Protecting your backup
Blog Has Moved
Link to the same post in the new blog: Protecting your backup
One of the things many companies fail to put enough attention is proper protection to their backups.
I recently read an article about large American bank that sent a notification to its customers of losing a backup-tape, with customer's personal information.
I guess the only reason the bank reveal the information about the security breach is because he had to do so, under a federal law - just think about how many companies keep this sort of information to themselves in-order to avoid lawsuits.
Almost every company perform backup of its data. It can be using commercial software, file copy to a remote site, backup to tape, and now it is becoming more and more common to perform backup to disk, into a large storage device.
Usually, when performing backup to tape, most companies use to move the tapes into offsite storage, such as remote site.
While moving the backup to remote site might be considered as a good security practice against site disaster, there are 2 important things to think about.
The first thing is physical protection during the move, and while storing them on a safe at the remote site.
In this case I strongly recommend document the process - document the labels and dates of the tapes, and maybe even have the person transporting the tapes sign a form, so you'll have more confidence that the tapes were actually being transported to their destination.
Another thing you should consider is encryption to the data itself.
You don't want to be in a situation where somebody steals a suitcase full of backup tapes, where all your data is in clear text.
I guess most commercial products allow you to encrypt your backups, but it raises a question about maintaining the encryption.
If you encrypt your backups using the same password or passphrase year after year, and some ex-employee knows the password, it can harm the whole idea behind encryption.
On the other hand, if you change the password from time to time, you need to manage a list of old passwords against list of dates of backup-tape labels, which might become a headache since it is another thing to maintain.
Today more and more companies are moving to backup-to-disk, because the cost of hard disks is very low, and it's a fast media.
While performing backup to a remote site, you need to consider moving the data over secure or encrypted VPN lines in-order to avoid someone intercepting the data and stealing sensitive files.
Another good practice is to store the data on an encrypted file system. This way you don't need to worry about some will be able to review your files, but you will have the overhead of maintaining the encryption key, and the copy to the encrypted file system might become a little bit slower on slow machines or slow storage devices.
Remember, keeping your backup safe and secure, enables you to overcome site disaster while protecting from data breach and law suites.