Posts Tagged ‘encryption’

Stand up laptop thief.

Tuesday, December 2nd, 2008

Laptop theft is a serious problem. The guy in this video may come across as being over the top, sanctimonious, threatening, obsessive and well just plain scary. If every laptop theft victim had his attitude it is likely that the incidence of stolen laptops would drop quite significantly. I wouldn’t like to be the target in the class.

The speaker's failures, however, would appear to be in the areas of encryption and data backup. If these two issues were addressed correctly, his data would not get into the wrong hands and would still be available to him.

Conclusion?

Having the attitude, diction and power of a lecturer and having your target trapped in the room just doesn't compare in effectiveness with having your data encrypted and backed up.

If he had an account with Backupanytime, not only would he have his data, we could assist in retrieving his laptop. How can an online backup service provide a stolen laptop retrieval service? See here: http://www.backupanytime.com/blog/2008/10/21/backupanytime-stolen-laptop-retrieval-service/

Keep passwords safe with password safe.

Thursday, November 20th, 2008

From an end user viewpoint, the key to any secure system is indeed managing the key. As an online backup provider, a major concern for us is that clients retain their encryption details and do so in a safe manner and on a different system (and also in paper format) to the online backup source computer.

These same clients will have numerous other non-online-backup passwords and authentication details which they will also need to retain. Using a single password for multiple applications is not good practice, and therefore even occasional computer users will likely have a considerable number of passwords to retain. These will range from critical passwords to the seemingly mundane. If a password is required, the associated application is likely to be confidential in nature. This can be online banking, system logon, email, forum membership, host management and a wide variety of other applications.

If you need guidance on choosing passwords, you should read the guide Bruce Schneier wrote for the Guardian.

The crux of this post however is keeping passwords safe after you have chosen them.
An excellent application to assist with this is Password Safe, developed under the supervision of Bruce Schneier, a world-renowned expert in data security. Password Safe is a free application. It uses the Twofish block cipher (designed by Counterpane Labs).

You can download Password Safe from SourceForge. The very short FAQ list for this app is testament to the simplicity that has been successfully applied to the user experience of this far from simple technology.

Great app. No strings. No cost. No ads. No compromise.

Bank of Ireland stolen USB key

Friday, November 7th, 2008

Subscribers and regular readers will recall the Bank Of Ireland stolen laptops story. Whatever preventative measures were put in place at the time appear to have had limited effect on protecting USB keys. The use of USB keys is in itself questionable practice outside of circumstances in which the data is encrypted and the key is for convenience only, not a singular or critical copy.

Even small enterprises are moving away from the use of micro devices for unencrypted data. The affordability and convenience offered by USB keys did for a time make them a data storage solution for individuals. The extent and obviousness of the risks coupled with the scale of reported incidents have removed USB key usage from the allowed list of many responsible companies.

This particular incident relates to account numbers, names and addresses (not full addresses, but if the wrong people have a name and a partial address they can surely work out the rest in many cases) for just under 900 clients. Financial information was not breached, but this will offer little comfort to the victims (customers) of this breach.

The bank has said it has no reason to believe the information has fallen into the wrong hands. Given that the device is lost, it could fall into anyone's hands. Additionally, given that USB keys have a physical value (however nominal), it is likely that the device will not be ignored when spotted.

Given the absence of adamant and repeated claims that the data was encrypted, it would appear possible that it was not. We do not know for sure yet. If it was not encrypted, this will not instil great general confidence given previous incidents and opportunities to resolve the basic but essential tenet of encrypting confidential client and third-party information. If it was encrypted, there is little to worry about from the viewpoint of data privacy and the focus can move to asset protection.

So, the question remaining is: was the data encrypted? If so, Bank Of Ireland should speak up, as they have protected their clients from inevitable circumstances; device loss or theft will take place even if security and individual responsibility are managed well.

If the data was not encrypted, B.O.I. have much explaining to do this time round.

10 Online storage traps.

Sunday, October 26th, 2008

Data retention period.
Any data retention period or version number limits will apply regardless of how much space is offered. Ensure you check these stats. Space as a singular variable can do little to save you from retention limit traps.

Third party software.
The focus here is industry-specific or custom software which you use in your business. Often, programmes from smaller software houses with limited beta participants can present difficulties from a backup point of view. One of these is version and patch history. The net effect of this can be that a disaster recovery leaves you in a scenario in which you have the backup files as required by the software vendor, but there are potential difficulties or delays regarding which versions, patches, updates or installation types match your environment at the time of the backup or incident. For these reasons it may be prudent to demand a test restore without use of the existing software load. In this type of restore you would simulate a disaster recovery: all the vendor would have is what he or she said they needed. Only this type of test can verify that the combination of software, backups and software vendor instructions adds up to adequate protection.

Hidden charges.
Charges can apply to installation, licensing, support, transfer, restore, disaster recovery, agreed limit excess and many more service components which you may believe to be included. Any comparison between two providers will be of limited accuracy if these details are not clarified from the outset.

Supplier dependability.
Absolutely no assumptions can be made here. Insist on references appropriate to your business and check them.

Supplier autonomy.
Any dependence on third-party companies under which your chosen online backup company must work brings potential future difficulties and risk to your data. Your provider's ability to maintain these relationships may depend on technical, marketing or financial commitments over which you have no control. If possible, identify a provider who offers multiple solution types and is not dependent on any outside entity. If there is an outside entity, then you need to establish communication with them or even consider going direct.

Automated billing.
Beware of automated billing. Your systems may suddenly start backing up exceptionally large quantities of data without any intention on your part to make this happen. This (in an automated billing environment) could result in uncommunicated charges to your credit card or bank account and leave you uninformed regarding inaccuracies in your backup set. Fair billing, on the other hand, works by charging an agreed amount per month. Should your data quantities exceed a crucial point, you will be alerted to this and can decide if you want the excess data included or assistance with removing it.

Auto select dangers.
Correct use of auto-select features in online storage systems assists with ensuring important file types are included. Inappropriate auto-select usage, or failure to revisit and check auto-select settings, can result in new file types or extensions for critical applications being overlooked. As with many very helpful technology functions, auto-select is a double-edged sword and requires attention to detail to ensure it works for the organisation.

Encryption code data lockout.
No matter how uninvolved or hands-off your providers are, you should have received a good deal of communication and warnings from them regarding the retention, storage and management of encryption information. If this is not the case, you should consider moving to a new supplier as a matter of urgency. Your encryption details are specific to you and should be known only by you. The level of encryption used needs by default to be strong enough to protect your data, and as a consequence is likely strong enough to lock you out should you not manage your encryption and encryption details correctly. Your provider has a responsibility to ensure you are aware of this. If your provider ensures you are aware of this, then they are offered some protection from any charge of you being locked out of your data through neglecting encryption responsibilities about which you have been informed and subsequently reminded. If this is the first you have heard of encryption responsibilities, then you should move to another remote backup provider as a matter of urgency.

Data in transit security.
Remote storage companies in the main like to speak of the level of encryption they offer for data in storage. You will hear less specific information regarding the encryption provided for data in transit. This is predictably enough because the encryption provided for data in transit is generally less than that offered for data in storage. This is common among providers but needs to be looked at if you want a like-with-like comparison and, more importantly, want to ensure your data in transit is safe.

Database support.
Don't allow any provider to convince you that you will not need database support. Databases are more than common. The pervasiveness of database applications, even at home user level, means databases are likely to be considered ubiquitous from a backup viewpoint. Ensure your chosen company gives you SQL, Exchange and open file management as standard. Any charges for these components could make what seems like good value today a very expensive proposition in time to come. Also, the inclusion of support for these data types reduces the likelihood of an attempt to apply improper backup of these data types, as integrated support often in itself highlights these data types and makes correct backup procedure not just more likely but somewhat more difficult to get wrong.

Small business encryption services. SME encryption.

Tuesday, October 7th, 2008

Many small business owners consider encryption as a panacea for data leak and the devastating consequences of a data outage becoming public. Encryption can indeed offer a level of protection but with all technology implementations come increased responsibility and paradoxically a new type of risk.

If you are new to encryption and know little beyond the fact that it exists to make data readable only by those privileged to hold a key, it may be advisable for you to start off with our encryption for dummies post. If you have previously read that post, or independently of it have a basic grounding in encryption, please read on.

When you introduce encryption to your organisation you will need to allow for the following.

Availability of information to authorised persons. Encryption will not work from a business perspective as a total lock-down. Some local users will need immediate, temporary or permanent access to information on a basis of merit. Total lock-down reduces this availability, increases the time frame to availability and can result in a requirement to issue decryption keys to large numbers of people, therefore negating some of the intended benefits of encryption.

Encryption key management. Assuming you avail of a quality encryption system, the loss of your encryption key will mean that access to your data will be, up to a point, as difficult to achieve as you intended it to be for cyber criminals. One of your primary responsibilities will be to manage your encryption keys.

Key system security. This area is often missed and is of paramount importance. The concern here is that if the key management system itself is not secure, outside concerns (namely cyber criminals) could amend your code and literally hold you to ransom with regard to being able to get access to your own data. This amounts to a denial of service attack on your own data and is not the type of reward you want for employing encryption in your organisation.

User key life-cycle. Should someone leave your organisation, you want to disable their access and decryption key capability. This requires at least some user level management and is somewhat removed from a single store, single code, multi user environment. Your provider needs to be aware of this requirement.
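The key management and user key life-cycle points above, as an added example (not Backupanytime's system or any vendor's product): one data-encryption key is wrapped separately for each user, so a leaver's copy can be deleted without re-encrypting the data or re-issuing a shared code, and a wrong passphrase is refused by the authentication tag rather than silently producing garbage. The user names, the passphrase-derived user keys and the HMAC-based cipher standing in for AES are assumptions for the demonstration only; deleting the last wrapped copy is exactly the lockout the page warns of.

```python
import hashlib
import hmac
import secrets


def _sub(key, label):
    # Separate encryption and MAC subkeys derived from one key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a PRF stream: a stdlib stand-in for AES (demo only).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_sub(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_sub(key, b"enc"), nonce, len(ct))))

def user_key(password, salt=b"constructed-demo-salt"):
    # Per-user key from a passphrase (assumption); use a random per-user salt in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class EncryptedStore:
    """Keeps only per-user wrapped copies of the data key (DEK) and ciphertexts, never the bare DEK."""

    def __init__(self, owner, owner_key):
        self.wrapped = {owner: seal(owner_key, secrets.token_bytes(32))}
        self.blobs = {}
    def _dek(self, user, key):
        if user not in self.wrapped:  # revoked or never enrolled
            raise PermissionError(f"{user} holds no wrapped key")
        return open_sealed(key, self.wrapped[user])  # wrong passphrase -> ValueError
    def enrol(self, by, by_key, new_user, new_key):  # an authorised user grants access
        self.wrapped[new_user] = seal(new_key, self._dek(by, by_key))
    def revoke(self, user):  # leaver: drop their copy; data and other users untouched
        self.wrapped.pop(user, None)
    def put(self, user, key, name, data):
        self.blobs[name] = seal(self._dek(user, key), data)
    def get(self, user, key, name):
        return open_sealed(self._dek(user, key), self.blobs[name])
```

If every entry in `wrapped` is removed, `blobs` is unrecoverable; a wrapped copy held by a recovery officer, kept off the backup source machine, is the guard against that.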

Encryption as a service. There are many encryption products available. Ultimately you want someone available to hold your hand should the encryption literally turn against you. This is non-recursive. Remember, subscription rather than once-off payments are a fairly good indicator of the level of service you can expect.

Technology moves fast. Your encryption needs to move at a similar pace. An encryption system which is secure and impressive today may tomorrow be broken to the point where step-by-step instructions are posted on the web. You need to employ a system which is updated by the provider on an ongoing basis.

Keep the purpose genuine. If your main concern when getting encryption is to be able to say you have it, you will likely end up with a well-marketed system which suits your marketing mindset. If, however, you approach encryption with the mindset of offering genuine protection to client data and ensuring that your encryption system brings compliance benefits (and requirements, of course) to your organisation, then you will end up with a system worth having.

Revisit your decision. Nothing as serious as encryption can be considered a fire-and-forget purchase. Revisit it. Discuss encryption with your peers and be aware of what the key companies in your industry use to protect data.

Absolute negative effect. With any new technology you need to know the absolute negative effect. This is the worst-case scenario appropriate to the installation, management or abuse of the technology proposed. Without a clear understanding of this you cannot put protection systems in place.

For example, with regard to encryption generally, a worst-case scenario may be considered as follows.

You no longer have access to your data. An outside party has access, is demanding a ransom, and is proving the level of malicious intent by distributing sample information damaging to third parties for whom you are responsible. Bad. Yes, it could possibly be even worse, but this is bad enough to show us a worst-case scenario.

With this knowledge you can now work with your intended provider, or an accredited partner of your intended provider, in configuring your local system and introducing or amending procedures to reduce risk. In most cases (practically all) risk cannot be totally removed, but it can be reduced to a level which puts the addressed concern on a lower level of need than other co-existing issues.

Source : Backupanytime original content. Date 7 October 2008. Update status : Never - Quarterly. Redistribution : With credits and no amendments, no permission required. With amendments, written permission required from backupanytime.

Backupanytime provide secure online backup services. While our encryption offers bank-level security for your online backup, we only provide encryption as a component part of our online backup system. Using online backup with a quality provider should include the use of encryption, but it is important to understand that your online-backup-specific encryption does not include any level of active data, local store or mobile user encryption, and the services of a cryptology expert should be sought to ensure general protection and compliance. Backupanytime regularly interview cryptology experts, and these interviewees may be an excellent starting point in your moves to bring encryption more generally into your business.
