Despite the explosion of data and the large numbers data breaches, enterprises are not doing enough to encrypt their backup data, according to a study conducted jointly by security vendor Thales Group and Trust Catalyst.
The results of the study, released yesterday, show that backup tapes are neglected in administrators’ security efforts. Of the 330 respondents from large enterprises worldwide, 35 percent said they do not know whether or not they will encrypt their backup tapes.
“Traditionally, storage has been a domain in and of itself, and IT security has been focusing on front-facing business applications, so they don’t pay that much attention to security,” Kevin Bocek, director of product marketing at Thales, told InternetNews.com.
Not having a backup tape encryption plan could place an organization’s data at risk, leading it into a breach of compliance. Data breaches can cause heavy financial losses, as retail store chain owner TJX discovered.
The storage department is more concerned with the cost and speed of data recovery than with encryption, according to Bocek. Also, enterprises felt they lacked access to technology adequate for enterprise-grade tape encryption.
“Previously, tape encryption technology used to be bolted on or would be an application used for general backup, and some didn’t trust those to encrypt their tapes for backup,” Bocek said.
The situation is changing, as more and more applications come with built-in encryption. However, a new problem then emerges — managing the encryption keys. “If you’re going to use encryption, you must have good key encryption, because if you lose your keys, you lose your data,” Dave Hill, principal at analyst firm Mesabi Group, told InternetNews.com.
Keys should not all be given to one person, he added. “If they do something wrong, either in error or maliciously, that could be a problem.”
For instance, giving control over all means of access to a system can lead to severe consequences, as San Francisco found out when rogue system administrator Terry Childs gained control over all the passwords to its fiber optic wide-area network.
Hill recommends enterprises have keys stored with a trusted third party “so somebody can get them back in case of an emergency.”