LISTSERV - RECMGMT-L Archives - LISTSERV.IGGURU.US

RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

	LISTSERV Archives
	RECMGMT-L Home

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Forum View Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Risks to Computers.......and Encryption
From:	Norman Owens <[log in to unmask]>
Reply To:	Records Management Program <[log in to unmask]>
Date:	Sun, 20 Nov 2005 01:19:50 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (98 lines)

I will limit my comments to why, from an IT perspective, tape encryption is 
important.  Hacking has different solutions and the higher salaries paid to 
employees who are likely to be good hackers makes them less of a security 
threat than the average person and pay involved in the offsite transfer of 
tapes. 

The problem of data loss through tapes has been solved from an IT 
perspective. 

Encryption will not slow backups if you purchase an encryption appliance.  
It will if you use software, CPUs on backup servers, or any other 
non-chipped-based solution. The appliance hardware on the market will allow 
you to transmit the encryption keys in an encrypted format to a remote 
location.  Thus if you lose your site then the tape vault can send tapes to 
the alternate remote location where access to the keys can be securely 
granted. 

Encryption of tapes is the only way to ensure that you won't lose data that 
you ship, via tape, somewhere else. 

If you aren't convinced that this solves the problem consider this:  The 
sorts of military surveillance planes that lost so much data when one was 
forced to land in China are now equipped with the same sort of encryption 
appliances.  Now if the plane goes down the crew pushes a button to destroy 
the encryption keys.  This is how the military expects to protect data from 
all of the computing power and resources of any foreign government. 

Now consider the alternative proposed by Gerald:  Put money into a strong 
contract with an SLA.  IronMountian is a good vendor and reports out a 
99.995% SLA for securing tapes.  Not bad except they transport millions of 
tapes a year.  Do you think you could find a vendor with a better SLA?  And 
if you did will it help you if your tape is the 1 in 100,000 lost with a 
99.999% SLA and then your company is in the news in California because it 
legally has to report the loss?  Would the SLA penalty cover your loss 
through adverse publicity. 

There is another risk to consider:  How much do you think the folks who man 
the vendor's tape transport trucks are paid?  How hard do you think it would 
be to bribe one of them to leave a key in the truck so that it could be 
stolen on a bathroom break.  How much value would there be in a few dozen 
tapes holding a couple of terabytes of data and, potentially, information 
worth millions of dollars to competitors or thieves. 

In the cases like those alluded to, where tapes were left on a curbside or 
at an airport, if the tapes are encrypted you really can forget about it, if 
they aren't then California law likely requires that you report it and 
prepare your CIO for the bad press in the morning papers.  In the latter 
case telling him/her that you had worked out a great SLA probably won't help 
with your job retention.  Teh California law specifically exempts encrypted 
data from the reporting requirement. 

Gerard J. Nicol writes: 

> Hugh/Jay, 
> 
> I am not sure if encryption does slow backups. Encryption is a CPU intensive
> operation. CPU speed increases significantly each year. It is IO and Network
> speeds that increase at a slower rate than data growth. 
> 
> What needs to be understood here is the obvious disconnect between how IT
> people think, and how most other people think. 
> 
> In IT, theoretically nothing is impossible. In practice IT is about
> trade-offs. 
> 
> Trade-offs are the basis of the SLA (Service Level Agreement). 
> 
> For instance, does it annoy you that Windows takes 60 seconds to start? We
> can fix that for a price. Oh, you are too stingy to pay that price, so let's
> agree that 60 seconds is OK. 
> 
> If we are talking about tapes here, I think people are missing the point if
> they think it is about encryption. 
> 
> Although privacy is now a critical part of our society, the ability of
> society to continue to function is more important. 
> 
> If your offsite vendor is leaving your tapes on the curb, or sending them to
> an airfield never to be seen again forget encryption, use the money to put
> in place a strong contract and SLA with a competent vendor. 
> 
> That way, in the event that you need your tapes for a true disaster you are
> not left pondering how the company might now be out of business but at least
> if the tapes turn up in the hands of someone who has a spare 3490 tape drive
> at home people's privacy might be protected. 
> 
> If you are interested in discussing what you should be putting in an SLA, I
> would be more than happy to assist. 
> 
> Gerard 
> 
> List archives at http://lists.ufl.edu/archives/recmgmt-l.html
> Contact [log in to unmask] for assistance

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance

ATOM RSS1 RSS2

LISTSERV.IGGURU.US