efolder White Paper: The Truth about Data Integrity: 5 Questions to ask your Online Backup Provider



Similar documents
An Introduction to Cryptography as Applied to the Smart Grid

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

U.S. Federal Information Processing Standard (FIPS) and Secure File Transfer

Certification Report

Cryptography & Digital Signatures

Analyzing the Security Schemes of Various Cloud Storage Services

SecureCom Mobile s mission is to help people keep their private communication private.

Authentication requirement Authentication function MAC Hash function Security of

DRAFT Standard Statement Encryption

Fixity Checks: Checksums, Message Digests and Digital Signatures Audrey Novak, ILTS Digital Preservation Committee November 2006

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Acano solution. Security Considerations. August E

Message Authentication Codes

Crypho Security Whitepaper

CPSC 467: Cryptography and Computer Security

Message Authentication

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

White Paper: Librestream Security Overview

SUSE Linux Enterprise 12 Security Certifications Common Criteria, EAL, FIPS, PCI DSS,... What's All This About?

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

SENSE Security overview 2014

PLATFORM ENCRYPTlON ARCHlTECTURE. How to protect sensitive data without locking up business functionality.

Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Guide to Data Field Encryption

SSL A discussion of the Secure Socket Layer

HOW ENCRYPTION WORKS. Introduction to BackupEDGE Data Encryption. Technology Overview. Strong Encryption BackupEDGE

EMC VMAX3 DATA AT REST ENCRYPTION

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1

Certification Report

HIPAA Privacy & Security White Paper

Ciphire Mail. Abstract

SkyRecon Cryptographic Module (SCM)

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Cryptography and Key Management Basics

SecureDoc Disk Encryption Cryptographic Engine

Certification Report

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

Security Policy Revision Date: 23 April 2009

Symantec Backup Exec 11d for Windows Servers New Encryption Capabilities

EMC Symmetrix Data at Rest Encryption

Ensuring Data Integrity in Storage: Techniques and Applications

Is Your SSL Website and Mobile App Really Secure?

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

M-Shield mobile security technology

CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS

Healthcare Compliance Solutions

Secure Network Communications FIPS Non Proprietary Security Policy

efolder White Paper: How to Choose the Best Cloud Backup Service for Google Apps

Network Security Part II: Standards

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

How To Evaluate Watchguard And Fireware V11.5.1

FIPS Security Policy LogRhythm Log Manager

Healthcare Compliance Solutions

efolder White Paper: How to Choose the Best Cloud Backup Service

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Trends in Enterprise Backup Deduplication

Security Policy. Security Policy.

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Client Server Registration Protocol

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Principles of Computer Security. Dr George Danezis

The Misuse of RC4 in Microsoft Word and Excel

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

Data Integrity Means and Practices

Data Management and Retention for Standards Consortia

IronKey Data Encryption Methods

Government of Ontario IT Standard (GO-ITS) Number Security Requirements for the Use of Cryptography

Establishing a Mechanism for Maintaining File Integrity within the Data Archive

SECURITY IN NETWORKS

IT Networks & Security CERT Luncheon Series: Cryptography

Project: Simulated Encrypted File System (SEFS)

NXP & Security Innovation Encryption for ARM MCUs

Künftige Cyber-Attacken: Risiken und Techniken. Future Cyber attacks: Risks and techniques. Prof. Dr. T. Nouri sd&m

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms

Big Data, Big Security:

Certification Report

External Supplier Control Requirements

Tamper protection with Bankgirot HMAC Technical Specification

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Usable Crypto: Introducing minilock. Nadim Kobeissi HOPE X, NYC, 2014

SubmitedBy: Name Reg No Address. Mirza Kashif Abrar T079 kasmir07 (at) student.hh.se

FIPS Security Policy LogRhythm or Windows System Monitor Agent

SSL BEST PRACTICES OVERVIEW

Using BroadSAFE TM Technology 07/18/05

Freescale Security Backgrounder Page 1

Implementation Vulnerabilities in SSL/TLS

GE Measurement & Control. Cyber Security for NEI 08-09

CLOUD COMPUTING SECURITY ARCHITECTURE - IMPLEMENTING DES ALGORITHM IN CLOUD FOR DATA SECURITY

HIPAA Security Matrix

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

What users should know about Full Disk Encryption based on LUKS

Savitribai Phule Pune University

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions

Table of Contents. Bibliografische Informationen digitalisiert durch

Cryptographic and Security Testing Laboratory. Deputy Laboratory Director, CST Laboratory Manager

Transcription:

efolder White Paper: The Truth about Data Integrity: 5 Questions to ask your Online Backup Provider January 2015

Introduction Competition is fierce in the exploding online backup industry. With so many providers, whom can you trust with your customers data? As a managed service provider, your customers are trusting you to employ solutions that will get them back their data when they come asking for it. Fewer issues are more sensitive than lost or corrupt data. Finding a place to back up data is easy these days, but discerning which provider can get back the verifiably correct data all the time every time is much harder. Slick websites and smooth-talking salespeople are no help here. This questionnaire will help you discover the empirical facts you need to determine whether or not to entrust your customers data with an online backup provider. Q1: Which established standards do you follow for your cryptography? In the complex world of cryptography, following well-established standards is the only sure path to safety. An excellent example is the proprietary GSM A5/1 cell phone encryption algorithm, which was subsequently broken. Another risk is that even if the encryption algorithm itself is standardized (such as AES), if the use of that algorithm (called cipher mode) does not follow standards, it is subject to serious flaws. For example, one provider used AES in CTR mode, but chose to deviate from the NIST 800-38A standard and re-used the IV, causing their solution to become vulnerable to known-plaintext attacks. Ask about standards with respect to the following: encryption, hashing, and MAC algorithms, cipher modes, and pass phrase key generation. Q2: Is your cryptography implementation well-known and open-source? Cryptography is hard to implement correctly and securely, especially if it needs to be fast. Improper implementations are vulnerable to timing attacks. Bugs can also cause data corruption. Another danger is the presence of back-doors in an implementation that would allow access to the data without the encryption key. If a provider is using an established open-source cryptography library, the community has scrutinized the source code to make sure that it is correct, secure, and fast. 2

Q3: Which cryptographic primitives are used to protect the integrity of the data? Many providers focus so much on using cryptography to protect the confidentiality of your data that they do not consider another important aspect: data integrity. Encryption only provides secrecy but not data integrity. This is why cryptographic message authentication codes (MACs) must be used in addition to encryption. A MAC provides a cryptographic fingerprint that detects malicious tampering and accidental or silent corruption. Ask which MAC algorithm is used, whether MAC fingerprints are stored on disk, and whether the fingerprints are verified upon restore. Q4: Which mechanisms and processes are used to protect against silent data corruption? Silent data corruption is caused by physical failures, corrupted or buggy firmware, misdirected writes, driver bugs, filesystem bugs, and human error. A recent study by CERN found that in a sample size of 8.7TB with 33700 files, 1 in 1500 files had some corruption, with an overall bit error ratio (BER) of 1^10-7. Any hardware-only solution, including RAID, will not provide end-to-end coverage of all issues. Ask what technology is used to detect and repair silent data corruption, length of block checksums, where those checksums are verified and repaired, how much data redundancy is employed for repair, and whether the cipher mode is sensitive to single-bit errors. Be wary of providers that say integrity is provided through mirrored data centers without mechanisms specifically for silent data corruption without detection mechanisms any data corruption will be silently mirrored to the other data center as well. Q5: How often is the integrity of actively changing and archived data actively verified? Frequently verifying data integrity mitigates risk through early detection and repair. Also, while systems should have a defensein-depth solution so that silent data corruption never occurs, responsible solutions will have an open reporting policy, which is especially important for regulatory compliance. Ask how often the integrity of actively changing is verified, how often the integrity of archived data (historical and non-changing data) is verified, and who is notified if corruption ever occurs. 3

Conclusion No matter who you choose for online backup, make sure it s one that provides the highest level of data integrity protection. Finding a solid technical solution now will give you the confidence to sell to your customers without reservations or doubts. For questions or feedback, contact our team at support@efolder.net or by phone at (678) 888-0700. 4

The Truth about Data Integrity Online Backup Provider Questionnaire Worksheet efolder Provider 2 Provider3 Q1: Which established standards do you follow for your cryptography? Standards for encryption algorithms? AES-256 bit FIPS-197 Standards for cipher modes? CTR, NIST 800-38A, RFC 3686 Standards for MAC algorithms? HMAC-SHA-256, RFC 2404 Standards for hashing algorithms? SHA-256, RFC 2104 Standards for pass phrase key generation? PBKDF2, RFC 2898 Standards for asymmetric cryptography? RSA-3072 bit Q2: Is your cryptography implementation well-known and open source? Name of cryptography library? OpenSSL Is cryptography library open source? Q3: Which cryptographic primitives are used to protect the integrity of the data? MAC sent/verified during transmission? Network MAC algorithm? HMAC-SHA-1 MAC stored on-disk with data? On-disk MAC verified during restore? MAC mismatches reported during restore? On-disk MAC algorithm? HMAC-SHA-256 On-disk MAC based on strong cryptography? Q4: Which mechanisms and processes are used to protect against silent-data corruption? Technology to detect silent-data corruption? 256-bit error-correcting software checksums, End2End hardware ECC Use of software-based checksums? Length of checksum? 256-bit Level of data redundancy for repair? Close to Triple Mirror Estimated BER of detect/repair technology? 10-45 Cipher mode sensitive to single-bit errors? No Q5: How often is the integrity of actively changing and archived data actively verified? How often is actively changing data verified? Every Backup How often is archived data verified? 1-2 Times Monthly Is all redundant data verified as well? Corruption notification policy? Reseller immediately contacted with file name and block # Refusal of a provider to disclose high-level information because of security concerns is in opposition to a well-known principle in cryptography called Kerckhoff s Law, and may be a sign of insecure design choices or lack of confidence in the security of the cryptographic primitives employed by their solution. Corporate Headquarters 2340 Perimeter Park Drive, Suite 100, Atlanta, GA 30341 n 678-888-0700 n www.efolder.net 2015 efolder, Inc. All rights reserved. efolder is a trademark of efolder, Inc. efolder MAKES NO WARRANTIES, EXPRESSED OR IMPLIED, IN THIS DOCUMENT. 01/15 EF248

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information