Archive for the ‘data management’ Category

Data loss is only one component of data breach.

Tuesday, December 2nd, 2008

In years gone by, the main (even sole) concern which businesses had regarding data was the direct consequences to themselves of losing data. The questions they asked themselves centred around an inward-looking theme.

What data do we need to retain to ensure survival?
How will data loss affect us?
How long will it take us to get back up and running should we lose data which is backed up?
Will we be able to get back up and running if we lose data which is not backed up?

These are all valid questions, but every one of them misses the main concern, which has always existed but has come to the fore in the past few years.

How will it affect other people and organisations?

Just to bring some clarity to inward-looking people, the above question also equates to the following.

Will we be sued, prosecuted or shown in the media to have compromised client data?

This changes the perspective and adds a whole new required functionality to the issue. We are now moving up from basic backup to actual data protection.

So, a manual drag and drop of files to an external pen drive or hard drive which is bandied about in a director's car at night may, to a small degree, offer an element of simple backup. It does, however, very likely significantly increase the risk of data loss. This is not recognised by companies and individuals who are only interested in retaining a copy of data for themselves. If they look beyond this blinkered and recklessly narrow focus they will see that the net effect is to place copies of client data in dangerous situations.

Ask yourself this.
Would I be satisfied if every company I have ever dealt with had personal and identifiable information pertaining to me being driven about in staff cars overnight?

Absolutely not. All this does is increase the number of potentially available copies of this information for the companies involved and also increase the risk of breach to those about whom the data relates.

So, simple backup is too narrow a focus. Offsite only helps if it does not, as a consequence of being offsite, increase data protection risk factors.

The next time you consider the importance of a file, don’t just consider how much you need that file. Also consider how much others need that file (and any other versions of it applicable to you) protected from public release.

Keep passwords safe with password safe.

Thursday, November 20th, 2008

From an end user viewpoint, the key to any secure system is indeed managing the key. As an online backup provider, a major concern for us is that clients retain their encryption details and do so in a safe manner and on a different system (and also in paper format) to the online backup source computer.

These same clients will have numerous other non online backup passwords and authentication details which they will also need to retain. Reusing a single password across multiple applications is not good practice, and therefore even occasional computer users will likely have a considerable number of passwords to retain. These will range from critical passwords to the seemingly mundane. If a password is required, the associated application is likely to be confidential in nature. This can be online banking, system logon, email, forum membership, host management and a wide variety of other applications.

If you need guidance on choosing passwords, you should read the Bruce Schneier-penned guide in the Guardian.

The crux of this post, however, is keeping passwords safe after you have chosen them.
An excellent application to assist with this is Password Safe, developed under the supervision of Bruce Schneier, a world-renowned expert in data security. Password Safe is a free application. It uses the Twofish block cipher (designed by Counterpane Labs).

You can download Password Safe from SourceForge. The very short FAQ list for this app is testament to the simplicity which has been successfully applied to the user experience of this far from simple technology.

Great app. No strings. No cost. No ads. No compromise.

My Review of Sun Storage 7210 Unified Storage System

Tuesday, November 18th, 2008

Originally submitted at Sun Microsystems

Check out the Sun Storage 7210 Unified Storage System. You get a compact server/storage solution with 48 TB of capacity in a energy-efficient 4U package. Plus, it comes with Enterprise Flash technology and diagnostic software, enabling you to improve application performance, increase production upt…


Backupanytime.com say Storage 7210

By Backupanytime.com from Ireland on 11/18/2008

4 out of 5

Pros: Reliable, Quiet, Fast Connectivity, Durable

Best Uses: Backup, Multimedia

Describe Yourself: Tech Savvy

Primary use: Business

Anything below the 7210 is simply not a 7210. Anything above it is a major investment. The 7210 offers the space, versatility, value per gig and future proofing to suit a wide range of company sizes and data storage requirements. Remember also that we are talking serious inbuilt protection and product backing. Any other brand which appears attractive from a price point represents a major drop in quality compared with the Sun Storage 7210.

Data security for dummies

Monday, November 17th, 2008

There is much misunderstanding of data security. This applies not just at end user level but also quite generally at overall small business level. Much of this is attributable to an ever growing and widely misused information technology vocabulary. Much of this vocabulary is brought about by the intended use of trade and company names by interested parties when producing instructions, guides and white papers.

For this reason, an understanding of data security may only be obtained by reducing the factors affecting and important to information security to micro or atomic level. This has been approached by many. Here we are interested in the work of third party academics and not in interested business parties.

Three classic data security components are confidentiality, integrity and availability.
They are known as the CIA triad: CIA being the combined first letters of the three terms, and triad meaning a group of three. The CIA triad was later extended into what is now known as the Parkerian hexad: Parkerian because it was proposed by Donn B. Parker, and hexad because the number of elements was increased to six.

The six elements of information security (in our case, data security) according to the Parkerian hexad are as follows.

  1. Confidentiality
  2. Possession or Control
  3. Integrity
  4. Authenticity
  5. Availability
  6. Utility

A list can serve to prompt incorrect assumptions, so let's take a closer look at these data security principles. You may not want to get into the academics, but someone in or representing your organisation needs to have a clear insight so you can actively avoid data breach as opposed to simply protecting against data loss.

First off, why these six elements? Surely there are thousands of terms applicable to information. These six elements are widely agreed among data academics as being at micro or atomic level. They are considered to be essential and non-overlapping from the point of view of information security.

Confidentiality deals with the who in data. Information which is available to nobody is essentially useless, and it is therefore agreed that no matter the level of confidentiality required there must be a default exception list with at least one entry. The confidentiality of data is therefore measured by comparing the required access with the actual access allowed.

Possession and control may seem to an extent to overlap with confidentiality, but it is agreed to be a component in its own right. An example would be a letter addressed to you arriving at someone else. They may not open it, but regardless, possession and control have been breached.

Integrity of data deals with the state of data and the effect on it of any modification, intended or otherwise. Integrity therefore applies not only to point-in-time condition but to potential modifications by users, software and incidents.

Data authenticity is not only different from integrity but has a broader focus. Authenticity deals with labelling data. This applies not only to the intended managed data store but to data introduced to the organisation through communications. An example would be a communication received from a party claiming to be from an origin different from the actual one. Even if this is ignored and the recipient does not become the victim of any intended crime, in real terms simply not knowing of the intention, regardless of the failure of the perpetrator, is in itself a breach. Another, more innocent example would be a form filled out incorrectly, in which an applicant or respondent accidentally places an email address in a name input box. Any failure to validate this is a data authenticity issue.

Data availability deals not only with the possibility of accessing required information but with any time lag in availing of information, in normal and data outage circumstances. Nanosecond delays in normal circumstances may be a technical availability issue but not a concern such as that brought about by an hour's delay, a full day's delay or a total outage scenario.

Utility of data deals with the practical area of the benefits of data stored. How useful is the data? This applies also to the ability to read the data, in so far as the format it is stored in and any conversions applied or required to read it. Even encryption can be said to affect the utility of data due to the time required to decrypt before reading. This is not to say that encryption is not recommended. Encryption is absolutely necessary in most business environments. Utility can be confused with availability. It is, however, quite distinct from availability. An example highlighting this would be data converted to generate a graphic display. However well matched mathematically and helpful from a human viewpoint a visual display may be, it represents a utility modification.
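Three of the hexad elements above are defined in terms that can be checked mechanically: confidentiality as the difference between required and actual access, integrity as whether stored data still matches its last known-good state, and authenticity as whether a submitted field is the kind of thing its label claims (the post's email-in-the-name-box example). The following Python is an added example written for this page, not code from the blog or from any product it mentions; the asset names, principals, form fields and record bytes are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed sample: the access each record SHOULD have (required) versus
# what the file server actually grants (actual). Names are placeholders.
REQUIRED_ACCESS = {
    "clients/acme.csv": {"alice", "bob"},
    "payroll.xlsx": {"finance"},
}
ACTUAL_ACCESS = {
    "clients/acme.csv": {"alice", "bob", "contractor"},  # one extra principal
    "payroll.xlsx": {"alice"},                           # wrong principal entirely
}


def access_gaps(required, actual):
    """Confidentiality check as the post defines it: compare required access
    with actual access. Returns {asset: (excess, missing)} where 'excess' are
    principals with access they should not have (a confidentiality gap) and
    'missing' are principals who should have access but do not (an
    availability gap). Assets with no difference are omitted."""
    gaps = {}
    for asset in set(required) | set(actual):
        req = required.get(asset, set())
        act = actual.get(asset, set())
        excess = act - req
        missing = req - act
        if excess or missing:
            gaps[asset] = (excess, missing)
    return gaps


def integrity_ok(data: bytes, expected_sha256_hex: str) -> bool:
    """Point-in-time integrity: does the digest of the stored bytes still
    match the digest recorded when the data was last known good?
    compare_digest is used so the comparison time does not depend on where
    the two strings first differ."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex)


# Deliberately simple shape check: local part, '@', domain with a dot.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def authenticity_issues(form: dict) -> list:
    """Field-level authenticity validation for a submitted form: each value
    must be the kind of thing its label claims. Returns a list of human
    readable problems; an empty list means the form's labels are trustworthy."""
    issues = []
    name = form.get("name", "")
    email = form.get("email", "")
    if "@" in name:
        issues.append("name field contains an email address")
    if email and not _EMAIL_RE.match(email):
        issues.append("email field is not a well-formed address")
    if not name.strip():
        issues.append("name field is empty")
    return issues


if __name__ == "__main__":
    for asset, (excess, missing) in access_gaps(REQUIRED_ACCESS, ACTUAL_ACCESS).items():
        print(f"{asset}: excess={sorted(excess)} missing={sorted(missing)}")

    # Constructed record and its known-good digest, then a tampered copy.
    record = b"client: ACME Ltd, balance: 1200.00\n"
    known_good = hashlib.sha256(record).hexdigest()
    print("integrity intact:", integrity_ok(record, known_good))
    print("integrity after tamper:", integrity_ok(record.replace(b"1200", b"9200"), known_good))

    print(authenticity_issues({"name": "jane@example.com", "email": ""}))
```

Run it as a script to see the three checks against the sample data; in practice `REQUIRED_ACCESS` would come from a data classification register and `ACTUAL_ACCESS` from the file server's effective permissions, so that the excess set is a concrete list of confidentiality exposures to remove and the missing set a list of availability problems to fix.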

In summary

Data security represents a process, not a task. Data security is never 100% certain. Innocent parties may suffer a breach despite the best will of the data administrator concerned. All this said, risk reduction is a clear responsibility for which clear steps must be taken. The consequences for everyone should a business not make acceptable efforts are also clear, as is the distinction between those who took action to protect data and those who did not.

xdrive stop charging customers

Wednesday, November 12th, 2008

There has been much talk and speculation about X-Drive for some time now. As of one week ago they stopped charging clients and those same clients have until January 12th to remove their data.

The biggest question is: What happens to clients who do not know about or react in time to the closure?
The official xdrive answer is this.
“After January 12, 2009, you will no longer be able to access your Xdrive account. All files and data will be permanently deleted and you will no longer be able to retrieve your files.”

This is unbelievable. Need it from the horse's mouth? Here, see question 3 on xdrive will delete client data.

This is hardly the level of data protection one would expect. This is not the level of data availability which would have been considered acceptable at sign-up. As for data loss, well, this looks to be a future data loss story for some. Having an online store (thinking you have an online data store) could cause recklessness at the client end, and while this may be questionable from the client's responsibility viewpoint, they can hardly be held responsible all on their own.

An obvious and far from well thought out response to the horror of this would be to say that a closing entity cannot and should not keep client data. A little more client concern would surely result in, at the very least, a far longer zero-charge period. Notice during the paying period does not equate to giving something to those clients who are inconvenienced and may be ruined by the closure. Realistically, any inability to directly communicate the details of the intended closure, with verified response from every single client, should be seen as of absolute importance. Logs of verified client-end account closure could provide a list of accounts which have not been closed. A good communications campaign should result in a short list of accounts pertaining to uninformed or unresponsive clients. These accounts could then be kept open, or at least the data retained, for a far greater non-billing period than two months.
After all, many providers will give a two month trial. If this can be offered to potential clients, many of whom will never pay, surely a far greater period could be given to actual clients.
This all blows smoke in the face of the real question: why close xdrive?
The answer obviously has to do with financials, but the proximate cause of this type of result generally has more to do with aggressive client acquisition through weak cost-benefit analysis.

This is common in the data storage industry. You the end user are offered much space and limited functionality and support on the basis of economies of scale and guesstimates about data transport cost.

If the provider gets it wrong, i.e. the other clients don't join and behave as anticipated, this makes your online storage "data non gratis" and at risk of suffering the plight of the xdrive client.

The moral of the story is that you get what you pay for. If this was lucrative for AOL this would not be happening. If it was considered viable by outside entities (and this does not require it to be lucrative) it would be bought. There will however be no buyout or merger honeymoon for xdrive clients. For most it is provider divorce. For some it may be data divorce.
