Is Your Data Recovery Solution a Data Security Problem? How to Protect Your Critical Data When Working With a Data Recovery Vendor DriveSavers White Paper February 2009


Introduction

Today’s IT security professionals enforce aggressive enterprise-wide security programs to minimize the risk of data leakage and a security breach. The facility is protected with locks, alarms, access controls and video cameras. The network is protected with firewalls, content filtering, and 24/7 real-time monitoring. Drives are protected with full disk encryption, and data files are password protected.

But what happens when a hard drive fails – they all do – and it must leave the confines of the secure enterprise environment for data recovery? A 2007 survey of companies by The Ponemon Institute revealed this disturbing fact: 40 percent of the data security breaches the companies experienced occurred while third-party vendors were in possession of their data.

How much do you know about your data recovery provider? Does your provider adhere to industry standards for protecting sensitive data stored on your company’s failed drives? What are their protocols for securely shipping/receiving data storage devices? How secure is their network? Are they trained to manage encryption keys appropriately?

Data breach must be a consideration anywhere critical data can be accessed. If your data recovery service provider’s network is hacked, and critical customer data is accessed, your company could be liable. Vendors who hold or handle sensitive information must be able to prove they can adhere to the same security standards as corporations and government agencies.

This white paper outlines trends and facts behind digital data loss, and examines the increasing financial costs, regulatory penalties, productivity losses, and customer loyalty risks associated with a breach in data security. It supports the need for IT professionals to engage with qualified data recovery service providers who can quickly and cost-effectively restore business critical data while protecting that data from unwanted and costly breach.

The document concludes with data security standards and protocols that should be adhered to by the data recovery provider. These guidelines will help IT professionals preserve the integrity of critical data when it must leave the confines of their own secure environment for recovery.

THE SITUATION:

Digital data is the life force of every company today. The amount of data being created and stored is increasing exponentially

A study conducted by International Data Corporation (IDC) estimates that the size of the “digital universe,” the total volume of digital information that is created and replicated globally, reached 281 billion gigabytes (281 exabytes) in 2007, which adds up to about 45GB of digital information for each person on earth. As drive densities increase to keep up with storage demands, a single drive failure could wipe out a terabyte of data or more.

MAIN CAUSES OF DATA LOSS (Source DriveSavers, Inc. 2008 Jobs Received)

HARDWARE OR SYSTEM MALFUNCTIONS – 80%
Electrical failure. Head/media crash. Controller failure

Symptoms
• Error message stating the device is not recognized
• Lose access to data
• Scraping, clicking or grinding sound
• Hard drive stops spinning

Tips to Prevent Data Loss
• Avoid static electrical charges when handling media
• Use computers in a dry, ventilated, dust-free area
• Connect system to an uninterruptible power supply (UPS)

HUMAN ERROR – 5%
Accidental file deletion. Reformatting of drive. Physical trauma to drive

Symptoms
• “File Not Found” message
• Data is no longer accessible

Tips to Prevent Data Loss
• Never upgrade any system without a verified backup
• Power down before moving computer

SOFTWARE CORRUPTION – 10%
Corruption by diagnostic or repair tools. Failed backups. Configuration complexity

Symptoms
• System messages relating to memory errors
• Software application won’t load
• Error message stating data is corrupted or inaccessible

Tips to Prevent Data Loss
• Back up data regularly
• Use diagnostic utilities only when appropriate

COMPUTER VIRUSES – 2%
Boot sector. File infecting. Polymorphic

Symptoms
• Blank screen
• Strange and unpredictable behavior
• “File Not Found” message

Tips to Prevent Data Loss
• Use up-to-date software for data security and virus protection
• Scan all incoming data and packaged software for viruses

NATURAL DISASTERS – 3%
Fires. Floods. Power Surges. Brownouts

Symptoms
• Severe weather
• Natural and man-made catastrophes

Tips to Prevent Data Loss
• Invest in redundant backup systems
• Establish a structured backup procedure
• Periodically test the backups
• Keep at least one verified copy of backups off-site

THE PROBLEM:

All hard drives fail...

It is not a matter of “if”, but “when”. Hard disk drives are mechanical devices, vulnerable to damage from a variety of sources, including a physical head crash, external trauma (dropping or collision), power surges, temperature extremes, etc. In addition to physical failures, data loss can also result from virus attacks, system malfunction, or human error. Even storage manufacturers warn users to protect their data with frequent backups, and regular diagnostics of the drives.

...and data is still not being backed up

Despite the widespread availability of stable backup hardware platforms and software tools, many important files continue to be stored in a single, vulnerable location, and all too often backups go unverified.

Symantec sponsored a survey by Rubicom Consulting in December of 2008 to determine how effectively businesses across the US protect their data, and whether their data protection practices have kept pace with data growth.

The survey findings (listed below) revealed that while the majority of companies listed backup strategy as their #2 computing priority, many continue to rely on manual backup strategies that leave their data vulnerable to human error, breaches, theft, or natural disasters.


■ About 2 percent conduct no server backup. Among those who do back up their servers, about half back up weekly or less often.

■ Most backups are stored on site. These local backups leave companies vulnerable to theft or disaster.

■ Even among companies that perform some sort of backup, only 25 percent report always being able to recover lost data.

■ Very small companies had the highest rate of permanent data loss. 15 percent of businesses employing one to four people say they have never been able to recover lost data.

■ Data loss can have a severe impact. 25 percent of the companies surveyed report that data loss has caused severe disruptions to their business.

■ The speed of recovery is critical. Regardless of size, companies must recover important information quickly or face damage to their business. About one-quarter of midsize companies (100-249) report that losing access to data for even one day would cause permanent business loss.

The Rubicom study concluded that many companies follow risky backup practices, ranging from manual backups to storing critical backup data in the same location as the host computer, and that half of the SMBs surveyed reported they had lost data.

Even companies that do follow strict backup procedures, however, are still at risk of data loss. By some estimates, more than half of all backups are unsuccessful in whole or in part, due to media failure, human error, software failure, hardware failure, or network failure.

Lost data results in lost production. Consider the investment of time and money required to recreate customer databases, accounting records, source codes, test and measurement data, graphics and video files, and other intellectual property. The most critical data sets could take days, months, or even years to recreate. What would the impact on the business and the brand be if that data were lost forever? According to estimates published by the US government, ‘enterprise data loss’ cost businesses nearly $105 billion last year.

THE RISKS:

Incidents of data breach are on the rise, as are the financial costs and productivity losses incurred from data leakage

Since January 2005, the Privacy Rights Clearinghouse has identified more than 250 million records of U.S. residents that have been exposed due to security breaches. Ask the Federal Bureau of Investigation about identity theft, and the numbers will stagger you:

Every year, an estimated 10 million Americans have their identities stolen. The costly aftermath totals about $50 billion annually. (Source: The Privacy Rights Clearinghouse.)

“Failure is inevitable” – Richard Sawyer, Director of Data Center Technology for American Power Conversion

[Figure; source: The Ponemon Institute, 2007]


The cost of data leakage in the business environment is also increasing. According to a study conducted by Forrester Research in 2007, an information security breach may cost from $90 to $305 per lost record, based on a survey of 28 companies who suffered some type of data breach. Costs associated with data leakage included legal fees, call center costs, lost employee productivity, regulatory fines, loss of investor confidence and customer losses.

Another study on the cost of data breach was conducted in 2007 by The Ponemon Institute and sponsored by PGP Corporation and Vontu, Inc. This study examined costs incurred by 35 organizations from 15 different industry sectors that had experienced a data breach of records ranging from less than 4,000 to more than 125,000. Among the study’s key findings, the following was ascertained:

1. Third-party data breaches are increasing, and cost more:

Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 40 percent of respondents, up from 29 percent in 2006 and 21 percent in 2005. Breaches by third parties were also more costly than breaches by the enterprise itself, averaging $231 compared to $171 per record.

2. Cost of lost business is accelerating:

The cost of lost business continued to increase at more than 30 percent, averaging $4.1 million or $128 per record compromised. Lost business now accounts for 65 percent of data breach costs compared to 54 percent in the 2006 study.

3. Increased customer churn rates help drive lost business costs higher:

In 2007, the average resulting abnormal customer churn rate was 2.67 percent, an increase from 2.01 percent in 2006. Greater customer turnover leads to lower revenues and a higher cost of new customer acquisition resulting from increased marketing to recover lost customer business.


4. Legal defense, public relations costs are increasing:

Indicating continued growing dissatisfaction and action over a data breach, the costs organizations expended for legal defense and public relations grew to 8 percent and 3 percent of total breach costs, respectively.

5. Organizations with high expectations of trust and privacy have more to lose from a data breach:

For example, the cost of a data breach for financial services organizations was $239 per compromised record, or more than 21 percent higher than the average.

In spite of an organization’s concerted efforts to deploy security compliance initiatives throughout the enterprise, data breaches continue to occur, underscoring the need for enterprise IT/IS managers to proactively protect their data, their brand reputation, and their business.


Governments respond with more regulations on data security compliance

Companies that don’t deal with data security issues proactively could face potentially significant liability. All three branches of the US Government, at the state and federal levels, are focused on identity theft, leading ultimately to increased statutory, regulatory, and legal pressure on corporations to protect personal data, as well as protect their businesses from subsequent financial and productivity losses.

As of 2007, at least 35 states in the US have passed laws requiring organizations and government agencies to notify customers, employees, and other affected individuals when a breach of protected personal information occurs due to human error, technology problems, or malicious acts. In addition, both the US Senate and House of Representatives continue to evaluate federal laws regarding data privacy and breach notification.

A new law in Massachusetts, effective May 1, 2009, outlines stringent requirements for the handling of their residents' personal information with proposed penalties of $5,000 to $50,000 per data breach violation. This law requires companies to develop, implement, maintain, and monitor a comprehensive, written program with heightened procedures in place. Compliance will likely require major changes to administrative, technical, and physical policies. Similar to the California Senate Bill 1386, the law applies to any person or business that conducts business in the state.

Your company could be headquartered in Anchorage, Alaska, but if you handle the personal information of one single MA resident you must comply with the new rules. The rules of this law also extend to service providers who will have to be certified as compliant by the hiring organizations no later than Jan. 1, 2010. (Source: James Irion, Risk Management Consultant)

Considering new government regulations that place the blame of data loss squarely on the shoulders of the enterprise, the rise in third-party incidents of data breach, and the increased financial impact on an organization versus an in-house breach, data protection policies and systems used with and by third-party outsourcers or consultants should be closely evaluated.

REGULATORY AND DATA LEAKAGE LANDSCAPE (Source: A SANS Whitepaper, April 2008 - Sponsored by Utimaco and Trend Micro)

Regulation: PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI/DSS) (International)
Focus: Protection of payment card data and related consumer/business details during processing, transmission and storage
Data Leakage Protection Implications: A widely-adopted set of specific technical and policy controls around implementation, assessment and audit of systems transacting financial data

Regulation: GRAMM-LEACH-BLILEY ACT (GLBA) (United States)
Focus: Protection of consumer non-public personal information (NPPI) data in financial services industry
Data Leakage Protection Implications: Administrative and cryptographic processes for protecting data at rest and in motion, including physical safeguards

Regulation: SARBANES-OXLEY ACT (SOX) (United States)
Focus: Protection of sensitive data related to financial reporting in public companies
Data Leakage Protection Implications: Provides guidance for public companies in designing and reporting on the controls in place for protecting financial information

Regulation: EURO-SOX (European Union)
Focus: Protection of sensitive data related to financial reporting in public
Data Leakage Protection Implications: Requires mandatory encryption for financial reporting data and other related sensitive information at rest, in transit, and during processing

Regulation: HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) (United States)
Focus: Protection of electronic patient healthcare data and information (Note: Works with HIPAA Privacy)
Data Leakage Protection Implications: Specific recommendations for access control, risk analysis, data disposal, and re-use, data encryption (addressable), policy and documentation requirements

Regulation: CALIFORNIA SENATE BILL 1386 (SB 1386) (United States)
Focus: General protection of individual's private information
Data Leakage Protection Implications: Foundation data breach legislation that has prompted similar legislation at all levels. Unencrypted electronic, sensitive data is subject to the disclosure provisions

Regulation: DATA PROTECTION ACT (DPA) OF 1984 (Amended 1998) (United Kingdom)
Focus: Handling of personal information for all UK industries and businesses
Data Leakage Protection Implications: Deals with proper disclosure, rights of access to information, transmission and processing, and proper protective measures. No specific technical measures mentioned


THE SOLUTION:

Data security standards and protocols for the data recovery facility that will protect the integrity of critical data during the data recovery process

The data recovery industry has grown in tandem with the data storage industry. A search today on Google under the term “data recovery” will generate over 50 million results. Most data recovery companies appear to offer the same level of services and security. But, data recovery is a delicate business, and running utilities software is not always an appropriate solution. The first attempt to spin up a drive and perform recovery could be the last and only chance to access critical data stored on it. Who among the 50 million are truly qualified to recover it successfully? Who can you trust with your data? How do you choose?

The following standards for all data recovery service providers were published to help those who have lost critical data confidently select a reputable data recovery firm. Bottom line? Ask your service provider for proof that they can meet and uphold these standards before releasing a data storage device to their facility.

1. Confirm that the facility’s information technology controls and processes have been audited by accounting, auditing and information security professionals, and verified to be operating effectively to provide maximum data security.

Compliance with auditing standards, such as the Statement on Auditing Standards (SAS) 70, assures that every aspect of the facility and network is secure and will protect personal and confidential data from being compromised. Certified, control-oriented professionals, who have experience in accounting, auditing and information security, conduct an audit of a service provider’s data hosting control objectives, activities and related processes over a period of time (typically 6-12 months). The audit focuses on identifying and validating control standards that are deemed most critical to existing and prospective clients of the service provider, and covers all aspects of security in the facility; both network and physical.

Since the introduction of the 2002 Sarbanes Oxley Act (Section 404), following the Enron debacle, the SAS 70 audit has become the Corporate Industry Standard for an overall control structure. While a SAS 70 Type I audit verifies the “description” of controls and safeguards that a service organization claims to have in place, the SAS 70 Type II audit verifies that all data hosting controls and objectives are actually in place, suitably designed, enforced, and operating effectively to achieve all desired security control objectives.

2. Ask for proof that network security testing and monitoring are integrated into the provider’s security program, and that critical systems, (e.g., firewalls, routers, servers) are configured, maintained, and certified to be operating according to the organization’s security policy.

A professional data recovery provider should temporarily archive recovered data on their network until the customer has received it, and verified its integrity. The need for strong, verifiable security measures is necessary to protect network assets, employee endpoints, and sensitive customer data, such as e-mail servers, databases, and proprietary information.

Every element of the provider’s network should act as a point of defense. It must feature innovative behavioral methods that will automatically recognize and adapt to new types of threats as they arise. Best in breed solutions allow for rapid response to emerging threats such as malware propagation spread by e-mail, SPAM, and botnets; phishing attacks hosted on websites; attacks targeting increasing extensible markup language (XML) traffic; service-oriented architecture (SOA); web services; and zero-day attacks that occur before antivirus companies have developed new virus signatures to combat them. A comprehensive “defense-in-depth” approach to network security should, at minimum, include the following:

■ Regular vulnerability assessments, penetration testing, and related reports
■ Management of the network firewall, including monitoring, maintaining the firewall's traffic routing rules, and generating regular traffic and management reports
■ Intrusion detection management, either at the network level or at the individual host level, intrusion alerts, keeping up-to-date with new defenses against intrusion, and regular reports on intrusion attempts and activity
■ Providing mitigation support after an intrusion has occurred, including emergency response and forensic analysis
■ Content filtering services, for electronic mail (i.e. email filtering) and other traffic.
■ Data archival


3. Make sure that the service provider is cleared to offer High Security Service, and can demonstrate chain-of-custody protocols that meet US Government standards.

Government agencies, law enforcement bureaus, and other legal entities in the US and abroad require third-party service providers to comply with the most stringent security standards and chain-of-custody protocols. The data recovery service provider should offer documentation that will demonstrate how their customer’s data will be protected while in transit, at point of receipt at the facility, and to point of departure. Chain-of-custody protocols should include:

■ Use of a government approved courier service
■ The hardware to be recovered should be packed in a tamper proof/resistant shipping container
■ All service providers’ employees have undergone background checks
■ Scanning of bar code on storage device upon receipt. Serial number is checked against client information in the database. Date/time and who received the device is logged into customer record
■ Customer is provided with notification that the device has been received, and data recovery process has begun
■ Dates/times/and personnel handling the device are logged into the customer record as the device moves through the data recovery process

Protocols for High Security Service include all of the above protocols, in addition to the following:

■ Non-disclosure agreements are signed and chain-of-custody documentation is provided
■ The recovery is performed in a secure area, on a stand-alone system that is not networked, and only running when an authorized engineer is present and monitoring the job
■ Only approved personnel with proper access cards are allowed access to the area where the recovery is performed
■ Data set is never archived on the network
■ Data set is always stored in a DOD-approved safe
■ Secure, encrypted electronic data transfer service is available, if required

4. Ask to see certifications that data recovery engineers are trained to properly recover data from encrypted files and drives.

Sophisticated networks and device protection won’t keep sensitive business data secure once it’s on the move. Whether lost or stolen, encrypted data is useless to anyone but an authorized user, even if someone violates access controls. According to a recent study conducted by Forrester Research Inc., 22 percent of respondents said they plan to pilot or adopt full disk encryption or file-level encryption in the next 12 months.

In June of 2006, a Presidential mandate required all federal agencies and departments to encrypt data stored on their mobile computers and devices. The US General Services Administration (GSA) then awarded Data at Rest encryption contracts to various software companies. Data at Rest refers to any data residing on hard drives, thumb drives, laptops, etc. The purpose of this mandate was to mitigate the impact of lost or stolen data that could be used to distinguish or trace an individual’s identity.

There are hundreds of encryption tools out there and each one is unique. If the integrity of encrypted data is a concern, make sure your recovery service provider has technicians who are certified experts in multiple encryption recovery techniques and processes, and are capable of providing customized data recovery solutions that will meet your most stringent data security requirements when handling encrypted files and drives:

■ Engineers should be familiar with all versions of encryption software and can provide custom security solutions for returning recovered data or handling encryption keys
■ Provider can offer encryption recovery options:
  • Engineers can create sector-by-sector images of the source drive during the recovery process to protect the original data from being compromised
  • Sector-by-sector image can be transferred to a target drive and returned with original encryption still intact
  • Data can be restored and decrypted at the service provider’s facility to verify the integrity of data and returned to the customer encrypted or fully decrypted. The encryption username, password and/or key must be provided to the service provider, if this method is chosen
  • A secure, encrypted electronic data transfer service should be available upon request
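The sector-by-sector imaging option above, sketched as an added example (it is not DriveSavers' tooling and not code from the white paper): the copy never interprets the contents, so ciphertext reaches the target unchanged, unreadable sectors are zero-filled and recorded so offsets stay aligned, and a SHA-256 digest lets the customer confirm the returned image. The 512-byte sector size, the function names and the in-memory sample "drive" are assumptions made for the illustration.

```python
import hashlib
import io

SECTOR = 512  # assumed logical sector size; many newer drives use 4096


class FlakySource(io.BytesIO):
    """Constructed stand-in for a failing drive: reading a listed bad sector raises OSError."""

    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad = set(bad_sectors)

    def read(self, n=-1):
        if self.tell() // SECTOR in self.bad:
            raise OSError("unrecoverable read error")
        return super().read(n)


def image_sector_by_sector(src, dst, total_sectors):
    """Copy src to dst one sector at a time without interpreting the contents.

    Returns (SHA-256 hex digest of the image as written, list of unreadable sectors).
    """
    digest = hashlib.sha256()
    unreadable = []
    for lba in range(total_sectors):
        src.seek(lba * SECTOR)
        try:
            block = src.read(SECTOR)
        except OSError:
            block = b""
        if len(block) != SECTOR:
            # Keep every later sector at its original offset: zero-fill and record the gap.
            unreadable.append(lba)
            block = b"\x00" * SECTOR
        dst.seek(lba * SECTOR)
        dst.write(block)
        digest.update(block)
    return digest.hexdigest(), unreadable


def verify_image(dst, total_sectors, expected_hex):
    """Re-read the target from the start and compare it with the digest taken while imaging."""
    digest = hashlib.sha256()
    dst.seek(0)
    for _ in range(total_sectors):
        digest.update(dst.read(SECTOR))
    return digest.hexdigest() == expected_hex


if __name__ == "__main__":
    # Constructed sample: eight sectors of arbitrary bytes standing in for an encrypted volume.
    volume = bytes((i * 37 + 11) % 256 for i in range(SECTOR * 8))
    target = io.BytesIO()
    sha, bad = image_sector_by_sector(FlakySource(volume, bad_sectors=[3]), target, 8)
    print("image sha256:", sha)
    print("unreadable sectors:", bad)
    print("target verifies:", verify_image(target, 8, sha))
```

The list of unreadable sectors belongs in the job record next to the digest, so the customer knows which parts of the returned image are filler rather than recovered data.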

5. Unwanted hard disk drives can be recycled properly, and classified or sensitive data can be erased permanently, when required.

You cannot completely erase files from your computer by deleting them, emptying the recycle bin, or quick formatting your hard drive. These processes just remove the information the hard drive needs to find the data, not the data itself, allowing it to be recovered. A study by Simson L. Garfinkel, author of Database Nation, found that drives purchased online routinely contain sensitive or confidential data. To prove his point, Garfinkel purchased an old ATM machine hard drive that contained 827 unique PIN numbers, and a second drive previously owned by a medical center, which contained 31,000 credit card numbers.

To remove data beyond all practical ability to recover it, a wiping or erasing utility can be used to overwrite every sector of the hard drive with a pattern of binary 1’s and 0’s. If you wish to permanently destroy a hard disk drive that contains sensitive data, however, a degausser is the best method to render the classified or sensitive data stored on magnetic media completely unusable. Those that meet government security standards are ideal tools for compliance with DoD and Federal requirements or privacy legislation.
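The difference between deleting and overwriting described above, as an added example on a toy in-memory "drive" (not code from the white paper, and not a real file system): deleting drops only the file-table entry, a raw scan of the sectors still finds the records, and overwriting every sector with read-back verification leaves nothing to find. The image layout, the PIN=dddd record format and all function names are assumptions constructed for the illustration.

```python
import re

SECTOR = 512  # assumed sector size for this toy image


def make_image(records, sectors=16):
    """Build the toy drive: sector 0 holds a 'name:sector:length' file table, data starts at sector 1."""
    img = bytearray(SECTOR * sectors)
    table = []
    for lba, (name, data) in enumerate(records, start=1):
        img[lba * SECTOR:lba * SECTOR + len(data)] = data
        table.append(f"{name}:{lba}:{len(data)}")
    entry = "\n".join(table).encode()
    img[:len(entry)] = entry
    return img


def list_files(img):
    """What the operating system shows: names parsed from the file table in sector 0."""
    raw = bytes(img[:SECTOR]).rstrip(b"\x00").decode()
    return [line.split(":")[0] for line in raw.splitlines() if line]


def quick_delete(img, name):
    """Model of delete or quick format: drop the table entry, leave the data sectors untouched."""
    raw = bytes(img[:SECTOR]).rstrip(b"\x00").decode()
    kept = [line for line in raw.splitlines() if line.split(":")[0] != name]
    img[:SECTOR] = "\n".join(kept).encode().ljust(SECTOR, b"\x00")


def carve(img, pattern=rb"PIN=\d{4}"):
    """Scan the raw data sectors for residual records, ignoring the file table entirely."""
    return re.findall(pattern, bytes(img[SECTOR:]))


def overwrite_all_sectors(img, passes=(b"\xff", b"\x00")):
    """Overwrite every sector with each fill pattern in turn, then verify the last pass by read-back."""
    sectors = len(img) // SECTOR
    for fill in passes:
        for lba in range(sectors):
            img[lba * SECTOR:(lba + 1) * SECTOR] = fill * SECTOR
    expected = passes[-1] * SECTOR
    return all(bytes(img[lba * SECTOR:(lba + 1) * SECTOR]) == expected
               for lba in range(sectors))


if __name__ == "__main__":
    # Constructed sample records; the PIN values are made up.
    drive = make_image([("atm.log", b"PIN=4821 PIN=0093"), ("notes.txt", b"hello")])
    quick_delete(drive, "atm.log")
    print("files after delete:", list_files(drive))
    print("still recoverable :", carve(drive))
    print("wipe verified     :", overwrite_all_sectors(drive))
    print("after overwrite   :", carve(drive))
```

On a real drive the overwrite goes through the block device, and sectors the firmware has remapped, or spare flash on an SSD, cannot be reached that way.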

With the introduction of the Sarbanes-Oxley Act (SOX), SAS 70 took on increased importance. SOX heightened the focus placed on understanding the controls over financial reporting and identified a Type II SAS 70 report as the only acceptable method for a third party to assure a service organization's controls. Security “certifications” are excluded as acceptable substitutes for a Type II SAS 70 audit report.

Conclusion

Incidents of data breach among third party vendors are on the rise, and corporate and financial organizations are now demanding detailed information about their service provider’s ability to meet mandated security requirements. Professional data recovery service providers must prove their ability to uphold the same security standards as corporations and government agencies. To avoid the legal and financial ramifications of an unwanted breach in security, choose a data recovery service provider that has undergone security audits by accounting, auditing and information security professionals, and is verified to provide maximum data security from point of receipt to point of departure.

About DriveSavers

DriveSavers is the worldwide leader in data recovery, with a solid reputation built on outstanding customer service, consistently high success rates, and the fastest standard turnaround time in the business. In 2008, DriveSavers invested millions of dollars in cleanroom and network technology, as well as training and certification, to provide our customers with the highest degree of security available in the data recovery industry today. DriveSavers is the premier provider of fast, reliable and certified secure data recovery. We are the only data recovery service provider in the world that has received SAS Type II certification. At the heart of our certified secure environment is a Cisco® Self-Defending Network, protected by an all-inclusive “defense-in-depth” architecture. All data recoveries are performed in our ISO 5 certified cleanroom environment, the most technologically advanced data recovery cleanroom in the industry. Our data recovery engineers have undergone extensive training and are certified by all leading encryption software vendors. You can view all our authorizations and certifications on our website, at www.drivesavers.com/proof.

About the Author

Michael Hall is the Chief Information Security Officer for High Security Programs and Director of PC Engineering at DriveSavers Data Recovery. With over 13 years' experience in data recovery technology, focusing on high-end arrays, he has successfully recovered data from over 12,000 failed storage devices. Hall supports corporate and government accounts with security protocols designed to meet their specific criteria. He was instrumental in DriveSavers' SAS 70 Type II certification, the deployment of our Cisco® Self-Defending Network and the installation and certification of our ISO 5 (Class 100) cleanroom. Michael also was the driving force behind the training of our data recovery engineers, who received encrypted data recovery training and certification from PGP, GuardianEdge, PointSec/Checkpoint, Utimaco and EnCase.

©2009 DriveSavers, Inc. All Rights Reserved. DriveSavers Data Recovery, the DriveSavers logo, and “We can save it!” are registered trademarks of DriveSavers, Inc. All other trademarks are the property of their respective owners.