This push by certain elements of the records management industry to
push for encryption, to portray the problem as the fault of the client,
to infer that the owner of the tapes was lax in their security because
they failed to encrypt the data is beyond belief.
Not one suggestion has been made in the press about how the tapes in
transit can be better protected from loss or theft! No suggestion as to
a proactive attempt by management's directive to make security of the
tapes and cartridges in transit more fail-safe. This failure to offer
a suggestion on how security can be improved is stirring activity among
potential competitors. The market's desire for vendors who will
protect the client's vital media is inducing the Armored Car companies
into exploring tape movement as something worthy of greater scrutiny.
FEDEX is pushing their Custom Critical Delivery as a viable
alternative. I find it enlightening that with the tens of millions of
packages FEDEX delivers, they have never found it necessary to
criticize their clients for lost deliveries.
The companies losing all the data cartridges have not been able to come
up with one idea about how they can stop losing the data. Future
losses are a given if no serious thought is presented as to how to stop
losing media. If the only way to avoid liability for the entity
losing the data is to claim the loss is the fault of the
client, the concept that the customer is always right is now obsolete.
I believe the argument we are asked to accept here is:
1) We never promised that your data would move from your site to our
site and back again without any losses.
2) We are allowed to lose a certain amount of data. The bigger we are
the more we can lose!
3) Because we have pointed out to your clients, shareholders and the
management team that you are at fault for failing to encrypt, the
problem is now yours and yours alone. If Identity Theft occurs or
foreign competitors steal valuable technology, this is your
responsibility as you failed to perform the only thing that will
protect the data from loss. Encrypt.
But despite this huge public relations push to proclaim encryption the
law of the land, serious problems exist with encryption. The records
management industry is still struggling with E-Records and E-Storage.
IT Management is way off base on what is important in managing
electronic records. The people asked to encrypt are willing to risk
all their records on fragile media for the sole benefit of increased
speed. They will use a cartridge that stores edge trim to edge trim to
gain a little more density. That is all these managers care about:
Speed and Density. Security of their records is very low on their wish
list.
If you present an IT manager a budget surplus of $25,000, they will
spend it on faster and newer equipment not an encryption unit. But
suppose we could change this mentality of speed and density overnight
and they actually cared about the tapes and the records stored on them,
we still have problems.
Until recently the government was fighting encryption because it would
allow companies to hide financial data and it might also pose security
risks by limiting the government's oversight. Now almost overnight we
are to expect that small high tech companies will provide a range of
solutions that will work across the board. We are only just now
achieving Electronic Document Management and look at the time it took.
Encryption is far more complex. Oracle gave an example of the problems
involved and said the worst thing for business continuity is for
companies to rush into encryption without a full understanding of the
problems that new technology presents and the speaker gave an example
of how security officers are demanding more complex passwords and that
the passwords need to be changed on a frequent basis. No thought was
given as to how Hugh Smith was to remember that his password for this
week was hs/*)123blk73 and that next week it would be flk&^71jjf and
next week it will be??????? So after the brainchild of this program
put it in place, they found in a later audit that everyone had their
current password written on a Post-it note stuck inside their desk
drawer or in some cases on the side of the monitor. No one accounted
for the human factor.
********************
From Peter's RAIN:
> ENCRYPT the Hard(ware) Way
> Byteandswitch.com - New York,NY,USA
> <http://www.byteandswitch.com/document.asp?doc_id=82857&WT.svl=column2_1>
Significant quotes in the article
"Encryption appliances are the only effective way of doing it," says
Jim Damoulakis, CTO of storage consultant Glasshouse Technologies.
"Software is too painful to use on a large scale." Appliances have
built-in processors to handle encryption as well as management of
decryption keys.
Damoulakis says there are two problems with software encryption.
Software uses CPU cycles, and this overhead slows down backups. The
other problem is that backup applications require users to shut off
compression when encrypting. In the case of backup applications, that
means more storage capacity is needed, and backups take significantly
longer.
None of them argue that software encryption is more efficient.
"The advantage of an appliance is it has a processor in it, so you're
shifting that load to the appliance," Symantec director of product
marketing Glenn Groshan admits. "But if you look at cost at some of the
appliances, it's not free." Encryption appliances start at around
$25,000.
*******************
In another RAIN article the person interviewed stated:
Baptist Memorial's Weiss said encryption is a good idea but he isn’t
rushing into it. “We’re planning on it,” Weiss said of encryption. “The
question is, which one do I implement. They all have some kind of
impact on backups and restores. Also, how do you protect the
[decryption] key?”
*******************
No IT Manager will be willing to slow down his system or take his IT
budget and spend it all on $25,000 devices that do nothing for
productivity. In addition, I am told there are complex issues that need
to be resolved or encryption could lead to data loss or the failure to
be able to transfer data quickly in the event of a disaster. A foul up
in the encryption system could be the equivalent of a catastrophic loss
as all the media will be unreadable until someone is able to un-encrypt
the defective code. It will be a long and grueling process to convert
to encryption. This is a new version of migration of data and all its
complexities. Imagine the railroad where everyone has their own width
of track.
No matter how many times one entity in the market claims encryption is
the panacea of all data security, please look at the facts.
One technologist suggests that encryption will lull people into a false
sense of security. Remember when a password would protect a computer?
Oh wait... hackers broke the password. Well then, a firewall!
Wait, they seem to beat our firewall consistently. There is NO
encryption that a dedicated IT Whiz can't penetrate given a large
enough value in doing so.
The simple solution is DO NOT LOSE THE TAPES! This works today and
does not require a total revamp of the business world. Whether I ever
encrypt, I still believe the person or company who carries my data out
the door has to be liable for the loss of the media. This whole
argument is simply a kindergarten approach to a disaster. "I didn't do
it!" "I can't be expected to do this, it's too hard!" "If I did it,
it's your fault because you should have known I wasn't capable of doing
what I was told to do."
But for the sake of advancing our knowledge of encryption and this
discussion, talk to your IT Manager and ask what it will take for a
fail-safe encryption system to be put in place? Has anyone done it and
tested it for all the different disaster scenarios? What if the
encrypter and de-encrypter device malfunctions? Then what? How often
do we need to test the stored data to see if it is still readable? How
do we allow everyone access to the information and still maintain
security?
So as dedicated records managers one and all, visit with your IT
manager and ask them what problems exist with encryption? Let us have
an informative discussion here on the Listserv about whether this is an
easy task and whether technology is there yet, for all the concerns. A
rush into encryption could be a disaster for American Commerce. Our
largest corporations could lose access to all their digital records.
What if Europe adopts a different standard? Where do we draw the line
on encryption? Will litigation view encryption as hiding information?
Let's be proactive about this and create arguments for or against
before we get it rammed down our throats. No one wants to hear how
smart you are after the millions have been spent. Here is a chance to
be out in front. If a few people on the List talk to their IT people
we could have a great discussion.
Hugh Smith
FIRELOCK Fireproof Modular Vaults
(610) 756-4440 Fax (610) 756-4134
WWW.FIRELOCK.COM
List archives at http://lists.ufl.edu/archives/recmgmt-l.html