Credit union addresses tape security

By Heidi Biggar

Recent reports of missing data tapes out of Bank of America, CitiGroup, and Time Warner highlight a growing concern in the industry about the potential security risks of saving data in clear-text format to tape media during backup, disaster recovery, and archival procedures.

But for many organizations, the idea of encrypting data before it is saved to tape is not a top priority, if it’s on the “to-do” list at all.

“Tape encryption is not at the forefront of CEOs’ minds,” says Dan Chow, systems engineer, IT systems and security, at BECU credit union, one of the nation’s top-10 financial cooperatives and Washington State’s largest credit union and an early adopter of tape encryption technology.

Chow says that while identity theft and fraud are real, daily threats to organizations (in particular, financial institutions such as BECU), and while IT departments go to great lengths to secure servers and networks against attacks, comparatively few companies have taken the necessary steps to ensure that data written to tapes during the backup process and transported off-site for storage is secure, a point evidenced by the recent breaches at Bank of America and CitiGroup, for example.

In both cases, because the data written to tape was unencrypted (i.e., it was written in clear-text format), significant personal employee and customer data was at risk of falling into the wrong hands. Had the data been encrypted, loss of the tapes, although still serious, would have had far fewer potential consequences.

When it comes to compliance with Sarbanes-Oxley (SOX) and other state and federal privacy regulations, such as the Gramm-Leach-Bliley Act, Chow says all eyes are on tiered storage, not tape encryption. Chow believes that while tiered storage and disk-based backup will play a key role in IT environments going forward (BECU is currently staging some data to disk), tape will continue to be the primary target of long-term archival and disaster-recovery data for the foreseeable future.

“Long-term archival is always going to be tape, and that is because it is more secure,” says Chow. “There is no way to get access to the tape unless you have physical access to the vault. The idea of [moving away from tape to disk] is insane. Unless you have the ability to replicate to multiple disparate storage arrays across multiple sites, and have hundreds of millions of dollars to do that, tape is a very cost-effective solution to mitigate a disaster.”

The decision to implement a tape encryption product was made by BECU about a year and a half ago during an annual “vulnerability” audit of the organization’s IT infrastructure. Chow says one of the red flags raised during the audit process centered on the backup process. “We were concerned about the fact that our members’ data was in clear-text format during the backup process, [and so we talked about encrypting the data].”

At the time of the BECU audit, tape encryption was a brand-new concept and was available from only a few vendors. Upon the recommendation of a consultant employed by the credit union, BECU looked at Decru’s DataFort encryption appliance, as well as software options from EMC Legato (for its NetWorker product) and its applications vendors (e.g., Oracle). Neither the EMC Legato nor the application vendor path panned out. Oracle wasn’t an option, and although NetWorker was capable of encrypting data in transit, it still wrote data to tape in clear-text format, says Chow.

BECU ultimately implemented eight Decru DataFort T-Series encryption appliances; the appliances sit in front of four tape libraries at multiple site locations (see figure). The credit union currently backs up 3TB to 4TB of data daily to tape but hopes to lessen the backup load by adopting an incremental/differential backup schedule in the future.

BECU is not encrypting any data written to disk, although the option to do so exists with the DataFort appliance. Chow believes the level of protection built into the storage environment (i.e., physical security parameters), the complexity of the disk storage environment (due to virtualization, etc.), and upcoming technologies, such as biometrics, obviate the need for disk encryption. “Disk encryption is not really protecting anything,” says Chow. “It’s encrypting just for the sake of encrypting.” Overall, Chow says that data inside the server/network environment is pretty secure; it is data that leaves the site (e.g., data that is backed up to tape and taken off-site for storage) that is the concern.

BECU was able to get the DataFort appliances up and running in one day, and there has been little, if any, performance impact in the form of additional latency. The biggest pain point, says Chow, has been interoperability issues between the Hewlett-Packard hardware and software and the DataFort, which HP reportedly does not recognize. EMC, in comparison, has been quick to certify the product, says Chow. (BECU is primarily an HP shop with some EMC gear.)

“We still don’t have full end-to-end support from HP,” says Chow. “So, our biggest pain point is how to get HP to help us out [when issues arise] between the Decru and HP products.”

BECU estimates the total cost of its Decru installation at about $25,000. The appliances are plug-and-play and can be added to IT environments non-disruptively.

This article was originally published on August 01, 2005