Securing backup media

Everyone knows that you need to make backups and test them, right? But have you considered the security issues of backup media after you've performed your nightly duty?

Backup media requires specialized and focused security controls. Just think about it: a single piece of backup media can easily contain over 100 GB of confidential, secret, sensitive, proprietary and/or private data, and it can be concealed in a jacket pocket or a briefcase. While it may be difficult or nearly impossible for someone to swipe one of your network servers, walking out of your facilities with a piece of backup media is merely a matter of shoplifting and concealment.

Backup media should first and foremost be clearly and distinctly labeled, not just with labels defining the content stored on it but also with the classification level of the data. Once labeled, media should retain that label for its lifetime. Never ever reuse media from a higher classification level to store data at a lower classification level. Remember that it is nearly always possible to recover data even after it has been deleted and overwritten on magnetic storage devices and media. Media should be treated with the same -- or greater -- security precautions warranted by the classification of the data it holds.

Once media is classified, it must remain under the proper security controls for its classification for the lifetime of that media. That means from the moment the media is written until it is securely destroyed.

The activities and events in the life of each piece of media should be logged: its movements, storage locations and chain of possession should be written down and verified. Media should be transported securely from the onsite backup devices to the offsite secure storage location.
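
One way to verify such a log, as an added example that is not part of the original article: a short Python audit that checks the chain of possession and the rule against reusing media at a lower classification. The classification scheme, event fields, media IDs and custodian names are assumptions made up for the example.

```python
from dataclasses import dataclass

# Assumed classification scheme, lowest to highest (not from the article).
LEVELS = ["public", "internal", "confidential", "secret"]

@dataclass
class Event:
    media_id: str
    action: str   # "write", "transfer" or "destroy"
    actor: str    # person or site performing the action
    detail: str   # write: data classification; transfer: recipient; destroy: method

def audit(events):
    """Return (entry number, media id, finding) for each rule violation in the log."""
    label, holder, destroyed, findings = {}, {}, set(), []
    for n, e in enumerate(events, 1):
        if e.media_id in destroyed:
            findings.append((n, e.media_id, "activity after destruction"))
            continue
        # Chain of possession: only the recorded custodian may act on the media.
        known = holder.setdefault(e.media_id, e.actor)
        if e.actor != known:
            findings.append((n, e.media_id, f"custody gap: {known} -> {e.actor}"))
        if e.action == "write":
            prev = label.get(e.media_id)
            # Never store lower-classified data on higher-classified media.
            if prev and LEVELS.index(e.detail) < LEVELS.index(prev):
                findings.append((n, e.media_id, f"reuse of {prev} media for {e.detail} data"))
            else:
                label[e.media_id] = e.detail  # assumption: a higher write raises the label
        elif e.action == "transfer":
            holder[e.media_id] = e.detail
        elif e.action == "destroy":
            destroyed.add(e.media_id)
    return findings

# Constructed sample log; all media IDs and custodian names are made up.
SAMPLE_LOG = [
    Event("TAPE-001", "write", "operator-a", "confidential"),
    Event("TAPE-001", "transfer", "operator-a", "courier"),
    Event("TAPE-001", "transfer", "courier", "vault"),
    Event("TAPE-002", "write", "operator-a", "secret"),
    Event("TAPE-002", "transfer", "operator-b", "vault"),       # wrong custodian
    Event("TAPE-002", "transfer", "vault", "operator-a"),
    Event("TAPE-002", "write", "operator-a", "internal"),       # downgrade reuse
    Event("TAPE-001", "transfer", "vault", "disposal-vendor"),
    Event("TAPE-001", "destroy", "disposal-vendor", "shred"),
    Event("TAPE-001", "transfer", "disposal-vendor", "courier"),  # after destruction
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Each finding carries the log entry number, so a reviewer can go straight to the handoff that was never recorded or the media that was reused.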

If you can adopt the mindset that backup media are pocket-sized portable versions of your organization's data assets, you'll be able to adequately plan and implement security controls, precautions and deterrents. If you fail to place importance on backup media management and handling, then you are effectively handing your IT infrastructure over to anyone who wants access. Secure media management should be addressed in your security policy and the exact procedures to perform should be defined in your standards, guidelines and procedures documentation.

About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.

This was first published in August 2002
