Everyone knows that you need to make backups and test them, right? But have you considered the security issues of backup media after you've performed your nightly duty?
Backup media requires specialized and focused security controls. Just think about it, a single backup media can easily contain over 100G Bytes of confidential, secret, sensitive, proprietary and/or private data that can be concealed in a jacket pocket or a briefcase. While it may be difficult to near impossible for someone to swipe one of your network servers, it is merely a matter of shoplifting and concealment to walk out of your facilities with a backup media.
Backup media should first and foremost be clearly and distinctly labeled. Not just with labels defining the content stored on them but with the classification level of the data. Once labeled, it should retain that label for the lifetime of the media. Never ever re-use media from a higher classification level to store data at a lower classification level. Remember that it is nearly always possible to recover data even after it has been deleted and overwritten on magnetic storage devices and media. Media should be treated with the same -- or greater -- security precaution warranted by the classification of data it holds.
Once media is classified, it must remain under the proper security controls for its classification for the lifetime of that media. That means from the moment the media is written until it is securely destroyed.
If you can adopt the mindset that backup media are pocket-sized portable versions of your organization's data assets, you'll be able to adequately plan and implement security controls, precautions and deterrents. If you fail to place importance on backup media management and handling, then you are effectively handing your IT infrastructure over to anyone who wants access. Secure media management should be addressed in your security policy and the exact procedures to perform should be defined in your standards, guidelines and procedures documentation.
About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
This was first published in August 2002