Hugh, 

I believe that you take the Hoffman quote out of context and then mis-apply 
it.  You then infer that we should be very worried because EMC, rather than 
Mr. Hoffman, evaluates the rush to encryption as knee-jerk.  I think that 
you generally represent the IT group as risk takers leading a rush to cool 
technology.  So I would like to offer the Storage Magazine quote in full and 
then draw a different conclusion. 

The Hoffman quote and context: 

"Whatever the case, it's important to remember that encrypting backups 
should be only a small part of an organization's security strategy. "A tape 
falling off of an Iron Mountain truck is a 5% problem," says Hoffman. "It's 
far more likely that information will be leaked because of a laptop loss or 
employee theft." Broadly speaking, he sees the rush to encrypt backups as "a 
massive knee-jerk reaction within the storage industry right now. The best 
way to secure your backup is not to put it on tape [and to use disk]." 

Hoffman's argument overall is that disk is a better backup media than tape 
and so tape encryption is mis-guided because a disk-based solution is 
better.  He also doesn't feel that tape loss poses as much of a risk as 
internal threats and laptop loss.  This message that disk is better for 
backups than tape is at least a 10-year-old message from EMC. 

You have used a reference to the quote to imply a worry point that I don't 
think EMC shares.  EMC is selling the encryption appliances as at a brisk 
pace. 

I have tried to argue that if you are worried about data loss through tape 
theft then you should encrpyt your tape data.  Iron Mountain, a leading 
vendor of these off-site services now says that all responsible customers  
should do this.  To a previous suggestion that we focus on SLAs I wonder 
what use that will be if a leading provider of these services now rejects  
the SLA approach as a means of decreasing the risk of data loss. 

Hoffman and others argue that this focus on tape encryption is misdirected 
which is all well and good unless this is what your CIO and corporate board 
is worried about too.  And you can't afford to supplant tape with disk. 

 

Hugh Smith writes: 

> These are some great comments from all participating. I am learning a lot. 
> 
> To those who understand this technology....
> If I have four offices around the country communicating back and forth, 
> how many encryption appliances do I need to keep everyone secure? 
> 
> If I can bribe a guy to give me the keys to his truck, couldn't I also 
> just as easily bribe somebody to give me the encryption key? 
> 
> Also, I have heard no confirmation that these devices are 100% reliable. 
> Losing the encryption code would be the same as destroying the data and 
> under SOX this would be tantamount to spoliation and create problems.  New 
> technologies always show up with bugs and problems.  Tapes and cartridges 
> seemed great until we heard about the digits to dust phenomena. Dropping a 
> cartridge destroys data so they are more fragile than we were aware of. 
> This isn't cutting edge technology it is bleeding edge so there are a lot 
> of issues we have no base of knowledge on. 
> 
> What problems might result from these appliances?  Something this new has 
> not really even passed the beta test phase yet?  Isn't it a little soon to 
> put all our vital records in the care of a technology with no proven track 
> record? 
> 
> IT management makes me nervous because they will put everything at risk 
> for a little more speed and a little more density.  Blade servers are a 
> great example of that.  Fire marshals are going back to demanding water in 
> IT Server rooms rather than clean agent suppression systems because they 
> view the blade server as a bad fire risk.  So now for a little increased 
> speed we will have water over the servers.  These appliances seem to be an 
> extension of that speed at all risk mentality. 
> 
> Is this technology rock solid right now?  If not, why are we being told to 
> risk everything on something that is still in beta mode? 
> 
> Has the appliance been phased to the retention schedule?  Will the key be 
> relevant for the 7 year retention period or the 50 year retention period 
> or did the IT planner think about the period for which the records need to 
> stay safe, secure, readable?  If someone as big and savvy as EMC refers to 
> this as a knee-jerk reaction, shouldn't this worry us? 
> 
> Would you bet your life on the reliability of this technology?  If we are 
> storing health records and an appliance is part of the system, then maybe 
> that is what this new appliance is being asked to do? 
> 
> If I get the answers to these questions I am done, I will know enough to 
> be dangerous. 
> 
> 
> Hugh Smith
> FIRELOCK Fireproof Modular Vaults
> [log in to unmask]
> (610)  756-4440    Fax (610)  756-4134
> WWW.FIRELOCK.COM 
> 
> List archives at http://lists.ufl.edu/archives/recmgmt-l.html
> Contact [log in to unmask] for assistance
 

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance