RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US
Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: Risks to Computers.......and Encryption
From:
Larry Medina <[log in to unmask]>
Reply To:
Records Management Program <[log in to unmask]>
Date:
Wed, 23 Nov 2005 14:28:15 -0800
Content-Type:
text/plain
Parts/Attachments:
text/plain (107 lines) 
For the most part, I've decided to stay out of this exchange, most of what
has needed to be said, has been said and this is the second time around for
the majority of it.


I agree with all most all of the facts that you lay out but I have
> adifferent focus of worry on the cost.


I must agree with you here, because even the mention of the use of
"encryption appliances" lacks some information and definitely some clarity.
In the example given of the Air Force "data gathering plane" (i hate the use
of the "S" word) , the on-the-fly encryption is of great value and would be
part of the "business practices" in that model.  In most businesses, no
matter HOW MUCH data is processed and WHAT THE VALUE of the data is, this is
not part of the model, unless they are highly risk averse and the cost of
using these appliances can be passed along to the clients or customers.

Backups are generated from source tapes or disk drives in an off-line
routine that doesn't impact regular business.  Encryption is done
post-backup, or in rare cases in-line while making backups, but the risk
there is IF something goes awry WHILE the backup is being generated with the
primary data, what do they use to restore the system???  That said,with
firms that DO employ encryption, it takes place off-line and results in a
tertiary set of data tapes, which is what is normally sent offsite.

Another cost component is the decryption of these tapes if they are required
for use to restore a system.  And cost isn't just a $$$ issue, it's TIME.
Depending on the size of the data repository, it could involve hours to
decrypt the tapes prior to restoring them, which could also take hours.

You make a good case that the chances are slim that the data
> will fall into the wrong hands and be valuable to that thief.


You can bet on this one... most of this data is captured in a stream and
requires the application and file format to reuse CSV delimited data. Unless
someone is intimately familiar with how the data is structured, the ability
to use it is highly limited.

Nevertheless, the disclosure law presents a lop-sided cost to the business
> because now if a tape is permanently lost a business must disclose that
> loss
> and suffer the publicity.


Well, here's one that has bothered me since the beginning... the company who
OWNED THE DATA is required to notify their customers who were potentially
impacted by the losses and publicly make known the loss after that, within a
specified number of hours... UNLESS the DOJ or FBI tells them NOT TO.  And
when this happened in two cases, the vendor who actually lost the tapes took
advantage of that opportunity to go on a publicity campaign urging the
encryption of data tapes.

What REALLY BOTHERS ME, is the business who owned the data DIDN'T DO
ANYTHING WRONG... the service provider they had a contract with DID.  And
they weren't made to shoulder any of the losses, they weren't drubbed
publicly about their errors, they didn't even lose customers because no one
can AFFORD TO LEAVE because of a little clause in the contract about
permanent withdrawal of holdings, which is like charging someone to withdraw
their own money from a bank.

There don't seem to be any follow up studies on
> what the total loss was to the people whose personal data was lost.


And this is an interesting little bit here... "permanently lost"... the Time
Warner case is a real interesting one... tapes were picked up, scanned at
the time, scanned again when they made it to the truck and then "lost"
somewhere in NYC.  NOBODY ever found them?  They weren't misdelivered? They
just disappeared??  In the Bank of America case, some were found
damaged/destroyed in the conveyor equipment and others never turned up, but
that is probably because they were unidentifiable.

I wonder if the publicity came about because of the disclosure law that
> forced these incidents into the news.  Without them I think that it would
> have been easy to assess the liklihood of financial loss as low and
> certainly far lower than the cost of telling everyone what had
> happened.  If
> disclosure brought the publicity then perhaps this has been an unreported
> and unnoticed problem.


I don't think there is any question that this has happened routinely for
years.  It just hasn't hit the papers until the laws were passed.  And keep
in mind, this business of people using 3rd parties to store data tapes isn't
something that has been going on for extended periods of time.  Many
businesses ran their OWN data centers for a lot of years, this is a new
"boutique market" that has sprung up in the past decade or so.

I could go on and on about the need to establish SLAs with your service
providers, to visit sites and ensure they are doing what the contract says
they're supposed to do and to ensure that adequate safety and protection is
being provide to you information assets entrusted to others, but instead...
I think I'll start my long weekend.

Happy Thanksgiving all...

Larry
--
Larry Medina
Danville, CA
RIM Professional since 1972

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance

ATOM RSS1 RSS2