just a few drives on each but need to secure all data –
Appliance
• Multiple sites with medium number of drives on each site and good WAN
connections between sites and DR site - Drive encryption with EKM and
BRMS
• Older legacy systems running older technology drives or older OS versions -
Appliance
How can we do it?
UK BUSINESS LEADERS’
VERDICT ON IT SECURITY
• 85% state that information security is not
fulfilling business needs
• 88% report an increase in external threats
• 57% report an increase in internal threats
• 61% cite a lack of budget as main hurdle
• 57% of businesses view information security
resources as lacking necessary skills
• 62% do not align information security to
enterprise architecture or business process
• 38% do not align to organisational risk appetite
Source: Ernst & Young
Questions
e-mail: ph@disuk.com
Web: www.disuk.com
Ni sug disuk 2013

More Related Content

What's hot

Identity Theft Resource Center - 3/11/2014
Identity Theft Resource Center - 3/11/2014Identity Theft Resource Center - 3/11/2014
Identity Theft Resource Center - 3/11/2014- Mark - Fullbright
 
2012 year end-electronic-discovery-update
2012 year end-electronic-discovery-update2012 year end-electronic-discovery-update
2012 year end-electronic-discovery-updateGareth Evans
 
Cyber Review_April 2015
Cyber Review_April 2015Cyber Review_April 2015
Cyber Review_April 2015James Sheehan
 
Data Privacy: A Snapshot of Recent Federal Trade Commission Rulings
Data Privacy: A Snapshot of Recent Federal Trade Commission Rulings Data Privacy: A Snapshot of Recent Federal Trade Commission Rulings
Data Privacy: A Snapshot of Recent Federal Trade Commission Rulings Christina Gagnier
 
Risk Managers Presentation
Risk Managers PresentationRisk Managers Presentation
Risk Managers Presentationpat7777
 
Affirmative Defense Reponse System
Affirmative Defense Reponse SystemAffirmative Defense Reponse System
Affirmative Defense Reponse Systemoldshaman
 
Gagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago PresentationGagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago PresentationChristina Gagnier
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liabilityDFickett
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalDr. Donald Macfarlane
 
3D's: Dating, Deception and Data Portability | Mozfest 2019
3D's: Dating, Deception and Data Portability | Mozfest 20193D's: Dating, Deception and Data Portability | Mozfest 2019
3D's: Dating, Deception and Data Portability | Mozfest 2019Ian Forrester
 
Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Ian Beckett
 
Blockchain - Hype or Reality
Blockchain - Hype or RealityBlockchain - Hype or Reality
Blockchain - Hype or Realitysnewell4
 
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance ServiceTBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance Servicegorsline
 
Legal issues in technology
Legal issues in technologyLegal issues in technology
Legal issues in technologyEzraGray1
 
2013-06-26-Is_your_company_Googling_its_privacy_away_brightalk_format_1c
2013-06-26-Is_your_company_Googling_its_privacy_away_brightalk_format_1c2013-06-26-Is_your_company_Googling_its_privacy_away_brightalk_format_1c
2013-06-26-Is_your_company_Googling_its_privacy_away_brightalk_format_1cRaj Goel
 

What's hot (19)

Identity Theft Resource Center - 3/11/2014
Identity Theft Resource Center - 3/11/2014Identity Theft Resource Center - 3/11/2014
Identity Theft Resource Center - 3/11/2014
 
2012 year end-electronic-discovery-update
2012 year end-electronic-discovery-update2012 year end-electronic-discovery-update
2012 year end-electronic-discovery-update
 
Cyber Review_April 2015
Cyber Review_April 2015Cyber Review_April 2015
Cyber Review_April 2015
 
Data Privacy: A Snapshot of Recent Federal Trade Commission Rulings
Data Privacy: A Snapshot of Recent Federal Trade Commission Rulings Data Privacy: A Snapshot of Recent Federal Trade Commission Rulings
Data Privacy: A Snapshot of Recent Federal Trade Commission Rulings
 
Risk Managers Presentation
Risk Managers PresentationRisk Managers Presentation
Risk Managers Presentation
 
Affirmative Defense Reponse System
Affirmative Defense Reponse SystemAffirmative Defense Reponse System
Affirmative Defense Reponse System
 
Gagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago PresentationGagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago Presentation
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liability
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
 
3D's: Dating, Deception and Data Portability | Mozfest 2019
3D's: Dating, Deception and Data Portability | Mozfest 20193D's: Dating, Deception and Data Portability | Mozfest 2019
3D's: Dating, Deception and Data Portability | Mozfest 2019
 
Forensic data investigations in China
Forensic data investigations in ChinaForensic data investigations in China
Forensic data investigations in China
 
Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017
 
Identity Theft * Canada
Identity Theft * CanadaIdentity Theft * Canada
Identity Theft * Canada
 
Blockchain - Hype or Reality
Blockchain - Hype or RealityBlockchain - Hype or Reality
Blockchain - Hype or Reality
 
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance ServiceTBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
 
Startups embroiled in debate over ethics of facial recognition
Startups embroiled in debate over ethics of facial recognitionStartups embroiled in debate over ethics of facial recognition
Startups embroiled in debate over ethics of facial recognition
 
Protecting Vanderbilt Information
Protecting Vanderbilt InformationProtecting Vanderbilt Information
Protecting Vanderbilt Information
 
Legal issues in technology
Legal issues in technologyLegal issues in technology
Legal issues in technology
 
2013-06-26-Is_your_company_Googling_its_privacy_away_brightalk_format_1c
2013-06-26-Is_your_company_Googling_its_privacy_away_brightalk_format_1c2013-06-26-Is_your_company_Googling_its_privacy_away_brightalk_format_1c
2013-06-26-Is_your_company_Googling_its_privacy_away_brightalk_format_1c
 

Similar to Ni sug disuk 2013

Data Theft Restrospective
Data Theft RestrospectiveData Theft Restrospective
Data Theft Restrospectiveolambel
 
iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?Hayden McCall
 
15 Most Outrageous Data Loss Incidents
Ni sug disuk 2013

  • 2. Information Security in respect to Backups and Archive Paul Howard Managing Director DISUK Limited
  • 3. Information Security • Firewalls • Intrusion Prevention/Detection • Content Monitoring/Filtering • VOIP Security • Wireless/Mobile Security • Anti Virus • Biometric access • Smartcards • Physical Security
  • 4. Tape! • Lowest cost for long term data storage. • A “Green” product. • LTO6 that is shipping today has 2.6 TBytes uncompressed capacity • The reports of my death are greatly exaggerated!
  • 6. Risk Assessment What is at risk Customers information Business information Intellectual Property Share Price Reputation Profit TRUST
  • 7. Risk Assessment • Investigate vulnerabilities • Balance regulatory risk with Business Risk • Review possible consequential losses • Real versus perceived risk! • Who is responsible for Security?
  • 9. What is on your humble tape?
  • 11. Losses on tape in 2011. It really is a problem and costs companies millions. Source: www.privacyrights.org & www.datalossdb.org
    Date | Companies Involved | Reason | Records
    Jan 6, 2011 | Heraeus Incorporated, New York | Stolen Tapes | 10,000
    Jan 19, 2011 | Abbott Medical Optics, Inc. | Stolen Tapes | 514
    Jan 24, 2011 | Grays Harbor Pediatrics, Aberdeen, Washington | Stolen Tapes | 12,000
    Jan 29, 2011 | Texas Health Harris Methodist Hospital - Azle | Lost Tape | 9,922
    Feb 12, 2011 | Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center | Stolen Tapes | 1,700,000
    Mar 1, 2011 | Cord Blood Registry, San Francisco, CA | Stolen Tapes | 300,000
    April 4, 2012 | Phoenix Ireland, Scottish Provident Ireland | Lost Tape | 62,000
    July 29, 2011 | Belmont Savings Bank | Lost Tape | 13,000
    Oct 7, 2011 | Nemours Childrens Clinic, Nemours Foundation | Lost Tapes | 1,600,000
    Sep 28, 2011 | Science Applications International Corp (SAIC), Tricare Management Activity | Stolen Tapes | 5,117,799
    Oct 28, 2011 | ValueOptions, Inc., National Elevator Industry, United Parcel Service | Lost Tape | 10,600
    Nov 25, 2011 | Good News Garage – LSS Inc | Stolen Tapes | Unknown
    Dec 14, 2011 | Welcome Financial Services, Cattles Group, Shopacheck | Lost Tapes | 1,400,000
    Total for 2011 | | | 10,235,835
  • 12. Losses on tape in 2012. It really is a problem and costs companies millions. Source: www.privacyrights.org & www.datalossdb.org
    Date | Companies Involved | Reason | Records
    March 1, 2012 | TD Bank, N.A. | Lost Tapes | 267,000
    March 29, 2012 | IBM, California Department of Child Support Services, FedEx | Lost Tapes | 800,000
    August 13, 2012 | Kindred Healthcare Inc. | Stolen Tape | 1,504
    October 24, 2012 | Vermont State Employee's Credit Union | Lost Tapes | 85,000
    November 5, 2012 | Women & Infants Hospital, Rhode Island | Lost Tape | 14,004
    December 5, 2012 | IBM, O2 | Lost Tape | Unknown
    December 7, 2012 | United States Secret Service | Lost Tape | Unknown
    2012 losses to date | | | 1,167,508
  • 13. Secret Service tapes lost on train under investigation. By Brian Todd, John King and Joe Johns, CNN. December 8, 2012 -- Updated 0107 GMT (0907 HKT). Washington (CNN) -- It might remind you of the new smash-hit James Bond movie "Skyfall", in which the villains steal a device with top secret information on the identities of British agents. But in this case, sensitive data was left on a subway train. Law enforcement and congressional sources tell CNN a contractor working for the U.S. Secret Service accidentally left a pouch containing two computer backup tapes on a train in Washington's Metrorail subway system. The tapes contained very sensitive Secret Service personnel and investigative information, and if accessed could be highly damaging, according to sources. The contractor was transporting the pouch from Secret Service headquarters in Washington to a now-closed data facility in Maryland. The sources say the contractor got off a Metro train, and later realized the pouch had been left behind. The Secret Service and the Metro police were contacted, and an aggressive search took place. According to one source, the tapes have not been recovered. The incident occurred nearly five years ago, in February 2008. It is now the subject of an investigation by the Department of Homeland Security's Office of Inspector General, according to a congressional source. Eric O'Neill, a former FBI counterespionage agent, said, "Some of the information could cause lives to be at risk, if someone wanted to get at the families of a high-level government worker or someone they perceived as being someone who could work against, say, a terrorist cell."
  • 14. Losses on tape in 2013. It really is a problem and costs companies millions. Source: www.privacyrights.org & www.datalossdb.org
    Date | Companies Involved | Reason | Records
    1st February 2013 | First National Bank of Southern California | Stolen Tape | Unknown
    4th March 2013 | Kindred Healthcare Inc. (Kindred Transitional Care and Rehabilitation | Stolen Tape | 716
    2013 losses to date | | | 716
  • 15. UK Reported Removable Media data losses. It really is a problem and costs companies millions. Source: www.privacyrights.org & www.datalossdb.org
    Date | Companies Involved | Reason | Records
    March 2007 | Independent Living Fund | Stolen Tape | 30,000
    June 2007 | Bank of Scotland | Lost media | 62,000
    July 2007 | First Response Finance Ltd | Stolen Media | Not given
    November 2007 | HMRC | Lost Media | 25,000,000
    December 2007 | HMRC | Lost Tapes | 6,500
    April 2008 | HSBC | Lost Media | 370,000
    June 2008 | Medisure (Insurance Co.) | Stolen Tapes | Not given
    September 2008 | St Paul's surgery in Winchester | Stolen Tapes | 15,000
    August 2009 | Zurich Financial Services | Lost Tapes | 641,000
    January 2010 | Northern Ireland Electricity | Lost Tape | 12,799
    April 2011 | Phoenix Ireland | Lost Tape | 62,000
    January 2012 | Cattles Limited | Lost Tapes | 1,400,000
    December 5, 2012 | IBM, O2 | Lost Tape | Unknown
  • 16. [Bar chart: US figures for average cost per record lost, years 2005 to 2011, axis $0 to $250. Bar labels shown: $214, $138, $182, $197, $204, $202, $194. Figures from the Ponemon Institute LLC.]
  • 17. [Bar chart: UK figures for average cost per record lost, years 2007 to 2012, axis £0 to £80. Bar labels shown: £47, £60, £64, £71, £79, ?. Figures from the Ponemon Institute LLC.]
  • 18. Is it really a problem we should worry about? • These figures show the number of records lost or compromised, but we need to convert these into financial impact figures to look at the actual costs of a loss. – According to a study conducted by the Ponemon Institute, an independent information practices research group, data breaches cost businesses an average of $214 per customer record in 2010, up from $204 in 2009. – On that basis, the Bank of New York Mellon loss cost them almost one billion US Dollars.
  • 19. How are they getting lost? All of these couriers have been involved in the loss of data on tape
  • 20. 24 August 2010. Zurich Insurance fined £2.3m over customers' data loss. Zurich Insurance says its loss of customer information was "unacceptable". The UK operation of Zurich Insurance has been fined £2.27m by the Financial Services Authority (FSA) for losing personal details of 46,000 customers. It is the highest fine levied on a single firm for data security failings. Margaret Cole, the FSA's director of enforcement and financial crime, said: "Zurich UK let its customers down badly." Stephen Lewis, chief executive of Zurich UK, said: "This incident was unacceptable." The data on policyholders, including in some cases bank account and credit card information, went missing in August 2008. However, Zurich did not become aware of the loss until a year later, when it then began notifying customers. The information went missing during a routine transfer to a data storage centre in South Africa.
  • 21. 30th March 2012. California says IBM, Iron Mountain lost State Agency data. International Business Machines Corp. and Iron Mountain Inc. lost track of storage devices with data from the California Department of Child Support Services involving more than 800,000 people, the state said. The information included names, addresses, Social Security numbers, drivers’ license numbers, health-insurance providers and other data, California said today in a statement. The state said it learned of the missing storage devices on March 12. The loss or theft of computers and storage devices is a common way data breaches happen. Since 2005, there have been 837 breaches affecting almost 169 million records involving lost, discarded or stolen laptops, smartphones and various portable data-storage devices, according to a database of publicly disclosed breaches maintained by Privacy Rights Clearinghouse.
  • 24. Cattles apologises for customer data loss 6 January 2012 Cattles has expressed “deep regret” at losing personal data on 1.4 million customers and its own former staff. Two IT back-up storage tapes were discovered missing from Cattles’ Kingston House building in Birstall, West Yorkshire, at the end of November 2011. The tapes contain personal data relating to 1.4 million customers, limited to names and addresses for 800,000 but also including date of birth and payment history for 600,000. The tapes also include HR data relating to staff in employment with the Cattles Group up to October 2010. Cattles has issued a statement which said a process was underway to inform affected customers and former employees. The Information Commissioners Office has also confirmed it is investigating the loss, and it has been reported that the data concerns Welcome Financial Services and Shopacheck, both subsidiaries of Cattles. Cattles’ statement said: “There is no evidence that the information has fallen into the wrong hands or been used maliciously.” However, Cattles takes its obligations to protect personal data of its customers and staff extremely seriously and we deeply regret what has happened. “We have employed a specialist data security firm with extensive experience in financial services, to review data security across the group and advise on any necessary improvements.” An ICO spokesperson added: “We have recently been informed of a possible data breach which may involve Welcome Financial Services Limited including its business Shopacheck. We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”
  • 25. Regulations. What forces companies to admit they have lost data and costs so much money? • Sarbanes-Oxley (SoX) - standards for all U.S. public company boards, management, and public accounting firms. • Gramm-Leach-Bliley Act – for financial institutions • Health Insurance Portability and Accountability Act (HIPAA) – The healthcare Industry • Payment Card Industry Data Security Standard (PCI DSS) – Anyone who is processing, storing, or transmitting payment card data • Control Objectives for Information and related Technology (COBIT) • State Security Breach Notification Laws
  • 26. Regulations. What forces companies to admit they have lost data and costs so much money? • Data Protection Act • Computer Misuse Act • Payment Card Industry Data Security Standard (PCI DSS) – Anyone who is processing, storing, or transmitting payment card data • Privacy and Electronic Communications Regulations • Regulation of Investigatory Powers Act 2000 • EU Data Protection Directive • Financial Services Authority - Data Security in Financial Services
  • 30. Avoid turning a breach into a disaster! Press releases
  • 31. Press releases Avoid turning a breach into a disaster!
  • 32. Avoid turning a breach into a disaster! Get a press release written and signed off by the incident response team, the board or senior management, giving detailed thought as to the impact and what action you will take. Avoid the normal pitfalls: “industrial strength tape technology would be needed to read the tapes”, “we are secured by obscurity”, “thieves would require specialist systems knowledge to understand our data”, “we have no reason to believe the data has been misused”, “we believed it was an acceptable risk!”, “We didn’t lose the tapes, it was the courier”, “We didn’t consider the data was sensitive”.
  • 33. What can we do? • We need to ensure that only authorised people can read or restore the data from tape! – Internally this is quite straightforward as we control the system and can give access only to those who need it when they need it. – Externally these rules have no control at all! A different approach is required to protect information on tapes removed from site for any reason.
  • 34. What can we do? • The only acceptable solution is to encrypt data being written to tape so that it is only recoverable with the keys it was written with. • Tapes that contain only encrypted data are not deemed to be lost as there is no readable information contained on them. • Disclosure is not therefore usually required.
  • 35. How can we do it? – Software – Hardware • In the tape drive • Between drive and system
  • 36. Software Encryption Considerations. Available from V6R1 onwards • Encryption for Any Tape Device, Tape Library or Virtual Tape – AES Encryption – Data Encrypted – Not Tape Labels – Capability to Encrypt Each File Via Different Key • Requires i5/OS option 44 (Encrypted Backup Enablement) – Requires Tape Management Application to Enable Encryption – Recommend BRMS • BRMS Advanced Feature Required – Not Compatible with Hardware Encrypting Tape Devices
  • 37. Software Encryption Considerations • Capacity – Loss of Compaction May Result in More Tape Cartridges • CANNOT Encrypt – Operating system (*SAVSYS, *SAVSYSINF, *SAVSECDTA, *SAVCFG) – QBRM, QUSRBRM, QSYS2, QGPL and QUSRSYS – BRMS Will Not Encrypt “Q” Libraries • Standard Labelled Tapes Only • Cannot Use with Tape Write Error Recovery Enabled • If Key Store File Lost – Data is Unrecoverable • Can be used with existing tape drives and media
  • 38. Software Encryption Considerations • V6R1 BRMS offers a software-based encryption function. • To use this function, customers need the BRMS Advanced Feature (5761-BR1 option 2) and i5/OS Encrypted Backup Enablement (5761-SS1 option 44). • The encryption offered is software-based and can write saves to any tape drive, not just the encryption-capable tape drives. If the customer has an encryption-capable tape drive, its encryption features are not used for the BRMS-based software encryption. Customers should leave the tape drive with encryption turned off, otherwise they will double-encrypt their tapes. • BRMS-based software encryption will likely require more tapes (possibly 3 times as much media), since encrypted data does not compact very well. • The following objects cannot be encrypted: *SAVSYS, *SAVSECDTA, *SAVCFG, *IBM, and any libraries starting with a Q • IBM does not support encryption on optical or virtual optical devices • Encryption is specified in the media policy, and can be turned on/off by backup item in the control group • The customer is responsible for managing the keys via the encryption functions in the operating system. The keystore is placed in the QUSRBRM library so BRMS can back it up for you. The BRMS screens and recovery reports will indicate the keystore file and key record label used for each save • This function is targeted at customers with a small amount of data to encrypt, or customers with a large backup window, since there is a performance impact. Customers who need encryption but require the fastest backup speeds should plan to use the encryption-capable tape hardware such as TS1120 and LTO4 instead, since it has very minimal performance impact.
  • 39. Performance: BRMS-based encryption (compared with regular tape saves)
    Operation | Performance | CPU Utilization
    Source file saves | Minimal impact | approximately double
    Usermix Saves | approximately 30% degradation | approximately double
    Largefile Saves | approximately 50% degradation | Approximately 3-5* increase
    Source file restores | minimal impact | Approximately 40% increase
    Usermix restores | approximately 25% degradation | Approximately 40% increase
    Largefile restores | approximately 4% degradation | Approximately 3-5* increase
    Performance tests were run on an i570 and an i570 MMA 4-way system with EXP24 disk and LTO3 tape. Performance details are available in the V6R1 Performance Capabilities Reference, pg 239-240 (PDF, 1.19MB)
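The two software-encryption caveats above (encrypted saves stop compacting in the drive, and a lost key store makes the data unrecoverable) can be reproduced in a few lines. This is an added example, not code from the slides or from BRMS. It assumes zlib as a stand-in for drive compaction and a SHA-256 counter-mode keystream as a stand-in for AES; every function name and the sample rows are constructed for the illustration.

```python
import hashlib
import hmac
import os
import zlib

# Constructed sample: 5,000 repetitive "customer" rows, like a database save.
SAMPLE = b"".join(
    b"%06d,SMITH,JOHN,1 HIGH STREET,EXAMPLETOWN,ACTIVE,0000.00\n" % i
    for i in range(5000)
)


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one key-store entry."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 in counter mode, standing in for AES-CTR (illustration only)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    n = len(data)
    mixed = int.from_bytes(data, "big") ^ int.from_bytes(stream[:n], "big")
    return mixed.to_bytes(n, "big")


def seal_backup(master: bytes, plaintext: bytes, compress_first: bool) -> bytes:
    """Return flag || nonce || ciphertext || HMAC tag for one save file."""
    body = zlib.compress(plaintext) if compress_first else plaintext
    header = (b"\x01" if compress_first else b"\x00") + os.urandom(16)
    ciphertext = _keystream_xor(_subkey(master, b"enc"), header[1:], body)
    tag = hmac.new(_subkey(master, b"mac"), header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_backup(master: bytes, blob: bytes) -> bytes:
    """Restore a save file; fails closed on a wrong key or altered data."""
    if len(blob) < 49:  # 1 flag byte + 16 nonce bytes + 32 tag bytes
        raise ValueError("truncated backup record")
    header, ciphertext, tag = blob[:17], blob[17:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted tape data")
    body = _keystream_xor(_subkey(master, b"enc"), header[1:], ciphertext)
    return zlib.decompress(body) if header[0] == 1 else body


def bytes_on_tape(stream: bytes) -> int:
    """Model drive compaction with zlib; incompressible data is stored as is."""
    return min(len(stream), len(zlib.compress(stream)))


def media_report(master: bytes, data: bytes) -> dict:
    """Compaction ratio (source bytes / bytes on tape) for each write path."""
    paths = {
        "plaintext": data,
        "encrypt_only": seal_backup(master, data, compress_first=False),
        "compress_then_encrypt": seal_backup(master, data, compress_first=True),
    }
    return {name: len(data) / bytes_on_tape(s) for name, s in paths.items()}


if __name__ == "__main__":
    key = os.urandom(32)  # stands in for the key record held in the key store
    for path, ratio in media_report(key, SAMPLE).items():
        print(f"{path:24s} {ratio:6.2f} : 1")
    sealed = seal_backup(key, SAMPLE, compress_first=True)
    try:
        open_backup(os.urandom(32), sealed)  # key store lost, new key generated
    except ValueError as err:
        print("restore without the original key:", err)
```

The `encrypt_only` path is the one the slides describe: ciphertext reaches the drive looking random, so the drive's compaction gains nothing. Compressing in software before encrypting recovers the ratio at the cost of more host CPU.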
  • 40. – Hardware - in the drive • Allows for high speed operation • Limited to certain drive types • Disruptive installation • Only works on certain media types • Requires special software to control and manage keys - EKM • Cannot encrypt all data on the system as a host with an O/S, backup software and key management must be available to enable encrypted restores • Restrictive in a shared DR environment How can we do it?
  • 41.
  • 42. Encryption Key Manager Setup Tasks • This topic provides the setup tasks required for the Encryption Key Manager. • Before you can encrypt tapes, the Encryption Key Manager must first be configured and running so that it can communicate with the encrypting tape drives. The Encryption Key Manager need not be running while tape drives are being installed, but it must be running in order to perform encryption. • These are the tasks you must perform before using the Encryption Key Manager. See IBM® Encryption Key Manager component for the Java™ platform Installation, Planning, and User's Guide for details. • Decide what system platforms to use as Encryption Key Manager servers. • Upgrade the server operating system if necessary. • Upgrade the Java Virtual Machine if necessary. • Install Java Unrestricted Policy Files. • Upgrade the Encryption Key Manager JAR. This can be found at the IBM website http://www.ibm.com/support/docview.wss?&uid=ssg1S4000504 (or visit http://www.ibm.com/servers/storage/support/tape/ts1120/downloading.html and click downloads and look for IBM Encryption Key Manager for the Java platform). • Decide on keystore type. • Create keys, certificates, and key groups. • If necessary, import keys and certificates (See previous step). • Define the configuration properties file. • Define tape drives to the Encryption Key Manager or set drive.acceptUnknownDrives configuration property value on. • Start the Encryption Key Manager server. • Start the command line interface client.
  • 43. EKM is only to be utilized for older tape generation products. The IBM Encryption Key Manager for Java platform (EKM) is responsible for assisting in securing vital data. The EKM works with IBM encryption-enabled tape drives in generating, protecting, storing and maintaining encryption keys that are used to encrypt information being written to and decrypt information being read from tape media. EKM is a part of the IBM Java run time environment and uses IBM Java security components for the cryptographic capabilities. Tivoli Key Lifecycle Manager (TKLM) is IBM’s strategic new platform for storage and delivery of encryption keys to encrypting storage end-point devices.
  • 44. IBM Tivoli Key Lifecycle Manager V2.0 supports the following: • AIX V5.3, 64-bit, Technology Level 9, Service Pack 2 and AIX 6.1 (a 64-bit AIX kernel is required for both versions) • Red Hat Enterprise Linux AS V4.0 on x86, 32-bit • SUSE Linux Enterprise Server V9 on x86, 32-bit, V10, Service Pack 2 on x86, 32-bit, 64-bit (in 32-bit mode application), and V11 (32-bit and 64-bit in 32-bit mode) • Sun Server Solaris 9 and 10 (SPARC 64-bit). Note: Tivoli Key Lifecycle Manager runs in a 32-bit JVM. • Microsoft Windows Server 2003 R2 (32-bit Intel and AMD processors) • Microsoft Windows Server 2008 R2 (64-bit for all Intel and AMD processors)
  • 45. – Hardware Appliance – between the server & drive • Available for all drive types • Available on all system types • Non-disruptive installation • Works with existing media. • No changes, special software or drivers required • Keys held securely in appliance How can we do it?
  • 50. Keep it Simple If it is complex people will try to avoid using it!
  • 51. Keys • Why so much fuss about keys? • EKM • TKLM • KMIP • Goodbye, proprietary complexity. Given KMIP-compatible tools, organizations will be able to manage their many encryption keys from a single point of control, improving security, simplifying complexity and achieving regulation compliance more quickly and easily. That's a huge improvement over the current approach of using many different encryption key management tools for many different business purposes and IT assets.
  • 52. • Only a few small libraries or small database and plenty of time available for backup AND restore – Software • Medium size system with less than 8 tape drives – Appliance • Large corporate datacentre with large number of modern drives and own disaster recovery site – Drive encryption with EKM and BRMS • Multiple sites with just a few drives on each but need to secure all data – Appliance • Multiple sites with medium number of drives on each site and good WAN connections between sites and DR site - Drive encryption with EKM and BRMS • Older legacy systems running older technology drives or older OS versions - Appliance How can we do it?
  • 53. UK BUSINESS LEADERS’ VERDICT ON IT SECURITY • 85% state that information security is not fulfilling business needs • 88% report an increase in external threats • 57% report an increase in internal threats • 61% cite a lack of budget as main hurdle • 57% of businesses view information security resources as lacking necessary skills • 62% do not align information security to enterprise architecture or business process • 38% do not align to organisational risk appetite Source: Ernst & Young
  • 54.
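
The media cost noted on slide 38 (encrypted data does not compact well, so software-encrypted saves need more tapes) can be measured directly. The following is an added example, not code from the deck or from IBM; it assumes zlib as a stand-in for drive compaction, a SHAKE-256 keystream as a stand-in cipher, constructed sample records, and a scaled-down constructed cartridge size.

```python
import hashlib
import random
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with a SHAKE-256 keystream.

    Illustrative only. It is not the cipher BRMS or a tape drive uses and
    must not protect real data; the same call encrypts and decrypts.
    """
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    mixed = int.from_bytes(data, "big") ^ int.from_bytes(stream, "big")
    return mixed.to_bytes(len(data), "big")


def sample_backup(rows: int = 20000, seed: int = 1) -> bytes:
    """Constructed save data: repetitive, database-like records."""
    rng = random.Random(seed)
    towns = ["Aberdeen", "Bristol", "Cardiff", "Dundee", "Exeter"]
    return "".join(
        f"{i:08d},CUSTOMER,{rng.choice(towns)},ACTIVE,{rng.randint(0, 9999):04d}.00,GBP\n"
        for i in range(rows)
    ).encode()


def media_bytes(data: bytes, key: bytes = b"K" * 32, nonce: bytes = b"N" * 12) -> dict:
    """Bytes that reach the media for each ordering of compaction and encryption."""
    compacted = zlib.compress(data, 6)  # zlib stands in for drive compaction
    return {
        "plain": len(data),
        "compact_only": len(compacted),
        # Host software encrypts first, so compaction only ever sees ciphertext.
        "encrypt_then_compact": len(zlib.compress(keystream_xor(key, nonce, data), 6)),
        # Compaction runs first and the already-small output is then encrypted.
        "compact_then_encrypt": len(keystream_xor(key, nonce, compacted)),
    }


def tapes_needed(nbytes: int, capacity: int) -> int:
    """Whole cartridges required for nbytes (ceiling division)."""
    return -(-nbytes // capacity)


if __name__ == "__main__":
    sizes = media_bytes(sample_backup())
    cartridge = 100_000  # constructed, scaled-down cartridge capacity in bytes
    for name, size in sizes.items():
        print(f"{name:22s} {size:9d} bytes  {tapes_needed(size, cartridge):3d} cartridges")
```
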

Editor's Notes

  1. This slide runs on a timer! These are all things that tend to spring to mind when we start to discuss security in the IT world. Many of these are also being used by individuals at home to protect themselves from attack.
  2. When discussing Information Security tape is often overlooked. LTO6 is quoted at 6.25 TBytes but that is based on 2.5:1 compression. Tape is fast, up to 400 Mbytes/sec on LTO6 – OK, you are not likely to be able to feed it that fast! Point is tape is going to stay around in many businesses for many years. Mark Twain quotation after hearing that his obituary had been published in the New York Journal.
  3. There are a number of companies working on next generation products including the LTO.
  4. Most companies hold sensitive information on their customers; it may be personal information if you are dealing with the public or trading information in the case of business to business. Whatever it is, if you lose it your customer will not be pleased. (next) Much of the information held on your own business will be things you would not want either the public or your competitors to know. (next) You may hold data on intellectual property, design of software used for the business, algorithms used for share dealing etc. (next) Loss of sensitive information will normally have substantial negative impact on the share price of the business and this can have further impact to you. (next) Depending on the business sector you operate in, your reputation as a business will be affected to a greater or lesser amount. (next) Putting things right will impact the bottom line. (next) The big loss is the loss of trust in the business; we all naturally trust people and organisations and once lost, trust is hard to get back. It is hard to put a financial figure on the impact loss of trust causes but it will be substantial. (New Slide)
  5. Different businesses will have different types and levels of vulnerability and I’m sure you all have people in the company whose job it is to assess these risks. You have a duty of care. (next) Sometimes it is easy simply to look at what the regulators suggest are the risks and cover only those risks; you also need to look at the other impacts of any risk: will it damage the business in any way? (next) Once you have looked at the losses possible you can then look at the value or ROI on investments to mitigate those losses. (next) An interesting point that came up on a number of occasions at this year’s RSA security conference in the US was the amount of time, money and effort that is being put into “risks” that are believed to exist but in fact the chances of the risk are low and the impact is marginal. The view was “don’t spend all the effort securing access through the windows when the front door is being left open!” Up until recently most security thinking tended to be network biased or Laptop security but BYOD has brought attention into the risks associated with removable media in all its forms. Threat Landscape: looking at a threat’s possible damage against the likelihood of the threat occurring. Don’t try to protect against threats that are unlikely and in any case would do little damage.
  6. Risk assessment is an on-going process.
  7. Consider for a minute what information is contained on the tapes used by your business. A backup tape by its very nature will contain things like the Corporate Database – it is easy to understand that needs to be protected. But what about HR records – pay, discipline cases, disputes, staff personal bank account details. Research – designs, future plans etc.
  8. Total of all incidents involving tape is only 2%. The number of records known to have been compromised through tapes being lost or stolen is over 90 million. Many of the lost tapes were reported with the number of records being ‘unknown’. In 2007 26 tapes were reported as lost by the US Internal Revenue Service in Kansas and although recorded as an unknown number it has been suggested to have compromised 26.6 million records.
  9. Records of losses have been kept since 2005 but even as recently as 2011 we were seeing large numbers of reported breaches involving tape.
  10. 2012 looks better but it is interesting who the last two reported for the year are! And they don’t even know how many records were on the lost tapes!
  11. There is no legislation to force UK companies to disclose losses so these are just those in the public domain. HMRC said it was on two CDs at 25 million records; that is only 85 bytes per record if we take a CD as being 900 Mb. Maybe it was tape then! Boots was one of the affected companies in the Medisure theft from a security van. The Zurich loss was in South Africa but we have added it as it affected 41,000 UK residents and impacted the group as a whole. Outsourcing is a considerable worry, just think how many of you have details held in India! Banks, Utility companies, insurance companies and phone companies are all using call centres based outside the EU and some consider this excuses them from meeting the requirements of the regulators.
  12. Figures from the US showing the average cost of the losses based on a per record cost show a slight decrease in 2011 after a continued growth since the records were kept in 2005. Although they are based on losses in the US you can expect the trends to be similar in Indonesia. One reason the US has these figures is the legal requirement to disclose breaches but as these regulations are brought into law in other countries we see similar trends appearing.
  13. UK Figures for losses. Based on these figures Cattles’ loss of 1.4 million records in Jan 2012 would have cost them £110.6M.
  14. Numbers still make headlines but it is the impact on a company’s bottom line that really is a direct hit. Loss of consumer confidence is harder to quantify accurately but still has a huge impact on some companies after a reported breach. Fines and legal actions can take these costs much higher though. One presumes there are savings made because of the scale of the breach but whatever the real figures they are very damaging to the bottom line. The Bank of New York Mellon admitted losing 4.5M customer records on unencrypted tapes in April 2007 – this is estimated to have cost them in excess of $100M in legal and other associated costs. Indeed the results for the second quarter of 2008 included a pre-tax charge of $22 million for credit monitoring related to lost tapes. The Ponemon institute estimated the average cost of a record being compromised in 2007 was $197 so from this we get a cost of US$886 million.
  15. So as not to appear biased, we thought we should point out that all the major carriers have been involved in these data losses.
  16. This is an example where a loss in one country had a major impact on the business in another one. The actual loss was a tape in transit by Zurich South Africa with over 5 million records. £2.3M is around 38,400 Million Rupiah.
  17. This loss in the US affected 800,000 people. They point out that storage device theft is a common way data breaches happen. Why do we know about it? Regulations insist that any breaches are notified “in a timely manner” but you will note most of the reported breaches involve a third party. People who think they are the only ones to know about a breach are reluctant to tell anyone about it. Would you want to make it public that you had lost data? IBM have even lost their own staff records when a tape was lost – notice that everyone involved gets named!
  18. Although they only lost the records of 267,000 customers, they have over 7.4 million customers across the US so you can imagine what loss of business they are exposed to. (next) Any loss can get your name exposed across the world; the old adage that any publicity is good publicity may be disproved by this! Each newspaper made clear the impact of the loss on local people.
  19. SoX: named after its sponsors, Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH). Gramm-Leach-Bliley Act: requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ non-public personal information. PCI is very powerful. Section 3.4: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: • One-way hashes based on strong cryptography (hash must be of the entire PAN) • Truncation (hashing cannot be used to replace the truncated segment of PAN) • Index tokens and pads (pads must be securely stored) • Strong cryptography with associated key-management processes and procedures. COBIT is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992.
  20. DPA states - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  21. I’m sure all of you working in companies covered by the FSA regulations will be fully aware of the details of this publication - all 104 pages of it! From the tape side look at section 3.4.6 Data back-up.
  22. You may however not be too sure you understand the meaning of it all.
  23. Actually they are not that bad; this is a page from the FSA document. Interesting statement that “If backup data is not transferred or stored securely, all other controls to ensure data security at a firm are undermined”.
  24. OK so what if you haven't got the right security in place and have a breach – what could you have done ahead of time? Your incident response team will be working on the premise that there will be a breach at some point and will be planning for it so these are some ideas. I consider gliding very safe and was happy to let my daughter start flying solo at the age of 16.
  25. But SH*T happens. When things go wrong we have the press instantly trying to get information and they will print or report anything they get their hands on, mostly totally incorrect and often total rubbish. As a club we have a standard set of press releases that explain all about gliding, the safety features we have and the way we operate to get the operation running smoothly but also safely. Reporters are lazy, give them the information and they will print it!
  26. If senior management won’t agree to a press release maybe this is the time to discuss the security budget with them! A press release written when there is no pressure to respond to a situation is going to be much better than a fast reaction. One company’s CEO said straight after a breach that “From this point on no tapes will be moved offsite unless encrypted!” Had they thought it through they would have realised they had thousands of tapes in “secure vaults” at off-site locations. How could they get them back, as this would breach the statement made? The press release may also be used to explain just why the decision was taken that having this information not encrypted was an acceptable risk.
  27. Encryption – a means of ensuring that either the costs of deciphering the information make it unlikely or that the time taken means that the information is no longer valid or useful. NO ENCRYPTION IS UNBREAKABLE!
  28. Cannot be used for an alternative IPL from tape.
  29. So you now have a keystore that has sensitive information but cannot be encrypted. Need to ensure the keystore is backed up to ensure it is available to restore data from tape. Need keystore to be available at DR site so data can be restored.
  30. Available for LTO4, LTO5 & LTO6 and other high end drives such as the IBM TS1140. Existing media pool cannot be used so as well as buying a full set of new media how are you going to handle the existing pool of unencrypted tapes? It may not be simple to upgrade an existing library to take the new drives, even if it is an LTO library. You may also need to upgrade the operating system to support the new tape drives. For some drives you may need to change to a different interface and hence purchase new Host Bus Adapters to handle them.
  31. 696 pages! When you look and see only 47 pages are specific to the iSeries that sounds straightforward – then you realise you need to read much of the rest of the document to understand the iSeries section.
  32. Length of time product / solution is supported? Six years later the auditors demand to see information that is only available on the backups? 12 years or more?
  33. So if you want to only use iSeries then you need to be running the EKM, to use TKLM you will need some other servers.
  34. Hardware appliances offer a more generic and flexible solution that can be used in all situations.
  35. Clearly the main thing is that we need to keep the data confidential so non authorised persons cannot access it.
  36. We also need to ensure the integrity of the information so we know what was written has not been changed in any way.
  37. Another vital thing is to have good availability in the event we need to restore it.
  38. The final requirement is that the solution is simple. This is so it does not delay the recovery of data to those authorised but also that the encryption of data does not have complex requirements so operations staff do not start trying to circumvent it to make their lives easy!
  39. Originally encryption was used in communications links; you presumed anyone could be recording so breaches were likely – changed keys regularly. Electronic Key Management. Tivoli Lifecycle Key Management. Key Management Interoperability Protocol.
  40. You also need to look at the size of your IT team; if you have plenty of people and time then drive encryption may be OK for you, if not then consider an appliance based solution.