    Wednesday, May 12, 2010

    Online Backups: Evaluate the Risk

    The SANS reading room recently published an article entitled: Online Backup: Worth the Risk?

    Of course I wanted to know what folks at SANS had to say about online backups. The synopsis of this article is that there are many laws and regulatory bodies governing data security and if a business is to trust another organization with sensitive data, how can you ensure that the other organization (the online backup provider) is meeting all of these requirements?

    This is one of the big questions that businesses are dealing with as they evaluate whether to make the leap into "cloud computing". One problem is that cloud computing is such a nebulous term. If we can't define what it means, then how do we speak intelligently about it? For the purposes of this article, I will use the more specific term "cloud storage" and define it as "storing data on a medium owned by a provider and connecting to the provider over the Internet". That's really the essence of what online backup is.

    The article enumerates many of the regulations that data security may fall under and asks how to ensure that your "cloud storage" provider meets these regulations. I'm going to take it one step further and ask, "How do you ensure that your cloud storage provider has the same or better security controls in place than you do?" It is understandable to concern yourself only with regulation, because that's what the auditors will nail you on. But when you get right down to it, you really want to make sure that your data is "safe" and that you won't be reading on the Internet one day how your provider got hacked and your data is now in the hands of the bad guys, because that means lawsuits and lost revenue.

    The clear answer to these valid questions is transparency. We have been trained to think of the cloud as some black box in the sky that no one is allowed visibility into. Where is Amazon keeping your data? What controls do they have around it? Are they monitoring their network for intruders? You don't know because it's just out there in the cloud. These are the questions that we at Data Knoxx tackled when we designed our service offering. How are businesses and consumers going to trust us with their data?

    Moving forward, let's address the questions brought up in the article specifically:

    Where does the online provider store the data?
    150ft underground in Lenexa, Kansas. Come tour the facility if you like.

    Which Jurisdiction Controls Stored Data at the CSP?
    The United States Government and the State of Kansas

    What security controls are in place at the online backup provider?
    Physical Access Control - Perimeter secured by 150ft of limestone, manually verified sign-in process with biometric suite-level access controls.
    Network Design - VLAN-based access controlled by Cisco hardware devices. Principle of least privilege used when configuring network devices.
    Server Configuration - Servers using hardened Linux kernels, host-based intrusion detection on all servers configured to notify operators of unexpected system changes or network traffic, change management policies in force, principle of least privilege.
    Monitoring - All systems monitored using local and remote monitors.
    Vulnerability Scanning - Internal and external vulnerability scans executed on a determined schedule; findings addressed immediately.
    Secure Protocols - Only secure protocols and authentication in use for all systems.

    What encryption is used?
    User has a choice of encryption algorithms. Recommend using AES-256.

    Who has access to the Recovery Key?
    Only the user. Recovery key must be entered whether restoring from the web or the backup client. All restores are logged and auditable.

    Is everything needed for recovery available?
    This is dependent on how the user sets up the backup plans. Data Knoxx is available to assist with backup and recovery planning.

    Is there sufficient bandwidth?
    This is also dependent on the backup plan and the client should consider this when designing their plan. Again, Data Knoxx is available to assist.

    How is Recovery Access Controlled?
    Recovery is controlled by the user-defined key. This key must be stored in a secure location that is available in the event of disaster (i.e. don't store it on the server that's being backed up).
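    The key-custody model described in the answers above, as an added illustration written for this post and not Data Knoxx's actual client code: the backup client encrypts with AES-256-GCM under a recovery key that only the user holds, so what the provider stores cannot be restored without it, and a wrong key or a modified blob is refused rather than producing garbage. It assumes a randomly generated 32-byte recovery key that the user writes down and keeps off the backed-up host; a user-chosen passphrase would need a proper key-derivation function in front of it, which is not shown here.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Blob is all the provider stores: ciphertext plus nonce, never the recovery key.
type Blob struct{ Nonce, Ciphertext []byte }
// NewRecoveryKey makes the 256-bit key the user must keep off the backed-up host
// (assumed random here; a user-chosen passphrase would need a KDF in front).
func NewRecoveryKey() ([]byte, error) {
	key := make([]byte, 32) // a 32-byte key makes aes.NewCipher select AES-256
	_, err := rand.Read(key)
	return key, err
}

func newGCM(recoveryKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(recoveryKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs on the client before upload; every blob gets a fresh nonce.
func Encrypt(recoveryKey, plaintext []byte) (Blob, error) {
	gcm, err := newGCM(recoveryKey)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt is the restore path: gcm.Open fails on a wrong key or a modified
// blob, so the restore is refused instead of yielding garbage.
func Decrypt(recoveryKey []byte, b Blob) ([]byte, error) {
	gcm, err := newGCM(recoveryKey)
	if err != nil {
		return nil, err
	}
	if len(b.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed backup blob")
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}
```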

    Is CSP Compliant with Regulatory Frameworks?
    Data Knoxx is compliant with requirements outlined in HIPAA (the SANS article spells this wrong) and SOX. If additional compliance is required, we will certainly work with clients to ensure that compliance is met and will work with the auditors to complete a successful audit.

    Does the Provider have a Liability Agreement?
    These agreements can be agreed upon at the time of signing (hence the term 'agreement').

    Does the Provider have a Service Level Agreement?
    Rather than having a boiler-plate SLA, Data Knoxx prefers to negotiate a mutually-agreeable SLA with any client that requires one. Our SLA to this point: we have never missed a backup because our servers were unavailable.

    While many may read the article and come away thinking that it raises many questions about whether online backups are safe or not, it reassures us at Data Knoxx that our business plan was the correct one: be open and transparent about our systems and our security.

    I encourage all businesses to ask their online backup provider these hard questions. After all, it's your data, and without it, you're not in business.

    Wednesday, March 31, 2010

    Security Week

    Last week was a bit of a "security week" for me. I attended "SANS546 Detecting Hackers for System Administrators", listened in on the SANS webcast on the Advanced Persistent Threat (APT), and started work on my GSEC certification.

    A few notes to start out with: I highly recommend the SANS546 course for any Systems Administrator, Network Administrator, IT Manager, or anyone else who needs to know the details of how to maintain security in a network. This course gets beyond the basics of setting up a firewall, making sure your systems are patched, and having virus scanning installed. It demonstrates firsthand why you have to go beyond these basic steps and gets into Defense in Depth, host-based and network-based IDS, network sniffing, baselining, and detecting malware. The best thing I took away from this course: You can't identify the bad stuff if you don't know what the good stuff looks like.

    Second, the webcast on the Advanced Persistent Threat scared the bejesus out of me. For those not familiar with the APT, it is essentially a well-coordinated, continuous effort by professional crackers located in China to break into government and corporate networks in the US. These people are VERY GOOD at what they do! My biggest take-away from this webcast: Treat your network like a garden instead of a fortress. You can't just put up the walls and assume the bad guys will stay out. You need to be continuously looking for the weeds in your garden and removing them promptly.

    The two bold statements above are so important because it does not matter how strong your fortress is, a persistent and knowledgeable "bad guy" will get in. Consider this scenario: through reconnaissance, I determine that your CFO likes to play Farmville on Facebook (cringe). So I send him an email "from Facebook" saying that he has qualified for 500 free points and all he has to do is watch a video. A link is included, which actually goes to my malicious site. When he clicks on the video, a popup comes up saying "You must install this codec to watch the video". He clicks it and my malicious program is installed.

    The malicious program is custom-built, so no AV signatures exist for it yet (i.e. Anti-Virus doesn't have a chance of recognizing it). My program now starts collecting the CFO's email messages and sending them off to my server. No firewall will block this because outbound traffic, especially web traffic, is generally allowed.

    The only way of catching this program is to "know the good stuff" so that your IDS system or log reviews will catch the bad process, files, or network traffic. Even at that, it's very hard. So you have to be diligent. Is one workstation connecting out to other workstations? That's not normal.
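    One concrete form of "knowing the good stuff", as an added example that is not from the SANS course or the Data Knoxx systems: a baseline of which destinations each workstation talked to during a known-clean period, then used to flag workstation-to-workstation connections and destinations never seen before. The "src dst port" record layout and the 10.1.20.0/24 workstation range are constructed for the example.

```go
package main
import (
	"fmt"
	"net"
)
// Flow is one connection record as a firewall or flow collector would log it.
type Flow struct {
	Src, Dst string
	Port     int
}
// ParseFlow reads a constructed "src dst port" line (layout assumed for the
// example; real collectors differ, only these three fields matter here).
func ParseFlow(line string) (Flow, error) {
	var f Flow
	_, err := fmt.Sscanf(line, "%s %s %d", &f.Src, &f.Dst, &f.Port)
	return f, err
}

// Baseline is "the good stuff": every src>dst:port pair seen during a
// known-clean learning window, plus the address range of the workstations.
type Baseline struct {
	workstations *net.IPNet
	seen         map[string]bool
}

func pair(f Flow) string { return fmt.Sprintf("%s>%s:%d", f.Src, f.Dst, f.Port) }
func NewBaseline(workstationCIDR string, clean []Flow) (*Baseline, error) {
	_, cidr, err := net.ParseCIDR(workstationCIDR)
	if err != nil {
		return nil, err
	}
	b := &Baseline{workstations: cidr, seen: map[string]bool{}}
	for _, f := range clean {
		b.seen[pair(f)] = true
	}
	return b, nil
}

// Check explains why a flow deviates from the baseline, or returns "" when it
// fits. Workstation-to-workstation traffic is flagged even if seen before.
func (b *Baseline) Check(f Flow) string {
	srcWS := b.workstations.Contains(net.ParseIP(f.Src))
	if srcWS && b.workstations.Contains(net.ParseIP(f.Dst)) {
		return "workstation connecting to another workstation"
	}
	if srcWS && !b.seen[pair(f)] {
		return "workstation reaching a destination absent from the baseline"
	}
	return ""
}
```

    On a real network the second rule needs tuning (proxy logs, allow-lists for general web browsing) or it drowns in noise; the workstation-to-workstation rule is the low-noise one.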

    Now I know what you're thinking: Just train your users not to click on stupid stuff.

    Doesn't work. Yes, you should include security awareness training as part of your security plan, but it's not sufficient. People will click on stupid stuff.

    I will definitely be increasing the intrusion detection capabilities of Data Knoxx as a result of my Security Week.

    I would be very interested to hear people's response to these points and discuss them further. Feel free to comment or email me directly.

    Tuesday, December 29, 2009

    Online Backups as a Service

    This post is related to a question that people often ask me and that I've therefore spent a lot of time thinking about.

    What makes online backup service x better than y?

    To get the answer to this question, people often Google "Online Backup Reviews" or "Online Backups" and read articles that compare the 5 or so most popular online backup offerings. These reviews compare features like encryption, speed, ease of use, Continuous Data Protection, the ability to back up network drives, etc. Close to the end somewhere is a little blurb about support and whether one support desk is better than another or something like that.

    I think most reviews mislead the reader and sometimes miss the mark completely. Yes, features such as speed and ease of use are important, and for a service to be considered seriously, it should meet certain criteria in these categories. But as a business person, think about the problem you want to solve with backups: You are protecting your most critical asset against loss. That's what it all comes down to. The rest is semantics.

    When considering different solutions, is the difference between 5 and 7 clicks to set up a backup your biggest concern, or do you want to know that in your time of greatest need, when disaster strikes, the service you are purchasing is there to help you through it?

    Online Backups are a SERVICE not just a piece of software.

    If you read a few of those reviews and scroll down to the paragraph near the bottom where the reviewer contacted big-box provider X, the rating generally ranges from meets expectations down to non-existent. Often you will have to navigate past the front-line support person who is reading from a script to the next level to get any meaningful response. Is this what you want in a time of disaster? Was it worth the extra pretty interface or the few dollars less a month to be left out in the cold when disaster strikes?

    When shopping for an online backup service, remember that word: service.

    If you are in the market for someone to perform your IT management or even just manage your printers, the first item on the checklist is service. Why is it that online backups have been relegated to a set of features and upload/download speed? Backups are as much or more about service than any other part of your IT environment.

    Here is a checklist that I use when shopping for an online backup service:
    • Will the company help me design a backup solution that is best for my particular business, one that ensures all critical data is backed up and optimizes bandwidth use, taking into consideration usage patterns and current bandwidth usage?

    • Will the company notify me if my backups fail and help me figure out why (as opposed to just sending automated email messages)?

    • Will the company not only provide me with the option of receiving my data on hard drive or DVD in the event of disaster, but also work with me until I'm back in business?

    • Where is my data stored and how long does it take to get it back?

    • When I call support, am I talking to 1-800-INDIA or do I immediately connect to someone who is knowledgeable about the product and isn't reading off of a script?

    By considering these items, you can begin to understand the value of spending a few dollars more on a provider that provides these services than on a provider that may be better known but only delivers the most basic services.

    Remember that you are protecting the most critical asset that your business has. Do you really want to base that decision on the lowest price and prettiest bells and whistles?

    Tuesday, November 24, 2009

    The turn of the decade in security

    Perhaps this post was more appropriate around Halloween and I don't mean to scare everyone right before the holidays, but this article really hits the spot on the current state of network and data security.

    For those who don't want to read the whole article, the basic points are:

    1. Security is and will continue to fall behind current technology
    2. Very early in the next decade, online identity theft and banking fraud will replace drug trafficking as the dominant criminal problem worldwide
    3. Mobile devices will become the largest target of exploits
    4. As we move more of our data and identities online, the face of data security will change

    So, as we look to the future, do we find a hole and hide in it?

    Gosh no!

    The moral of the story is, as with any new technology, tread carefully, ask lots of questions, and understand what you are doing.

    As you make the move to storing more data online, ask the following questions:
    1. Where does my data physically reside?
    2. Is my data encrypted for its lifetime? (i.e. not just as it resides on the disk: is it encrypted over the wire, on the disk, and are backup copies of it encrypted?)
    3. Even if it is encrypted, what type of encryption is used, who holds the keys, and where are the keys stored?
    4. What is my liability if data is compromised?

    Again, as with any new technology or shift in the way that we do things, there are those who will hold fast to the "old way". There is merit in that. But for most of us, we must eventually embrace it. That's ok, too. In fact, I encourage it. Especially speaking as a business owner in the technology space, some of us MUST not only embrace it, but try to understand it and stay on the forefront.

    Just be careful and ask lots of questions.

    Happy Thanksgiving

    Wednesday, September 9, 2009

    A Must Read for Small Business Owners

    Here is an excellent article from the New York Times that is a must-read for Small Business Owners. The discussion is important not only from the perspective of making sure that your data is backed up, but for your Disaster Recovery Plan in general.

    Wednesday, July 29, 2009

    To Tape or Not to Tape

    I'm probably preaching to the choir, but here's a decent article on the pros and cons of online backups vs. tape backups. Really, it's like having to prove why DVD is better than VHS or CDs are better than cassette tapes, in that it should be self-evident (that's right Mom!). In the event that it's not self-evident to you, maybe you'll read the article and then it will be.

    After reading the article, proceed promptly to:

    Friday, July 10, 2009

    Facebook security

    I've heard from a number of people that they stay away from Facebook because they don't want "Everyone knowing everything about them" (thanks for the quote Mom). Also, I've heard from people who use Facebook, but don't want their work colleagues to see that incriminating picture from Friday night.

    Well, it turns out that there are ways to address both concerns. In the interest of not reinventing the wheel, I'll refer you to this excellent article that gives some excellent Facebook security tips: