Backups - Offsite solutions -Security Regulations - LONG, DRAWN OUT REPLY

George Toft george at georgetoft.com
Sat Mar 31 10:41:23 MST 2007


I would have responded yesterday, but I was busy trying to break my new 
qmail toaster instead of writing minor dissertations.  Fortunately, it 
did not break - try as I might :)



As the VA incident of May 2006 demonstrated, storing personal 
information at home is a really BAD idea.  Storing data at home is 
acceptable - see discussion about data vs. information below.


Part I
======

If your business is in the financial industry (about 30% of them are), 
then you need to worry about the following:
* A.R.S. 44-7501 - Notification of breach of security system
* Gramm-Leach-Bliley Financial Modernization Act (GLBA)
* Sarbanes-Oxley (if it is publicly traded, which it probably is not).


A.R.S. 44-7501 says you (company, not Bryan) must notify affected 
individuals if you lose control of their personal information through a 
breach in security.  See 
http://www.azleg.gov/FormatDocument.asp?inDoc=/ars/44/07501.htm&Title=44&DocType=ARS


GLBA says you have to take reasonable precautions to protect the data. 
(So in one sentence, I summarized a several hour presentation.) 
Reasonable means performing a risk assessment and implementing 
countermeasures to the risks identified (along with a host of other 
stuff).  It means having a security plan.  It means having a person 
responsible for enforcing the plan.  Check out this questionnaire: 
http://myitaz.com/assessment-glba.shtml  (page also links to the FTC's 
web site).  Hint - "Yes" is the only correct answer - any "No" or "Don't 
know" answers are problems.


SOX.  I'm not even going to touch SOX.


You might want to take a look here too: 
http://myitaz.com/assessment-general.shtml



Part II
=======

Now to get to what you really want to know . . .

There is a service based out of Scottsdale called DataPreserve.  Offsite 
backup is all they do.  If you have small amounts of data (under 10 
GB), it is fairly cost-effective - about $2/GB/month.  Their client 
works only on Windows :( .  The data is encrypted at the client, in 
transit and at rest on their servers.  They have been very reliable, 
although being the low-cost leader in that space, they are not 100% 
available.  Fortunately, they communicate outages in advance, and the 
planned outages are always at night so it does not impact data 
retrieval.  I can recall maybe 4 outages in the last year, so that puts 
them in the 99+% available range.

The backup client is one of the best I've seen - even better than IBM's 
Tivoli backup used in monster corporations.  (Better means easier to use 
and robust in features.)  I have had to retrieve files from a certain 
point in time - how it existed 2 weeks ago, not the previous version - 
and it worked flawlessly.

This demonstrates the data is versioned as it is backed up. 
Fortunately, they back up only the parts of the file that changed, so they 
are very frugal in data storage requirements.  Sounds like rsync, huh? 
(There's a reason for that.)

DataPreserve information can be found here: 
https://www.datapreserve.com/BackupToday/Default.aspx?agentcode=60000

DISCLAIMER: My previous company, of which I am part owner, is an agent for 
DataPreserve.  My new company, of which I am THE owner, is becoming a 
DataPreserve agent.  If you decide to go with DataPreserve, please 
contact me for my new agent code.  If you can't wait, use agent code 
60000 (the old company), and I'll get it transferred over.

</End Sales Speech>

(OK, maybe you didn't really want to know that.)


How does DataPreserve fit into a regulated industry?  (Read this slowly 
and carefully.)  Since the information is encrypted with your key and 
separated from the key, it becomes data.  Data is just a collection of 
bits/bytes without context (see ISO definition of "data" and 
"information" which is referred to by HIPAA legislation).  The 
encryption key brings context to the data, giving it meaning, making it 
information.  Since DataPreserve does not have the key, they do not have 
to sign off on being a service provider with access to your information. 
They never have access to your information.

This same concept applies to encrypted hard drives.  If an encrypted 
drive containing personal information is stolen, as long as the key is 
not with the drive, a security breach has not occurred (as of today - 
tomorrow when AES256 is real-time crackable, the story will change).

The outsourced (if any) IT professional who represents DataPreserve, on 
the other hand - the person who has access to your information - is 
required by Federal law to sign a contract with you to protect your 
data.  (Take the GLBA self-assessment above and it will give you the 
references to this statement.)


Part III
========

If you want to slap a cheap box in a colo, I would suggest using RAID1 
and an encrypted filesystem.  Transfer the data using rsync over ssh or 
use a VPN.

How much data you have should help you decide whether the labor 
involved in building the colo box + colo fees is better than 
DataPreserve.  Also consider the job of monitoring your backups and 
alerting if any are missed.  (Yes, I built one of these and still
maintain it.)

DIYBU (Do It Yourself Back Up) and DP (DataPreserve) each have their 
strengths and weaknesses.  I've done both.  I've done both at the same 
time for the ultimate in backup.


Part IV
=======

Feel free to call me.


Regards,

George Toft, CISSP, MSIS
623-203-1760
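The Part III recipe (rsync over ssh to an encrypted filesystem on a colo box, plus monitoring for missed backups) and the Part II point about versioned, delta-only backups, as an added example. This script is not from George's post and not DataPreserve's client; the hostname, paths, snapshot naming and the 36-hour staleness threshold are assumed values.

```sh
#!/bin/sh
# Added example, not from the original post: a versioned rsync-over-ssh backup
# to an encrypted volume on a colo box, plus the missed-backup check George
# mentions. Hosts, paths and the 36-hour threshold are assumed values.
set -eu

SRC="${SRC:-/srv/data/}"                            # trailing slash: sync contents
DEST_HOST="${DEST_HOST:-backup@colo.example.net}"   # hypothetical colo box
DEST_ROOT="${DEST_ROOT:-/backup/vault}"             # encrypted filesystem on RAID1
MARKER="${MARKER:-/var/lib/backup/last_success}"    # epoch time of last good run
MAX_AGE_SEC="${MAX_AGE_SEC:-129600}"                # 36 h: one missed nightly run

# rsync command for snapshot $1. Every snapshot is a complete directory tree,
# but files unchanged since the previous snapshot are hard-linked from it via
# --link-dest, so only changed data crosses the wire or consumes new space.
# That is what lets you restore a file "how it existed 2 weeks ago".
build_rsync_cmd() {
    snap="$1"
    printf '%s' "rsync -aH --delete --numeric-ids -e 'ssh -o BatchMode=yes' \
--link-dest=${DEST_ROOT}/latest ${SRC} ${DEST_HOST}:${DEST_ROOT}/${snap}/"
}

# Run one backup and, only on success, repoint 'latest' and stamp the marker.
run_backup() {
    snap="$(date -u +%Y-%m-%dT%H%MZ)"
    eval "$(build_rsync_cmd "$snap")"
    ssh -o BatchMode=yes "$DEST_HOST" \
        "ln -sfn '${DEST_ROOT}/${snap}' '${DEST_ROOT}/latest'"
    mkdir -p "$(dirname "$MARKER")"
    date +%s > "$MARKER"
}

# Return 0 if the marker is fresh, 1 if stale, 2 if missing or corrupt.
# A corrupt marker counts as missing: a check that errors out is not an alert.
check_backup_age() {
    marker="$1"
    max="$2"
    [ -r "$marker" ] || return 2
    last="$(cat "$marker")"
    case "$last" in ''|*[!0-9]*) return 2 ;; esac
    now="$(date +%s)"
    age=$((now - last))
    [ "$age" -le "$max" ] || return 1
    return 0
}

case "${1:-}" in
    run)   run_backup ;;
    check) check_backup_age "$MARKER" "$MAX_AGE_SEC" \
               || { echo "ALERT: last successful backup missing or older than ${MAX_AGE_SEC}s" >&2; exit 1; } ;;
esac
```

Run `backup.sh run` from cron nightly on the source host, and `backup.sh check` from cron on a different host (with the marker copied or exported there), so that a dead backup box cannot silently stop its own alerts. The marker is written only after both the rsync and the `latest` repoint succeed, so a half-finished run still shows up as missed. The colo box should mount the encrypted filesystem with a key supplied at mount time rather than stored on the box, which keeps it in the same position as DataPreserve's servers in George's framing: it holds data, not information.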




Bryan O'Neal wrote:
> As always Hans, you're a life saver!~  I will contact him tomorrow and see what we can work out... 
> 
> And by cheap server, I mean slower, older, less expensive, since it takes one periodic encrypted stream instead of 50+ people all trying to attach to one or more of 20 or more different apps. Cheap colo to me means someone who offers a low-bandwidth option, not necessarily an insecure, shoddy, or suspiciously low-priced establishment...  Part of my whole "emphasize what matters and do not over-engineer" philosophy....  My backup server cost about $2K while the servers it serves cost closer to $20K...
> 
> I remember my statics professor's favorite pop quiz was "given the following structure (usually a bridge of some design) find and remove all non-essential members and calculate the cost savings based on the following formula..."  Man, I loved engineering...  Up until deformable solids and numerical methods, that is... But that is way off topic, I should probably go to sleep soon...
> 
> -----Original Message-----
> From: plug-discuss-bounces at lists.plug.phoenix.az.us [mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of der.hans
> Sent: Saturday, March 31, 2007 1:35 AM
> To: Main PLUG discussion list
> Subject: Re: Backups - Offsite solutions -Security Regulations
> 
> On 30 Mar 2007, Bryan O'Neal wrote:
> 
> Hello Bryan,
> 
> 
>>I have a financial broker that needs offsite backups, but as a 
>>financial institution they have more sensitive information than I am 
>>used to dealing with outside the confines of the government and I am 
>>not sure what needs to be done (legally speaking) to protect the data.  
>>I would
> 
> 
> Contact George Toft, www.GeorgeToft.com. He does some consulting in this area. He also recently gave a presentation on compliance at LOPSA's Sysadmin Days.
> 
> 
>>like to slap some cheap server in a cheap colo with an encrypted drive
> 
> 
> Cheap server and cheap colo don't make me think secure.
> 
> 
>>and just pump automated backups over an ssh tunnel using rsync (like I 
>>do for my company's backups) but I do not know if there are any 
>>specific security (physical and encryption) rules that I need to meet.  
>>Right now my company's backup server rotates through the homes of the 
>>key players, but I don't think that is a good idea for a machine that 
>>holds non-public information.
> 
> 
> If you're storing credit card info the credit card corps have requirements as well as what the government requires. Also, in December some new requirements went into effect for .az.us. George covered that in his LOPSA presentation.
> 
> ciao,
> 
> der.hans

