Re: Backups - Offsite solutions -Security Regulations - LONG…

Author: George Toft
Date:  
To: Main PLUG discussion list
Old-Topics: RE: Backups - Offsite solutions -Security Regulations
Subject: Re: Backups - Offsite solutions -Security Regulations - LONG, DRAWN OUT REPLY
I would have responded yesterday, but I was busy trying to break my new
qmail toaster instead of writing minor dissertations. Fortunately, it
did not break - try as I might :)



As the VA incident of May, 2006 demonstrated, storing personal
information at home is a really BAD idea. Storing data at home is
acceptable - see discussion about data vs. information below.


Part I
======

If your business is in the financial industry (about 30% of them are),
then you need to worry about the following:
* A.R.S. 44-7501 - Notification of breach of security system
* Gramm-Leach-Bliley Financial Modernization Act (GLBA)
* Sarbanes Oxley (if it is publicly traded, which it prolly is not).


A.R.S. 44-7501 says you (company, not Bryan) must notify affected
individuals if you lose control of their personal information through a
breach in security. See
http://www.azleg.gov/FormatDocument.asp?inDoc=/ars/44/07501.htm&Title=44&DocType=ARS


GLBA says you have to take reasonable precautions to protect the data.
(So in one sentence, I summarized a several hour presentation.)
Reasonable means performing a risk assessment and implementing
countermeasures to the risks identified (along with a host of other
stuff). It means having a security plan. It means having a person
responsible for enforcing the plan. Check out this questionnaire:
http://myitaz.com/assessment-glba.shtml (page also links to the FTC's
web site). Hint - "Yes" is the only correct answer - any "No" or "Don't
know" answers are problems.


SOX. I'm not even going to touch SOX.


You might want to take a look here too:
http://myitaz.com/assessment-general.shtml



Part II
=======

Now to get to what you really want to know . . .

There is a service based out of Scottsdale called DataPreserve. Off
site backup is all they do. If you have small amounts of data (under 10
GB), it is fairly cost-effective - about $2/GB/Month. Their client
works only on Windows :( . The data is encrypted at the client, in
transit and at rest on their servers. They have been very reliable,
although being the low-cost leader in that space, they are not 100%
available. Fortunately, they communicate outages in advance, and the
planned outages are always at night so it does not impact data
retrieval. I can recall maybe 4 outages in the last year, so that puts
them in the 99+% available range.

The backup client is one of the best I've seen - even better than IBM's
Tivoli backup used in monster corporations. (Better means easier to use
and robust in features.) I have had to retrieve files from a certain
point in time - how it existed 2 weeks ago, not the previous version -
and it worked flawlessly.

This demonstrates the data is versioned as it is backed up.
Fortunately, they back up only the parts of the file that changed, so they
are very frugal in data storage requirements. Sounds like rsync, huh?
(There's a reason for that.)

DataPreserve information can be found here:
https://www.datapreserve.com/BackupToday/Default.aspx?agentcode=60000

DISCLAIMER: My previous company, of which I am part owner, is an agent for
DataPreserve. My new company, of which I am THE owner, is becoming a
DataPreserve agent. If you decide to go with DataPreserve, please
contact me for my new agent code. If you can't wait, use agent code
60000 (the old company), and I'll get it transferred over.

</End Sales Speech>

(OK, maybe you didn't really want to know that.)


How does DataPreserve fit into a regulated industry? (Read this slowly
and carefully.) Since the information is encrypted with your key and
separated from the key, it becomes data. Data is just a collection of
bits/bytes without context (see ISO definition of "data" and
"information" which is referred to by HIPAA legislation). The
encryption key brings context to the data, giving it meaning, making it
information. Since DataPreserve does not have the key, they do not have
to sign off on being a service provider with access to your information.
They never have access to your information.

This same concept applies to encrypted hard drives. If an encrypted
drive containing personal information is stolen, as long as the key is
not with the drive, a security breach has not occurred (as of today -
tomorrow when AES256 is real-time crackable, the story will change).

The outsourced (if any) IT professional that represents DataPreserve, on
the other hand - the person who has access to your information - is
required by Federal Law to sign a contract with you to protect your
data. (Take the GLBA self-assessment above and it will give you the
references to this statement.)


Part III
========

If you want to slap a cheap box in a colo, I would suggest using RAID1
and an encrypted filesystem. Transfer the data using rsync over ssh or
use a VPN.

How much data you have should help you decide if the labor
involved in building the colo box + colo fees is better than
DataPreserve. Also consider the job of monitoring your backups and
alerting if any are missed. (Yes, I built one of these and still
maintain it.)

DIYBU (Do It Yourself Back Up) and DP (DataPreserve) each have their
strengths and weaknesses. I've done both. I've done both at the same
time for the ultimate in backup.


Part IV
=======

Feel free to call me.


Regards,

George Toft, CISSP, MSIS
623-203-1760




Bryan O'Neal wrote:
> As always Hans, you're a life saver!~ I will contact him tomorrow and see what we can work out...
>
> And by cheap server, I mean slower, older, less expensive, since it takes one periodic encrypted stream instead of 50+ people all trying to attach to one or more of 20 or more different apps. Cheap colo to me means someone who offers a low bandwidth option, not necessarily an insecure, shoddy, or suspiciously low priced establishment... Part of my whole "emphasize what matters and do not over-engineer" philosophy.... My backup server cost about $2K while the servers it serves cost closer to $20K...
>
> I remember my statics professor's favorite pop quiz was "given the following structure (usually a bridge of some design) find and remove all non-essential members and calculate the cost savings based on the following formula..." Man, I loved engineering... Up until deformable solids and numerical methods, that is... But that is way off topic, I should probably go to sleep soon...
>
> -----Original Message-----
> From: [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of der.hans
> Sent: Saturday, March 31, 2007 1:35 AM
> To: Main PLUG discussion list
> Subject: Re: Backups - Offsite solutions -Security Regulations
>
> On 30 Mar 2007, Bryan O'Neal wrote:
>
> Hello Bryan,
>
>
>>I have a financial broker that needs offsite backups, but as a
>>financial institution they have more sensitive information than I am
>>used to dealing with outside the confines of the government, and I am
>>not sure what needs to be done (legally speaking) to protect the data.
>>I would
>
>
> Contact George Toft, www.GeorgeToft.com. He does some consulting in this area. He also recently gave a presentation on compliance at LOPSA's Sysadmin Days.
>
>
>>like to slap some cheap server in a cheap colo with an encrypted drive
>
>
> Cheap server and cheap colo don't make me think secure.
>
>
>>and just pump automated backups over an ssh tunnel using rsync (like I
>>do for my company's backups), but I do not know if there are any
>>specific security (physical and encryption) rules that I need to meet.
>>Right now my company's backup server rotates through the homes of the
>>key players, but I don't think that is a good idea for a machine that
>>holds non-public information.
>
>
> If you're storing credit card info the credit card corps have requirements as well as what the government requires. Also, in December some new requirements went into effect for .az.us. George covered that in his LOPSA presentation.
>
> ciao,
>
> der.hans

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
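The DIYBU setup George sketches in Part III (rsync over ssh to a colo box with an encrypted filesystem, plus monitoring that alerts when a backup is missed), as an added example that is not part of the thread; the host, paths, the util-linux `mountpoint` check and the 26-hour freshness limit are assumptions:

```shell
#!/bin/sh
# Added example (not from the post). Assumed layout: $SRC is the local data,
# $DEST_HOST is the colo box and $DEST_DIR is an encrypted filesystem mounted
# there (LUKS/dm-crypt or similar); the local $STATE_DIR tracks the last good run.
SRC="${SRC:-/srv/data}"
DEST_HOST="${DEST_HOST:-backup@colo.example.net}"
DEST_DIR="${DEST_DIR:-/mnt/crypt/backups}"
STATE_DIR="${STATE_DIR:-/var/lib/backup-state}"
MAX_AGE_HOURS="${MAX_AGE_HOURS:-26}"   # daily job plus slack; older than this is a miss
# Refuse to write unless the encrypted filesystem is mounted: otherwise rsync
# would land the data on the bare disk underneath (mountpoint is from util-linux).
remote_crypt_mounted() {
    ssh -o BatchMode=yes "$DEST_HOST" "mountpoint -q '$DEST_DIR'"
}
# rsync transfers only the changed parts of files; --delete mirrors removals,
# -z compresses on the wire, ssh provides the encrypted transport.
run_backup() {
    remote_crypt_mounted || { echo "ALERT: $DEST_DIR not mounted on $DEST_HOST" >&2; return 1; }
    rsync -az --delete -e "ssh -o BatchMode=yes" "$SRC/" "$DEST_HOST:$DEST_DIR/" \
        || { echo "ALERT: rsync to $DEST_HOST failed" >&2; return 1; }
    record_success
}
# Record the time of the last good run so an independent check can spot gaps.
record_success() {
    mkdir -p "$STATE_DIR"
    date +%s > "$STATE_DIR/last-success"
}
# Age of the last successful backup in whole hours, or -1 if none was ever recorded.
backup_age_hours() {
    f="$STATE_DIR/last-success"
    [ -r "$f" ] || { printf '%s\n' -1; return 0; }
    echo $(( ( $(date +%s) - $(cat "$f") ) / 3600 ))
}
# Returns 0 when fresh, 1 with an ALERT line on stderr when missing or stale.
# Run from cron or your monitoring system, separately from the backup job,
# so a job that silently never starts is still caught.
check_backup_age() {
    age=$(backup_age_hours)
    if [ "$age" -lt 0 ]; then
        echo "ALERT: no successful backup recorded in $STATE_DIR" >&2; return 1
    elif [ "$age" -ge "$MAX_AGE_HOURS" ]; then
        echo "ALERT: last backup is ${age}h old (limit ${MAX_AGE_HOURS}h)" >&2; return 1
    fi
    echo "OK: last backup ${age}h ago"
}
case "${1-}" in
    backup) run_backup ;;
    check)  check_backup_age ;;
esac
```

Schedule `backup` nightly and `check` from a separate host or monitoring job; the check only reads the local state file, so it needs no access to the colo box.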