Twitter Updates

    follow me on Twitter

    Wednesday, May 12, 2010

    Online Backups: Evaluate the Risk

    The SANS reading room recently published an article entitled: Online Backup: Worth the Risk?

    Of course I wanted to know what folks at SANS had to say about online backups. The synopsis of this article is that there are many laws and regulatory bodies governing data security and if a business is to trust another organization with sensitive data, how can you ensure that the other organization (the online backup provider) is meeting all of these requirements?

    This is one of the big questions that businesses are dealing with as they evaluate whether to make the leap into "cloud computing". One problem is that cloud computing is such a nebulous term. If we can't define what it means, then how to we speak intelligently about it? For the purposes of this article, I will use the more specific term "cloud storage" and define it as "storing data on a medium owned by a provider and connecting to the provider over the Internet". That's really the essence of what online backup is.

    The article enumerates many of the regulations that data security may fall under and asks the question of how to ensure that your "cloud storage" provider meets these regulations. I'm going to take it one step further and ask "how do you ensure that your cloud storage provider has the same or better security controls in place that you do?" It is understandable to simply concern yourself with regulation, because that's what the auditors will nail you one. But when you get right down to it, you really want to make sure that your data is "safe" and that you won't be reading on the Internet one day how your provider got hacked and your data is now in the hands of the bad guys, because that means lawsuits and lost revenue.

    The clear answer to these valid questions is transparency. We have been trained to think of the cloud as some black box in the sky that no one is allowed visibility into. Where is Amazon keeping your data? What controls do they have around it? Are they monitoring their network for intruders? You don't know because it's just out there in the cloud. These are the questions that we at Data Knoxx tackled when we designed our service offering. How are businesses and consumers going to trust us with their data?

    Moving forward, let's address the questions brought up in the article specifically:

    Where does the online provider store the data?
    150ft underground in Lenexa, Kansas. Come tour the facility if you like.

    Which Jurisdiction Controls Stored Data at the CSP?
    The United States Government and the State of Kansas

    What security controls are in place at the online backup provider?
    Physical Access Control - Perimeter secured by 150ft of limestone, manually verified sign-in process with biometric suite-level access controls.
    Network Design - VLAN-based access controlled by Cisco hardware devices. Principle of least-privilege used when configuring network devices
    Server Configuration - Servers using hardened Linux kernels, host-based intrusion detection on all servers configured to notify operators of unexpected system changes or network traffic, change management policies in force, principles of least-privilege.
    Monitoring - all systems monitored using local and remote monitors
    Vulnerability Scanning - Internal and External vulnerability scans executed on a determined schedule; findings addressed immediately
    Secure Protocols - only secure protocols and authentication in use for all systems

    What encryption is used?
    User has a choice of encryption algorithms. Recommend using AES-256.

    Who has access to the Recovery Key?
    Only the user. Recovery key must be entered whether restoring from the web or the backup client. All restores are logged and auditable.

    Is everything needed for recovery available?
    This is dependent on how the user sets up the backup plans. Data Knoxx is available to assist with backup and recovery planning.

    Is there sufficient bandwidth?
    This is also dependent on the backup plan and the client should consider this when designing their plan. Again, Data Knoxx is available to assist.

    How is Recovery Access Controlled?
    Recovery is controlled by the user-defined key. This key must be stored in a secure location that is available in the event of disaster (i.e. don't store it on the server that's being backed up)

    Is CSP Compliant with Regulatory Frameworks?
    Data Knoxx is compliant with requirements outlined in HIPAA (the other spells this wrong) and SOX. If additional compliance is required, we will certainly work with clients to ensure that compliance is met and will work with the auditors to complete the successful audit.

    Does the Provider have a Liability Agreement?
    These agreements can be agreed upon at the time of signing (hence the term 'agreement').

    Does the Provider have a Service Level Agreement?
    Rather than having a boiler-plate SLA, Data Knoxx prefers to negotiate a mutually-agreeable SLA with any client that requires one. Our SLA to this point: we have never missed a backup because our servers were unavailable.

    Conclusion
    While many may read the article and come away thinking that it raises many questions about whether online backups are safe or not, it reassures us at Data Knoxx that our business plan was the correct one; be open and transparent about our systems and our security.

    I encourage all businesses to ask these hard questions to their online backup provider. After all, it's your data and without it, you're not in business.