Despite all the attention paid last year to data on backup tapes being lost in transit, storage experts say that the loss of 206,000 customers' sensitive personal data reported by the timeshare unit of Marriott International Inc. last week shows that many companies aren't protecting themselves as well from internal threats.
The tapes, according to reports, "disappeared" from the company's Orlando, Fla., offices and a spokesperson confirmed they were not lost in transit.
That leaves two possibilities: internal loss or internal theft. Either possibility carries with it the same penalty as a tape being lost by a courier -- the public relations nightmare of reporting data missing, and the potential exposure of customers to identity theft -- but, according to analysts, the internal risk hasn't been given as much attention in the past year.
According to Jon Oltsik, security analyst with the Enterprise Strategy Group, the Marriott case is "a classic example of a sophisticated IT shop burned by the most obvious of risks." He predicted that the coming year will see security "focused on insiders as well as outsiders."
In this case, experts say, it's all about the process. "Most [companies] have faulty processes even if they encrypt -- it's just less noticeable," said Steve Duplessie, founder of the Enterprise Strategy Group.
For companies concerned about internal security, the experts recommend monitoring and, if necessary, revising their internal handling of data and access controls. "Stealing tapes is not the most elegant, but one of the most effective attack factors," Oltsik said. "Many companies think about hacking in terms of getting root access to servers, but if they have weak physical security, someone can just walk out the door with a box of tapes."
Some companies, say the analysts, can be appalling when it comes to transporting tapes. "Cartridges can sometimes be left in unmarked boxes on a loading dock next to somebody's eBay package," Oltsik said. "Often the most important data goes through the least sophisticated processes."
"Some organizations move tapes, whether internally or externally, in sealed metal containers with tamperproof locks," said analyst Greg Schulz. "Others use Tupperware. Some protect them with a person at all times, and some just leave them in the lobby. In some ways it amazes me. Would you leave your wallet out in a lobby? Why leave tapes lying around?"
In general, the analysts noted, a good starting point for keeping tapes secure in-house is to evaluate the end-to-end process for handling the media. Who accesses it? How is it marked? How is it moved? Is there a tracking system? Do tapes have to be signed in and out?
It may seem an extraordinary measure, but as Oltsik points out, the risk, though underappreciated, is real. "In a survey we did last year, 23% to 25% of respondents said they'd had at least one internal security breach. That's not suspecting -- that's at least one internal breach they say they can prove. That's pretty scary."
It's not enough just to evaluate the way sensitive data is handled in-house. Companies have to follow through by changing risky practices. Keeping a log of who had access to a tape is fine, but it must be monitored for irregularities and, if irregularities occur, they must be responded to.
"Keep track of the patterns," Schulz said. "This won't stop just one instance of data loss -- this is for recognizing ongoing issues with your security."
One example of such a process at work, according to the experts, is for bar codes to be attached to tapes and read by tape libraries both coming and going. The bar codes could be set to be read by each machine on a set schedule, and if that schedule isn't followed, it could set off a security alert.
Furthermore, backup expert W. Curtis Preston of Glasshouse Technologies Inc. suggests a separation of powers -- a dual key concept like those used in missile silos so that no one person can circumvent the system. "In this kind of system, the person making backups is not the person who moves tapes, and the person who moves tapes can't make copies or write to tapes."
In other words, employ what Preston calls a "media relocation engineer." Designating such a person could prove a problem for smaller organizations, but moving backup tapes around could be a secondary job for someone else in the company, Preston noted.
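As an added illustration (not part of the original article, nor any vendor's product), the bar code schedule check and the separation of duties described above can be expressed as a small audit over a tape library's scan log. The log format, the four-hour window, the rule names and the operator names are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

MAX_OUT = timedelta(hours=4)  # assumed policy: longest a tape may be outside a library

# Constructed sample log: (time, tape bar code, event, operator)
SCAN_LOG = [
    ("2006-01-02 01:00", "T0001", "backup",   "alice"),
    ("2006-01-02 08:00", "T0001", "checkout", "bob"),
    ("2006-01-02 09:30", "T0001", "checkin",  "bob"),
    ("2006-01-02 01:10", "T0002", "backup",   "alice"),
    ("2006-01-02 08:05", "T0002", "checkout", "alice"),  # writer also moves the tape
    ("2006-01-02 09:00", "T0002", "checkin",  "alice"),
    ("2006-01-02 01:20", "T0003", "backup",   "carol"),
    ("2006-01-02 08:10", "T0003", "checkout", "bob"),    # never scanned back in
    ("2006-01-02 08:15", "T0004", "checkout", "bob"),
    ("2006-01-02 15:00", "T0004", "checkin",  "bob"),    # scanned in far too late
]

def audit(log, now):
    """Return sorted (bar code, rule) alerts for custody irregularities."""
    alerts = set()
    writers, movers, out_since = {}, {}, {}
    events = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), tape, ev, who)
                    for t, tape, ev, who in log)
    for when, tape, ev, who in events:
        role = writers if ev == "backup" else movers
        role.setdefault(tape, set()).add(who)
        # Dual-key rule: nobody may both write and move the same tape.
        if writers.get(tape, set()) & movers.get(tape, set()):
            alerts.add((tape, "separation-of-duties"))
        if ev == "checkout":
            out_since[tape] = when
        elif ev == "checkin":
            left = out_since.pop(tape, None)
            if left is None:
                alerts.add((tape, "checkin-without-checkout"))
            elif when - left > MAX_OUT:
                alerts.add((tape, "late-checkin"))
    # Tapes still outside a library past the allowed window.
    for tape, left in out_since.items():
        if now - left > MAX_OUT:
            alerts.add((tape, "overdue"))
    return sorted(alerts)

if __name__ == "__main__":
    for tape, rule in audit(SCAN_LOG, datetime(2006, 1, 2, 18, 0)):
        print(f"ALERT {tape}: {rule}")
```

Run on a schedule against the real scan log, the same checks surface the recurring patterns Schulz describes rather than a single missed scan.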
As for tapes left on a loading dock, "that just falls under stupid," Preston said. "Tapes must be handled by a person at all times and by a person who knows that what they're holding on to is the family jewels."
He added, "Someone who's still giving backup tapes with sensitive data in clear text to a common courier should just be fired."
Tape as a canary in the mine
"Stealing tapes is the most cumbersome and obvious way to take data," Oltsik noted. "If someone has gotten away with that, you have to look at what else they may have been doing -- reconfiguring Fibre Channel switches, switching out disks or getting root access to a server, which are much less obvious."
"In the end [the above suggestions] limit the ability of a person to get data out of an organization by using backup tapes but it doesn't prevent the same black hat from copying data and [FTP]ing or e-mailing it to themselves somewhere," Preston said. "All they need to do is open up two Windows -- they can even use encryption so you can't read who was in the system in the first place."
Oltsik and Preston suggested several further measures that can be taken to protect data inside an organization. Companies can make it so that e-mailing and FTPing from certain servers sets off a security alert, or remove the mail command from certain servers altogether.
Companies, the analysts said, can also set policies that personal e-mail accounts can't be used in the workplace by those handling sensitive data, monitor Exchange attachments, reserve the right to examine anything sent to FTP and consider whether or not to disable Secure Shell (SSH) access to their servers. As with monitoring internal controls for tape media, watch for trends in how data is handled, and then watch for aberrations from those trends.
"Security is a frustrating business," Preston said. "And the hardest thing to do is stop an internal black hat. The risk can't ever totally be eliminated -- it can only be minimized."