RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: Hugh Smith <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Mon, 31 Oct 2005 17:01:02 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (183 lines)

This push by certain elements of the records management industry to  
push for encryption, to portray the problem as the fault of the client,  
to infer that the owner of the tapes was lax in their security because  
they failed to encrypt the data is beyond belief.

Not one suggestion has been made in the press about how the tapes in  
transit can be better protected from loss or theft! No suggestion as to  
a proactive attempt by management's directive to make security of the  
tapes and cartridges in transit more fail-safe.  This failure to offer  
a suggestion on how security can be improved is stirring activity among  
potential competitors.  The market's desire for vendors who will  
protect the client's vital media is inducing the Armored Car companies
into exploring tape movement as something worthy of greater scrutiny.   
FEDEX is pushing their Custom Critical Delivery as a viable  
alternative.  I find it enlightening that with the tens of millions of  
packages FEDEX delivers, they have never found it necessary to  
criticize their clients for lost deliveries.

The companies losing all the data cartridges have not been able to come  
up with one idea about how they can stop losing the data.  Future  
losses are a given if no serious thought is presented as to how to stop  
losing of media. If the only way to avoid liability for the entity
losing the data is to claim the loss is the fault of the
client, the concept of "the customer is always right" is now obsolete.

I believe the argument we are asked to accept here is:
1) We never promised that your data would move from your site to our  
site and back again without any losses.
2) We are allowed to lose a certain amount of data. The bigger we are  
the more we can lose!
3) Because we have pointed out to your clients, shareholders and the  
management team that you are at fault for failing to encrypt, the  
problem is now yours and yours alone.  If Identity Theft occurs or  
foreign competitors steal valuable technology, this is your  
responsibility as you failed to perform the only thing that will  
protect the data from loss. Encrypt.

But despite this huge public relations push to proclaim encryption the  
law of the land, serious problems exist with encryption.  The records  
management industry is still struggling with E-Records and E-Storage.  
IT Management is way off base on what is important in managing  
electronic records.  The people asked to encrypt are willing to risk  
all their records on fragile media for the sole benefit of increased  
speed.  They will use a cartridge that stores edge trim to edge trim to  
gain a little more density.  That is all these managers care about:   
Speed and Density.  Security of their records is very low on their wish  
list.

If you present an IT manager a budget surplus of $25,000, they will  
spend it on faster and newer equipment not an encryption unit.  But  
suppose we could change this mentality of speed and density overnight  
and they actually cared about the tapes and the records stored on them,  
we still have problems.

Until recently the government was fighting encryption because it would  
allow companies to hide financial data and it might also pose security  
risks by limiting the government's oversight.  Now almost overnight we  
are to expect that small high tech companies will provide a range of  
solutions that will work across the board.  We are only just now  
achieving Electronic Document Management and look at the time it took.

Encryption is far more complex.  Oracle gave an example of the problems  
involved and said the worst thing for business continuity is for  
companies to rush into encryption without a full understanding of the  
problems that new technology presents and the speaker gave an example  
of how security officers are demanding more complex passwords and that  
the passwords need to be changed on a frequent basis.  No thought was  
given as to how Hugh Smith was to remember that his password for this  
week was hs/*)123blk73  and that next week it would be flk&^71jjf and  
next week it will be???????  So after the brainchild of this program  
put it in place, they found in a later audit that everyone had their  
current password written on a Post-it note stuck inside their desk
drawer or in some cases on the side of the monitor. No one accounted  
for the human factor.

********************
 From Peter's RAIN:

> ENCRYPT the Hard(ware) Way
> Byteandswitch.com - New York,NY,USA
> <http://www.byteandswitch.com/document.asp?doc_id=82857&WT.svl=column2_1>

Significant quotes in the article

"Encryption appliances are the only effective way of doing it," says  
Jim Damoulakis, CTO of storage consultant Glasshouse Technologies.  
"Software is too painful to use on a large scale." Appliances have  
built-in processors to handle encryption as well as management of
decryption keys.

Damoulakis says there are two problems with software encryption.  
Software uses CPU cycles, and this overhead slows down backups. The  
other problem is that backup applications require users to shut off  
compression when encrypting. In the case of backup applications, that  
means more storage capacity is needed, and backups take significantly  
longer.

None of them argue that software encryption is more efficient.

"The advantage of an appliance is it has a processor in it, so you're  
shifting that load to the appliance," Symantec director of product  
marketing Glenn Groshan admits. "But if you look at cost at some of the  
appliances, it's not free." Encryption appliances start at around  
$25,000.

*******************
In another RAIN article the person interviewed stated:

Baptist Memorial's Weiss said encryption is a good idea but he isn’t
rushing into it. “We’re planning on it,” Weiss said of encryption. “The  
question is, which one do I implement. They all have some kind of  
impact on backups and restores. Also, how do you protect the  
[decryption] key?”

*******************



No IT Manager will be willing to slow down his system or take his IT  
budget and spend it all on $25,000 devices that do nothing for  
productivity. In addition, I am told there are complex issues that need  
to be resolved or encryption could lead to data loss or the failure to  
be able to transfer data quickly in the event of a disaster.  A foul-up
in the encryption system could be the equivalent of a catastrophic loss  
as all the media will be unreadable until someone is able to un-encrypt  
the defective code. It will be a long and grueling process to convert  
to encryption. This is a new version of migration of data and all its  
complexities. Imagine the railroad where everyone has their own width  
of track.

No matter how many times one entity in the market claims encryption is  
the panacea of all data security, please look at the facts.

One technologist suggests that encryption will lull people into a false  
sense of security.  Remember when a password would protect a computer?
Oh wait..........hackers broke the password.  Well then a firewall!
Wait, they seem to beat our firewall consistently.  There is NO
encryption that a dedicated IT Whiz can't penetrate given a large  
enough value in doing so.

The simple solution is DO NOT LOSE THE TAPES!  This works today and  
does not require a total revamp of the business world.  Whether I ever  
encrypt, I still believe the person or company who carries my data out
the door has to be liable for the loss of the media.  This whole
argument is simply a kindergarten approach to a disaster. "I didn't do
it!" "I can't be expected to do this, it's too hard!"  "If I did it,  
it's your fault because you should have known I wasn't capable of doing  
what I was told to do."

But for the sake of advancing our knowledge of encryption and this  
discussion, talk to your IT Manager and ask what it will take for a  
fail-safe encryption system to be put in place?  Has anyone done it and
tested it for all the different disaster scenarios?  What if the  
encrypter and de-encrypter device malfunctions?  Then what?  How often  
do we need to test the stored data to see if it is still readable?  How  
do we allow everyone access to the information and still maintain  
security?

So as dedicated records managers one and all, visit with your IT  
manager and ask them what problems exist with encryption?  Let us have  
an informative discussion here on the Listserv about whether this is an  
easy task and whether technology is there yet, for all the concerns. A  
rush into encryption could be a disaster for American Commerce.  Our  
largest corporations could lose access to all their digital records.   
What if Europe adopts a different standard? Where do we draw the line  
on encryption? Will litigation view encryption as hiding information?

Let's be proactive about this and create arguments for or against  
before we get it rammed down our throats.  No one wants to hear how  
smart you are after the millions have been spent.  Here is a chance to  
be out in front.  If a few people on the List talk to their IT people  
we could have a great discussion.

Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610)  756-4440    Fax (610)  756-4134
WWW.FIRELOCK.COM

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
