RE: Securing Backups via Encryption

From: Ken Buchanan (ken.buchanan_at_gmail.com)
Date: 06/16/05

  • Next message: Ansgar -59cobalt- Wiechers: "Re: Windows XP Internet Connection Firewall"
    Date: Thu, 16 Jun 2005 11:09:25 -0400
    To: jbeauford@EightInOnePet.com, dnardoni@firstresponseconsulting.com, security-basics@securityfocus.com
    
    

    This discussion was had last week on the Cryptography mailing list.

    http://www.mail-archive.com/cryptography@metzdowd.com/index.html#04003
    (the discussion is scattered across a couple of threads due to thread branching)

    Perry Metzger suggested he had helped customers encrypt tapes using
    naive solutions that avoid the key management problem (eg. use one key
    for all your tapes for six months). This doesn't scale, but is a
    probably a perfectly good solution if you have limited encryption
    requirements -- say, you just don't want the information exposed in
    plaintext when the tapes are out of your hands.

    Another problem with simple solutions is that if you encrypt before
    writing data to tape in a storage infrastructure then you lose all the
    benefits of compression.

    There is not really anything from the tape vendors -- *yet* -- but
    there are small vendors that offer storage encryption products. One
    of them, Decru, has just been bought by Network Appliance (announced
    this morning).

    A network computing article on the current state of storage security:
    http://www.networkcomputing.com/showitem.jhtml?docid=1607f2

    -----Original Message-----
    From: Beauford, Jason [mailto:jbeauford@EightInOnePet.com]
    Sent: Wednesday, June 15, 2005 6:12 PM
    To: dnardoni@firstresponseconsulting.com;
    security-basics@securityfocus.com
    Subject: RE: Securing Backups via Encryption

    Good question. Here I am not encrypting the data as it is archived to
    the tape. I am using Veritas BackupExec with LTO-2 as my archive
    solution. With the recent rash of data theft and lost backups (Citibank
    and Motorola), I too have become very interested in this topic. As of
    now I have an open case with Veritas (waiting for a call back) and I am
    hoping they can steer me in the right direction. Although I doubt it is
    an integrated feature.

    -JMB

    -----Original Message-----
    From: Dave Nardoni [mailto:dnardoni@firstresponseconsulting.com]
    Sent: Wednesday, June 15, 2005 11:50 AM
    To: security-basics@securityfocus.com
    Subject: Securing Backups via Encryption

    I am interested in how many of you are securing your backups via
    encryption.

    If you would not mind sharing some of your solutions.

    What are you using to encrypt data that goes to tape?
    What are you using to encrypt data that goes to disk?
    What are you using to encrypt data that goes to an offsite storage
    facility via web (ie. Xdrive or similar service offsite service)? What
    services do you employ to handle secure backups offsite?

    Any other ideas around this would be helpful.

    Thank you in advance for sharing your comments,

    David Nardoni CISSP, EnCE
    dnardoni@firstresponseconsulting.com
    PGP Signature: 9CE4 C240 BBC7 2945 BDD6 C97A 0E3D 2547 DB0A 104C


  • Next message: Ansgar -59cobalt- Wiechers: "Re: Windows XP Internet Connection Firewall"

    Relevant Pages

    • Re: VMS Encrypt key handling
      ...  The media goes offsite for up to 8 weeks after ... be used for daily and weekly backups. ... The first question to consider is "Do you really *need* to encrypt your ... Current tape storage consists of 60 archived DAT 12/24 tapes, ...
      (comp.os.vms)
    • Re: Securing Backups via Encryption
      ... We use Gnupg and a public/private key pair on each server to encrypt the ... We don't use tapes, but hard ... > I am interested in how many of you are securing your backups via encryption. ... > What are you using to encrypt data that goes to tape? ...
      (Security-Basics)
    • RE: Encrypt data - SQL Server 2000
      ... would you want to encrypt data inside a database?. ... Encrypt data - SQL Server 2000 ...
      (Focus-Microsoft)
    • Re: Encrypted backup
      ... >1) My goal is to upload daily some backups of my most important files ... >(Debian too, with ssh access). ... > As I'm not the administrator of the remote server, I'd like to encrypt ...
      (Debian-User)
    • Re: re : offsite data encryption
      ... with but all PII that is move offsite. ... because management has weighed the risks of sending the unencrypted backups ... Management knows best. ... I have learned how to encrypt my backups. ...
      (bit.listserv.ibm-main)