FDAnews
www.fdanews.com/articles/77863-don-t-neglect-important-backup-server-protection-expert-says

Don't Neglect Important Backup Server Protection, Expert Says

March 14, 2006

Many drug and device companies neglect a gaping hole in their edata protection network because they don’t guard their “back door,” said W. Curtis Preston, vice president of data protection for Glasshouse Technologies.

“This is some really scary stuff,” Preston, author of “The Storage Security Handbook,” “Using SANs and NAS” and “Unix Backup and Recovery,” told a webinar conference sponsored by SearchSecurity.com last month. For many companies, the backup server is one of hackers’ “big attack points,” he said.

The human factor may present the biggest challenge to a solution, Preston advised. The problem? Security and storage personnel often don’t speak the same language.

“Storage people don’t get enough security training to learn the security issues to look out for,” Preston said, while security people often lack training to understand how networked storage and backup systems affect security.

If the two groups aren’t working together, it makes it much easier for a hacker or other “black hat” to get inside your system and wreak havoc with your proprietary edata, he said. In addition to the obvious threats to your business, regulatory compliance rules are tough in this area, starting with 21 CFR Part 11 and other FDA predicate rules. At least 10 states, including New York and California, have laws that require companies to publicly notify people when their edata may have been breached.

Know Your Weak Points

To protect your company against backup server hacks, you must first understand the basic attack points favored by hackers.

A compromised or rogue backup server is a “big, big problem,” Preston said. If a hacker gets to your system in this way, he can change your edata, hide his work and install other “back doors” to make it easier for him to return.

While getting your storage and security teams to put their heads together more often is important, you should also explore different authentication methods to keep bad guys out of your system and to detect whether edata has been altered. Preston recommended “port binding” because it combines the strongest aspects of world wide name (WWN)-based zones and authenticates a user only if the user is on the right port. It is the “only authorization method that offers any meaningful authorization,” Preston said. He advocated using encrypted authentication sessions and data transfer sessions to stop enumeration.

“A good encryption system should allow you to have multiple access keys and one encryption key,” he said. Users should not know the actual encryption key, and anyone’s access key should be able to be changed or deleted at any time, he added.

“Good key management systems allow replication to a key escrow service,” Preston said. If you have a single-key system, you should separate the key from your media and require users to gain access to the key. Finally, set up a system through which no single person can “defeat” the key management system.

Remember the People

Don’t forget the human factor, Preston stressed. For starters, consider separating duties among your team whenever possible. “People will fight this concept,” but it is critical, he said. Consider assigning one person or team to handle media and another person or team to make backups.

You should also secure stand-alone drives, stackers, libraries and silos. “Backup people will hate this,” he warned, but it is also necessary. Finally, minimize the number of people who handle media, including off-site usage.

Treat the backup server as “the most sensitive server you have,” Preston said. As you minimize the number of people with full access to it, remove all plain-text access.

Finally, be vigilant when you “take out the trash.” How you discard used media is vitally important, he said, and you should put pressure on vendors to show they understand this. Used media that has not been completely and thoroughly erased can be a goldmine to black hats if they get their hands on it, he noted. “Scavenging is an important method of computer crime,” he added.

Before throwing out backup media containing unencrypted sensitive information, your operations and security staff should check to make sure it is truly unreadable. “The only reasonable protection against data theft is to make the garbage unreadable,” he said. — Michael Causey