Tale of the tape: Encrypt data now

By Joel Snyder
Network World, July 4, 2005

Original Article on Network World Web Site

Data should be encrypted in transit. All you need to remember are those six words. When your company ships a pile of back-up tapes from Point A to Point B, that's "in transit." The data on those tapes should be encrypted. Period. End of discussion.

Let me put it another way. People connect to your network over the Internet via some kind of VPN that uses encryption, right? You wouldn't think of shutting down your IPSec or SSL VPN and going back to unencrypted Point-to-Point Tunneling Protocol would you? "Of course not," you say. Well, that's data in transit, and it's encrypted. Not because you think that anyone is necessarily trying to listen in. But just in case.

It's the same way with back-up tapes that you plan to ship somewhere. You can probably send tapes out every day, even twice a day, for years and never lose a set. But as good as FedEx may be, chances are it's going to lose a package sooner or later. So just in case, the data should be encrypted. It's inexpensive-there's no excuse for not encrypting. By network standards, tape drives are dog slow. Your average $300 home firewall will encrypt at 70M to 80M bit/sec - nearly twice as fast as your typical digital linear tape drive. And that dual-CPU, 3.2-GHz server you're using to run the tape drives can do it without breaking a sweat.

What bothers me about this issue are the amazingly long rivers of text written by people who don't understand why operations managers who don't encrypt data in transit should be fired. This is not a complex issue; it's a simple one. I feel like Ernest Hemingway here. Encrypt your data.

Of course, I know why the tapes aren't encrypted. It's that status quo thing I wrote about in my last column . Operations managers have been directing backups for 10, maybe 20 years. Back then, we never thought about the security of data on tapes, and many operations managers have never revisited the issue. The security team probably never thought to call up the operations team and ask about this topic.

But when the first lost back-up tape story hit the news months ago , it should have shocked every operations manager in the world into saying, "I need to start encrypting data tomorrow." Those who aren't encrypting their back-up tapes today should be fired tomorrow. There's no excuse for not doing this, other than incompetence.

Once we get these negligent operations managers out of the way, we can start in on the IT people who are passing out corporate laptops without encrypted hard drives and Web designers who aren't using SSL encryption on every page. And a hint to the security team: If you're not reaching into every corner of your company and asking these questions, your services could be "no longer required" shortly.