Even encrypted data can be read if it is stolen and the thieves have enough time, but all too often data is not encrypted in transit, and that increases risks, warned Paul Howard of tape encryption specialist DISUK.

by Alex Goldman ISP-Planet Managing Editor [February 20, 2009]

The story of the founding of Silverstone, UK-based tape encryption specialist DISUK is told on the company's website. The team that founded the company were selling tape backup when a Swiss bank said they had a concern: a truck carrying tapes had been involved in an accident. The bank wanted all tapes to be automatically encrypted before they were moved, but could find no automated system that would enable this.

So DISUK was founded in 1996 and soon built the first generation of its Paranoia series of tape encryption products (the company is now branching out into key management and related products). The Paranoia series is entering its third generation.

Paul Howard, DISUK managing director, told attendees of the Wall Street Technology Association's risk management seminar that companies pay a great deal of attention to protecting their live data but often fail to consider the risks to what he called "data at rest" until the point is driven home to them (as it was to the Swiss bankers by an accident on a road).

"Some of you use Iron Mountain. Some of you hire couriers. Most people we talk to say, 'we've never lost tape data,' but are you sure? How would you know if it happened?"

"Others say, 'we don't use tape,' but if you take a look," he said, "you'll find that even data in virtual tape libraries eventually goes to tape."

"So they say, 'that's old data' but my data of birth doesn't change. Your social security number doesn't change."

Budget constraints
Howard acknowledged that management is not in a spending mood at the moment. All too often requests to add a piece of hardware to the budget are denied.

"I say this," said Howard. "Ask management to write up and sign a press release to be used in the event of loss of data."

Data loss costs money, and it costs financial institutions a lot of money. When you're making the case for security to management, management will want numbers. Howard pointed out that the Ponemon Institute regularly produces data on the cost of data loss. The institute's mission statement says it is "dedicated to advancing responsible information and privacy management practices in business and government."

The cost of a breach could be a million dollars and the cost of encrypting all your tapes could be a single $18,000 device, Howard said.

Technology
"Security has to be simple because human being are lazy," Howard said. "Human beings will try to find a way around complex security."

There's always the risk of an insider taking a tape. "Tapes fit in a jacket pocket quite nicely," said Howard. He explained that he had run a "Red Team" exercise in which he talked his way into a data center and walked out with a tape, emphasizing that management knew what he was doing at every step.

Q&A
Attendees were interested in the subject. Among the questions were two that will be interesting to readers of ISP-Planet.

One attendee asked what happens if the company loses the keys to their own tapes. Howard said that DISUK knows of one case of this happening and the tape vendor was able to help the company copy the data onto disks to which the company had the keys.

Another attendee asked about unreadable blocks on encrypted tape. Some encryption schemes are incremental, so if you lose a piece of the data, you cannot read anything after the part you have lost. All Howard would say is, "we have a method to get beyond a dead area."

—End