My next class:

Where do your backup tapes go to die?

Published: 2012-12-04. Last Updated: 2012-12-04 04:43:49 UTC
by Johannes Ullrich (Version: 1)
13 comment(s)

The trade press is filled with stories about companies getting into big regulatory trouble over lost backup tapes [1][2]. The tricky part is that usually, one reason companies use backup tapes is the ability to archive backup tapes offsite for extended periods of time. Terabytes by Terabytes, rotating cheap SATA disks usually is cheaper and faster, but hard drives don't have the offline persistence of backup tapes.

But with offsite storage comes loss of physical control. You hire a reputable, but not too expensive, records company to pickup the tapes, and store them at what you hope to be a secure facility. So I was a bit surprised to find a drum full of backup tapes dumped into an alley close to my house. The drum was filled with LTO data tapes commonly used in backups. The tapes looked in good shape, but a bit wet due to being exposed to rain. I don't have a sacrificial reader to try them out (given that they are wet, I don't want to put them in a "good" reader that is still in use). There are no markings showing the owner of the tapes either on the drum or the tapes themselves, but a couple have pencil markings (like a letter and a number) indicating that they may be used.

At this point I can only speculate what the tapes contain. There are a number of hospitals in the immediate area (couple miles), and I have found medical supplies and lost/discarded patients before. But so far no records. The same pile of trash also includes a similar drum with an address label, and I have yet to be able to contact that company. 

 

drum with backups tapes 

 

So do you audit whoever stores, and discards, your tapes? Would it make sense to identify the owner in case they are found? Or is this just increasing the risk? Do you encrypt backup tapes before sending them offsite?

[1] http://www.southcoasttoday.com/apps/pbcs.dll/article?AID=/20121110/NEWS/211100330
[2] http://www.darkreading.com/database-security/167901020/security/news/240142846/10-top-government-data-breaches-of-2012.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

13 comment(s)
My next class:

Comments

I personally take the tapes/HDs to a shredding company and watch as they dump them all into a shredder. The shredded waste then goes to an incinerator. Nothing like personally verifying the destruction process.
I have been using encryption on all backup media since around 2004. Encryption should be as good as destruction, unless you need to make the data inaccessible to even those that have the decryption credentials, which is not the case in my situation. There was a good paper a decade or so ago on using encryption to erase data remotely: just encrypt the key and keep the key media handy. destroying the key can make petabytes of data instantly inaccessible, even when the data is not locally at hand.
I watch our tapes get destroyed but we are moving to a SAN backup method with encryption. We are moving away from tapes for the most part.
"Encryption should be as good as destruction" is only true if you have robust and proven key management. It's been my experience that getting ahold of the keys is not nearly as difficult as one would think. Encrypted data simply means that it's encrypted, not that it's secure, and should be treated just as delicately as unencrypted data. Defense in Depth!
My company implemented IBM TKLM http://www-01.ibm.com/software/tivoli/products/key-lifecycle-mgr/
when we upgraded to LTO-3 drives. A "Set it, and Forget it" solution.
You should also have disposal concerns with tax forms and medical records. Both 1040's and medical records have been found in dumpsters, unshredded.
"Encryption is as good as destruction". This is not necessarily true. Tapes can have a lifetime of decades. How long will it be before what is encrypted today can be easily cracked?
How long is the data sensitive? If the sensitivity is longer that the time-to-crack then you have to destroy the tapes. SSNs are the classic example.
But that data's value diminishes the longer the person wanting to exploit the information has to wait. If they have to wait a month that is some risk but if they have to wait 3 years for it to be crackable that seriously drops the value. Magnify that if it takes more realistically 10 years to go from improbable to easy to crack and the value is really lost. Remember, those records are still large enough that it takes a fair amount of time to extract and sift through the information in them. If you get SSNs you still will have quite a few that are of people whose identity isn't going to get you very far, only some who could make the entire process worthwhile. I just don't see any typical criminal organization going to this amount of time and effort to get your company's data unless you are talking CIA/DoD or similar high value targets. Perhaps I am wrong, but that is a lot of waiting for a very uncertain payout.

Of course if your keys are not well secure then that makes the above a mute point. And given the places such keys must be present just to encrypt and manage the data that is your most likely spot to be compromised to make the tapes of value.
@BGC, actually, I'd have to disagree. Your assumption is based on the value that YOU see the data having, from what YOU can think to do with it. By that argument, I don't need to encrypt anything, ever, and I can just dump them in a blue barrel out in an alley. The assumption demands that all the Big Data fears and concerns are completely without merit, since none of that junk has any value to me, since I cannot figure out how to monetize THAT, either.

MattC's statement is exactly spot-on. Sensitivity Window vs Time-To-Crack. It IS that simple. You forget that if I can crack an old tape, I may have just found the key for your current tapes, perhaps.

Cheers all,
Two more things:

1 - Bad Actors don't need to hang on to tapes for 10 years. They can read them now! It will be encrypted, but if you're identified as a target with value, they can hang onto data as long as necessary. And the cost of hanging onto the data gets cheaper over time.

2 - Time-to-Crack has such a high uncertainty that I don't see how anyone can be sure they have as much as 10 years. Is there an unknown flaw in the algorithm? Does the NSA already have a quantum decryptor?

The cost to shred a tape compared to the cost to buy a tape is so low (1%?), that it should really be done for any data that isn't strictly public.

FYI, we had 5 tons of tapes shredded last year.

Diary Archives