Few case studies better illustrate the need to secure media than the mishandling of tapes by South Shore Hospital, which in 2010 sold 473 unencrypted backup tapes containing more than 800,000 patient names, Social Security numbers, financial account numbers, and medical diagnoses. The institution, based in South Weymouth, Mass., did not inform the buyer about the private records on the tapes, and only one of three boxes of tapes actually arrived to the recipient. Still, in May the hospital paid $750,000 to settle a lawsuit alleging that it failed to protect patients' electronic health information.
To ensure that your enterprise doesn't fumble private data, follow four tape backup security steps.
1. Encrypt data at rest.
Sounds like Security 101, but just 22% of respondents to our InformationWeek State of Storage Survey encrypt all backup tapes.
Encryption is not an absolute protection, but it meets most regulatory best-effort standards. By applying bank-level AES 256-bit encryption to data before committing it to tape, you ensure that your security efforts meet the requirements of state data breach laws, like those in California and Massachusetts, that make the custodial data center or IT department responsible for the loss of personally identifiable information. While 512-bit encryption is available, "using it adds too much time to the encryption and decryption process to be practical," said Matt Brickey, director of storage and data protection at Savvis, an enterprise-oriented cloud services provider.
Encrypting data before sending it to tape enables a faster backup process than encrypting data on the fly during backup.
"We use native--Microsoft SQL, Windows--and third-party--Symantec Backup Exec--tools to encrypt and compress data," said Robert Boorman, IS manager for financial advice firm The Rich Dad. "These tools now support 256-bit encryption, so it's not a complex process."
When saving to disk prior to tape, back up to an encrypted file system like Windows EFS. "We use a separate set of hard drives in each of our disk backup products," said Boorman. And don't drop the ball on key management.
2. Use a consistent, documented backup schedule.
For example, perform full backups weekly, differential backups daily, and monthly backups at the end of the month. After three months, perform a quarterly backup. After 12 months, complete a yearly backup. "At each major step we reuse tapes," said Boorman. "At the yearly backup, we reuse the quarterly backup tapes or destroy them."
3. Handle and store tapes securely.
Purchase new, sealed tapes, and label them properly. Serial and bar coding are better than simple handwritten labels. Use a tape library that supports a pass code, for locking the physical device. "We recommend using this pass code and any software-based security in the backup program as well," Boorman said. "We also audit all security." Once the system writes to a tape, place a sticker over the lock window. If that is torn, someone has tampered with it.
By layering the physical security of the backup tape, it and its attendant data are no longer low-hanging fruit. "Our tapes are physically located within our server rack, locked behind several layers of physical security--badges, eye retina, and other biometric devices," Boorman said.
When sending tapes off site, use a bonded courier. Ship tapes in a lockbox to which only the enterprise and the security officers at the storage facility have access. The courier should not be able to get into the lockboxes.
4. Destroy tapes at the end of the life cycle.
Destroy, do not sell, used tapes in accordance with a documented data disposition policy. Either incinerate tapes using a licensed facility or shred the media using tape shredders.
Shredding is the best way to destroy tapes and meet audit requirements, said Brickey. "People want to see reports that someone shredded the specific tapes, by serial number," he said. "They want to see a signature on a form."
Finally, don't use tape as an archival system. There are better ways to do long-term data preservation, as we discuss in this report.