Every few months, there's another horror story about lost tapes or stolen laptops, and we're left wondering if the information stored on the missing media will be put to some nefarious use, thereby adding personal injury to a public relations insult.
The importance of protecting these media has become a no-brainer. But managers are often hampered in their efforts because they buy into one or more of the following six myths of movable media:
Myth 1: Tapes are obsolete.
The humble magnetic tape, a seeming relic of the mainframe and batch-processing era, has given way in some instances to disk-to-disk backups to remote sites over networks. But for rapid and efficient backup, archiving and restoration of large quantities of data, there's no beating tape.
Iron Mountain offers both data backup over a network connection and tape storage at its sites. "In a disaster scenario, when time is of the essence, there is nothing more efficient than putting a collection of tapes in a vehicle and driving it to a recovery site," says Ken Rubin, a senior vice president at the information protection and storage company. "And the bandwidth limitations on transporting terabytes or petabytes of data over the line make that impractical."
Still, some users want to move on. "We are trying to get out of the tape business because of the threat of physical loss," says Christopher Leach, chief information security officer at Affiliated Computer Services Inc. He says ACS is setting up a service to send encrypted data backups to clients via a Web browser if the files aren't too big.
Myth 2: Protecting tapes and laptops is a job for technical people.
The protection of information technology is, of course, a job for IT. But there is a big and often overlooked role for others in the organization as well.
New York state CIO Melodie Mayberry-Stewart draws on a 12-person legal team to research best security practices, especially in the financial industry. Some of those people specialize in areas such as encryption and telecommunications, she says. In addition, she has a separate team of technologists who specialize in security and risk management. Mayberry-Stewart says the lawyers negotiate "painstakingly detailed" contracts and "memoranda of understanding on service levels" with companies such as Iron Mountain that transport and store the state's tapes -- some 4,000 per month -- from four mainframe data centers.
At Sun Microsystems, tapes are created at seven datacenters around the world. While each center manages its own data-retention processes, "they don't get to make up all their own rules," says Leslie Lambert, Sun's chief information security officer. So where do the rules, policies and procedures come from? "We have a very vigilant legal team, a privacy team, a business conduct team, internal auditors, external auditors, and an information protection law group -- all working together," she says.
Leach says keeping up with state and federal regulations on data protection and retention demands human expertise, but it's such a daunting task that he gets automated help via risk and compliance management software from Relational Security.
Myth 3: Losing a tape is primarily a security problem.
It can be a security disaster, to be sure, and it will certainly be a PR nightmare if the public finds out. But there are other equally harmful, if less dramatic, possibilities.
"I don't think so much about losing employee information [such as Social Security numbers], although that is certainly important," says Brian Lurie, IT vice president at medical products maker Stryker Corp. "What keeps me up nights is the possibility of losing a tape and then having to produce data for the FDA for a lawsuit. I worry about liability to the company from losing information that we, by law, must retain."
While the law requires that some information be kept for seven years, Stryker must retain data on customers who have Stryker products in their bodies for as long as they live, Lurie says. Although the company mirrors its disks at a remote disaster recovery center, after a certain amount of time, some data will exist only on tape transported and stored remotely by Iron Mountain.
Lurie periodically sends auditors to Iron Mountain's facility to inventory Stryker's tapes. He says regular audits are part of a three-part tape-protection program that also includes carefully crafted contracts and working with a reputable tape-storage vendor.
Experts say thefts of tapes followed by illegal usage are so rare as to be almost a nonissue. Loss of tapes through simple human error, causing processing disruptions down the line, is by far the most common problem.
Myth 4: There are no technology solutions; it's all about tight controls.
Procedures and controls that are well thought out, automated where possible and tested are the best way to limit losses from wayward tapes and laptops, experts say. But technology can be a big help.
The primary tool remains data encryption. While the technology doesn't address Lurie's concerns about lawsuits over unrecoverable data, it's nice to be able to tell lawyers, reporters and the police that the bad guys can't do much with that laptop because the hard disk is encrypted, or with those tapes because they are unreadable.
All employee desktops and laptops at ACS are required to be "whole-disk encrypted," Leach says. "Once the disk is encrypted, we monitor it and track it, and if you try to decrypt your hard drive, we know it and we notify your manager."
ACS has more than 1 million tapes at its tape library in Dallas, and its standard practice is to encrypt their content. But, Leach says, some clients don't want to incur the cost and effort of decrypting the backup tapes they receive from ACS, so they request that the content be kept in the clear. "For those tapes, we have very strict packaging, signing and tracking at every step, almost like a chain of custody in a legal case," he says. "Tapes go into turtle boxes that are locked and unlocked at each end."
In addition, he says, "we insure them for a high amount, not because the tapes or CDs are worth a lot of money, but because that triggers tighter processes and closer scrutiny by the shipper."
Users report that they are studying new technologies to supplement or substitute for encryption. The state of New York is looking at thumbprint scans to protect laptops and tape cases. And ACS is examining prototypes of three magnetic devices that will erase the contents of tapes inside a locked case if it is broken open.
Iron Mountain says the best automated help of all may come from a tape inventory-control system to help eliminate the No. 1 cause of lost tapes -- human error inside the company.
Myth 5: Encryption is a silver bullet.
While encryption is often considered the best technical solution, it has drawbacks. For example, if you retrieve a tape but have lost the keys to decrypt it, you might be out of luck. Also, encrypting data before writing it to tape, a laptop hard drive or removable media can take copious computer resources. Finally, at many companies, encryption is optional or a requirement that can be circumvented.
For these reasons, Stryker doesn't encrypt laptop hard drives unless there's sensitive data on them. Sensitive information that remote users may need stays on protected servers, where it is accessed only when needed and not retained locally. Lurie acknowledges that this isn't perfect because it requires voluntary user compliance.
Lurie says his chores will be eased when Stryker moves to Windows Vista, because the operating system offers options for automatically encrypting data. "But it's a burden -- you need additional memory, and it slows down the machine," he adds.
Myth 6: If you protect your tapes and laptops, you can feel secure.
News stories have focused attention on lost tapes and laptops, but there are a number of other devices walking out your company's door every night. Lurie says mobile devices such as BlackBerrys are protected at Stryker. "I have the ability to remotely wipe them out," he explains. "If lost, we send a signal to it immediately to clear the memory."
But flash drives, CDs, and DVDs are more problematic, he says. Lurie's solution: "If it's not encrypted, we just discourage the downloading of sensitive information to them."
Lurie says he even worries about the humble cell phone. "We don't allow cameras in our building, but there are lots of people who have them on their phones," he says. "If someone takes a photo of someone or something and posts it on the Internet, we've got a potential liability. I'm not sure how to deal with that yet, but I've been giving it a lot of thought."
Computerworld is an InfoWorld affiliate.
This story, "Six myths about movable media storage" was originally published by Computerworld .