Date: Mon, 21 Nov 2005 20:19:00 -0500
Hugh,
I believe that you take the Hoffman quote out of context and then mis-apply
it. You then infer that we should be very worried because EMC, rather than
Mr. Hoffman, evaluates the rush to encryption as knee-jerk. I think that
you generally represent the IT group as risk takers leading a rush to cool
technology. So I would like to offer the Storage Magazine quote in full and
then draw a different conclusion.
The Hoffman quote and context:
"Whatever the case, it's important to remember that encrypting backups
should be only a small part of an organization's security strategy. "A tape
falling off of an Iron Mountain truck is a 5% problem," says Hoffman. "It's
far more likely that information will be leaked because of a laptop loss or
employee theft." Broadly speaking, he sees the rush to encrypt backups as "a
massive knee-jerk reaction within the storage industry right now. The best
way to secure your backup is not to put it on tape [and to use disk]."
Hoffman's argument overall is that disk is a better backup media than tape
and so tape encryption is mis-guided because a disk-based solution is
better. He also doesn't feel that tape loss poses as much of a risk as
internal threats and laptop loss. This message that disk is better for
backups than tape is at least a 10-year-old message from EMC.
You have used a reference to the quote to imply a worry point that I don't
think EMC shares. EMC is selling the encryption appliances at a brisk
pace.
I have tried to argue that if you are worried about data loss through tape
theft then you should encrypt your tape data. Iron Mountain, a leading
vendor of these off-site services now says that all responsible customers
should do this. To a previous suggestion that we focus on SLAs I wonder
what use that will be if a leading provider of these services now rejects
the SLA approach as a means of decreasing the risk of data loss.
Hoffman and others argue that this focus on tape encryption is misdirected
which is all well and good unless this is what your CIO and corporate board
are worried about too. And you can't afford to supplant tape with disk.
Hugh Smith writes:
> These are some great comments from all participating. I am learning a lot.
>
> To those who understand this technology....
> If I have four offices around the country communicating back and forth,
> how many encryption appliances do I need to keep everyone secure?
>
> If I can bribe a guy to give me the keys to his truck, couldn't I also
> just as easily bribe somebody to give me the encryption key?
>
> Also, I have heard no confirmation that these devices are 100% reliable.
> Losing the encryption code would be the same as destroying the data and
> under SOX this would be tantamount to spoliation and create problems. New
> technologies always show up with bugs and problems. Tapes and cartridges
> seemed great until we heard about the digits to dust phenomena. Dropping a
> cartridge destroys data so they are more fragile than we were aware of.
> This isn't cutting edge technology it is bleeding edge so there are a lot
> of issues we have no base of knowledge on.
>
> What problems might result from these appliances? Something this new has
> not really even passed the beta test phase yet? Isn't it a little soon to
> put all our vital records in the care of a technology with no proven track
> record?
>
> IT management makes me nervous because they will put everything at risk
> for a little more speed and a little more density. Blade servers are a
> great example of that. Fire marshals are going back to demanding water in
> IT Server rooms rather than clean agent suppression systems because they
> view the blade server as a bad fire risk. So now for a little increased
> speed we will have water over the servers. These appliances seem to be an
> extension of that speed at all risk mentality.
>
> Is this technology rock solid right now? If not, why are we being told to
> risk everything on something that is still in beta mode?
>
> Has the appliance been phased to the retention schedule? Will the key be
> relevant for the 7 year retention period or the 50 year retention period
> or did the IT planner think about the period for which the records need to
> stay safe, secure, readable? If someone as big and savvy as EMC refers to
> this as a knee-jerk reaction, shouldn't this worry us?
>
> Would you bet your life on the reliability of this technology? If we are
> storing health records and an appliance is part of the system, then maybe
> that is what this new appliance is being asked to do?
>
> If I get the answers to these questions I am done, I will know enough to
> be dangerous.
>
>
> Hugh Smith
> FIRELOCK Fireproof Modular Vaults
> [log in to unmask]
> (610) 756-4440 Fax (610) 756-4134
> WWW.FIRELOCK.COM
>
> List archives at http://lists.ufl.edu/archives/recmgmt-l.html
> Contact [log in to unmask] for assistance