After Data Losses Like Time Warner's, Companies Need To Rethink Tape-Storage Security
Companies are likely to pay closer attention to security measures, but tape storage isn't about to go away.
Recent losses of customer or employee data by Ameritrade, Bank of America, and Time Warner cast light on a fact of business life most people never think about: Companies are still heavily dependent on computer tapes for data storage, and there's a lot of that sensitive information rolling around the streets every day.
The loss of that data in shipment--and new legal requirements forcing disclosure of those losses--will likely cause companies to take more precautions, including encryption. But while the demise of tape storage has been predicted many times, companies aren't likely to abandon cost-effective tape storage.
Time Warner this week revealed that tapes containing data, including names and Social Security numbers, on 600,000 current and former employees disappeared on March 22 while being shipped to an offsite storage center operated by Iron Mountain Inc., which provides data-backup services. An investigation by the U.S. Secret Service failed to turn up evidence that the tapes or their contents were accessed or misused. The information on the tapes is in a form that's not easily accessed, the company says.
Few companies encrypt backup tapes, since it makes searching for and accessing information on them much more difficult. In the wake of the disclosures, however, IT managers are taking another look at encryption. "Maybe it's time we all start to encrypt our tape data," says Jay Wessel, senior director of technology for the Boston Celtics. "It's definitely something I need to look at."
Only 7% of businesses encrypt all backup tapes, estimates Tony Asaro, an analyst at Enterprise Strategy Group. California's requirement that companies notify customers if personal information may have been accessed has made the issue a public one. "This type of thing has probably happened before, but the need for disclosure has made it more important to take precautions, especially encryption of data," Asaro says. The federal government is considering legislation similar to California's.
Iron Mountain is urging companies to embrace encryption. Ten days before the Time Warner incident was disclosed, Iron Mountain issued an advisory to customers to encrypt all tapes as part of the routine backup procedure: "It is important to understand that unencrypted information stored on backup tapes is difficult to read, but it is not impossible. Companies need to reassess their backup strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy."
Iron Mountain this year has had four cases of human error that resulted in the loss of a customer's computer backup tapes; the company performs upwards of 5 million pickups and deliveries of backup tapes each year.
Some companies are replacing tape as their primary backup medium, switching to disk-based backups such as mirroring, in which databases at a primary site are continuously replicated over high-speed telecommunications lines. With the widespread availability of high-speed bandwidth and less-expensive disk storage systems, disk-to-disk backup is emerging as an affordable alternative to tape. AmeriVault Corp., a provider of hosted disk-to-disk backup services, has "consistently" dropped prices by 10% to 15% a year, president and CEO Bud Stoddard says.
Legal Services for New York City, which provides free legal aid for low-income residents, uses Double-Take replication software from NSI Software Inc. to continuously replicate its primary SQL Server database, which is housed at its downtown Manhattan headquarters, to its office in Harlem, which serves as its backup site.
It still uses software from Veritas Software Corp. to create backup tapes for archiving purposes, but the number of tapes has declined since the company switched from creating backup tapes at each of its satellite offices to creating one centralized backup tape. "There are fewer and fewer reasons for tape," chief technology officer John Greiner says.
LSNY is planning to add network-attached storage to provide lawyers with faster access to archived case histories, Greiner says. He's also intrigued by Linux-based systems that perform intelligent disk-based backups, in which data that's new or frequently used is automatically backed up at regular intervals.
While the need for tapes is reduced, they're unlikely to go away soon; tape is still the most cost-effective medium for long-term storage, Asaro says. However, with the spotlight suddenly being cast on losses of tapes, encryption of all tapes prior to shipment is likely to become standard operating procedure.
Wessel, with the Boston Celtics, says the company pays particularly close attention to chain-of-possession when it comes to tape data. Much of its critical data, such as basketball-game statistics, are replicated continuously to disk at an offsite facility. Wessel uses tape for backing up digital media such as photos, audio, and video files, which consume too much bandwidth to be transmitted over a network. Once a week, an Iron Mountain truck delivers a box containing the previous week's backup tapes. Two Celtics employees, under observation by a third employee, open the box, remove the contents, place the new tapes in, seal the box, and return it to the driver. So far, it's worked: Wessel says no tapes have been lost.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?