Is Your Data Recovery Solution a Data Security Problem? How to Protect Your Critical Data When Working With a Data Recovery Vendor
Introduction

Today's IT security professionals enforce aggressive enterprise-wide security programs to minimize the risk of data leakage and a security breach. The facility is protected with locks, alarms, access controls and video cameras. The network is protected with firewalls, content filtering, and 24/7 real-time monitoring. Drives are protected with full disk encryption, and data files are password protected. But what happens when a hard drive fails (they all do) and it must leave the confines of the secure enterprise environment for data recovery?

A 2007 survey of companies by The Ponemon Institute revealed this disturbing fact: 40 percent of the data security breaches the companies experienced occurred while third-party vendors were in possession of their data.

How much do you know about your data recovery provider? Does your provider adhere to industry standards for protecting sensitive data stored on your company's failed drives? What are their protocols for securely shipping/receiving data storage devices? How secure is their network? Are they trained to manage encryption keys appropriately?

Data breach must be a consideration anywhere critical data can be accessed. If your data recovery service provider's network is hacked, and critical customer data is accessed, your company could be liable. Vendors who hold or handle sensitive information must be able to prove they can adhere to the same security standards as corporations and government agencies.

This white paper outlines trends and facts behind digital data loss, and examines the increasing financial costs, regulatory penalties, productivity losses, and customer loyalty risks associated with a breach in data security. It supports the need for IT professionals to engage with qualified data recovery service providers who can quickly and cost-effectively restore business critical data while protecting that data from unwanted and costly breach.

The document concludes with data security standards and protocols that should be adhered to by the data recovery provider. These guidelines will help IT professionals preserve the integrity of critical data when it must leave the confines of their own secure environment for recovery.
THE SITUATION: Digital data is the life force of every company today. The amount of data being created and stored is increasing exponentially

A study conducted by International Data Corporation (IDC) estimates that the size of the digital universe, the total volume of digital information that is created and replicated globally, reached 281 billion gigabytes (281 exabytes) in 2007, which adds up to about 45GB of digital information for each person on earth. As drive densities increase to keep up with storage demands, a single drive failure could wipe out a terabyte of data or more.

THE PROBLEM: All hard drives fail...

It is not a matter of if, but when. Hard disk drives are mechanical devices, vulnerable to damage from a variety of sources, including a physical head crash, external trauma (dropping or collision), power surges, temperature extremes, etc. In addition to physical failures, data loss can also result from virus attacks, system malfunction, or human error. Even storage manufacturers warn users to protect their data with frequent backups, and regular diagnostics of the drives.

MAIN CAUSES OF DATA LOSS (Source: DriveSavers, Inc. 2008 Jobs Received)

HARDWARE OR SYSTEM MALFUNCTIONS (80%): Electrical failure. Head/media crash. Controller failure.
  Symptoms:
  - Error message stating the device is not recognized
  - Lose access to data
  - Scraping, clicking or grinding sound
  - Hard drive stops spinning
  Tips to Prevent Data Loss:
  - Avoid static electrical charges when handling media
  - Use computers in a dry, ventilated, dust-free area
  - Connect system to an uninterruptible power supply (UPS)

SOFTWARE CORRUPTION (10%): Corruption by diagnostic or repair tools. Failed backups. Configuration complexity.
  Symptoms:
  - System messages relating to memory errors
  - Software application won't load
  - Error message stating data is corrupted or inaccessible
  Tips to Prevent Data Loss:
  - Back up data regularly
  - Use diagnostic utilities only when appropriate

HUMAN ERROR (5%): Accidental file deletion. Reformatting of drive. Physical trauma to drive.
  Symptoms:
  - "File Not Found" message
  - Data is no longer accessible
  Tips to Prevent Data Loss:
  - Never upgrade any system without a verified backup
  - Power down before moving computer

NATURAL DISASTERS (3%): Fires. Floods. Power surges. Brownouts.
  Symptoms:
  - Severe weather
  - Natural and man-made catastrophes
  Tips to Prevent Data Loss:
  - Invest in redundant backup systems
  - Establish a structured backup procedure
  - Periodically test the backups
  - Keep at least one verified copy of backups off-site

COMPUTER VIRUSES (2%): Boot sector. File infecting. Polymorphic.
  Symptoms:
  - Blank screen
  - Strange and unpredictable behavior
  - "File Not Found" message
  Tips to Prevent Data Loss:
  - Use up-to-date software for data security and virus protection
  - Scan all incoming data and packaged software for viruses

...and data is still not being backed up

Despite the widespread availability of stable backup hardware platforms and software tools, many important files continue to be stored in a single, vulnerable location, and all too often backups go unverified. Symantec sponsored a survey by Rubicon Consulting in December of 2008 to determine how effectively businesses across the US protect their data, and whether their data protection practices have kept pace with data growth. The survey findings (see below) revealed that while the majority of companies listed backup strategy as their #2 computing priority, many continue to rely on manual backup strategies that leave their data vulnerable to human error, breaches, theft, or natural disasters.
Failure is inevitable

- About 2 percent conduct no server back up. Among those who do back up their servers, about half back up weekly or less often.
- Most backups are stored on site. These local backups leave companies vulnerable to theft or disaster.
- Even among companies that perform some sort of backup, only 25 percent report always being able to recover lost data.
- Very small companies had the highest rate of permanent data loss. 15 percent of businesses employing one to four people say they have never been able to recover lost data.
- Data loss can have a severe impact. 25 percent of the companies surveyed report that data loss has caused severe disruptions to their business.
- The speed of recovery is critical. Regardless of size, companies must recover important information quickly or face damage to their business. About one-quarter of midsize companies (100-249) report that losing access to data for even one day would cause permanent business loss.

The Rubicon study concluded that many companies follow risky backup practices, ranging from manual backups to storing critical backup data in the same location as the host computer, and that half of the SMBs surveyed reported they had lost data. Even companies that do follow strict backup procedures, however, are still at risk of data loss. By some estimates, more than half of all backups are unsuccessful in whole or in part, due to media failure, human error, software failure, hardware failure, or network failure. (Source: Richard Sawyer, Director of Data Center Technology for American Power Conversion.)

Lost data results in lost production. Consider the investment of time and money required to recreate customer databases, accounting records, source codes, test and measurement data, graphics and video files, and other intellectual property. The most critical data sets could take days, months, or even years to recreate. What would the impact on the business and the brand be if that data were lost forever?
According to estimates published by the US government, enterprise data loss cost businesses nearly $105 billion last year.

THE RISKS: Incidents of data breach are on the rise, as are the financial costs and productivity losses incurred from data leakage

Since January 2005, the Privacy Rights Clearinghouse has identified more than 250 million records of U.S. residents that have been exposed due to security breaches. Ask the Federal Bureau of Investigation about identity theft, and the numbers will stagger you: Every year, an estimated 10 million Americans have their identities stolen. The costly aftermath totals about $50 billion annually. (Source: The Privacy Rights Clearinghouse.)

[Figure source: The Ponemon Institute, 2007]
The cost of data leakage in the business environment is also increasing. According to a study conducted by Forrester Research in 2007, an information security breach may cost from $90 to $305 per lost record, based on a survey of 28 companies who suffered some type of data breach. Costs associated with data leakage included legal fees, call center costs, lost employee productivity, regulatory fines, loss of investor confidence and customer losses.

Another study on the cost of data breach was conducted in 2007 by The Ponemon Institute and sponsored by PGP Corporation and Vontu, Inc. This study examined costs incurred by 35 organizations from 15 different industry sectors that had experienced a data breach of records ranging from less than 4,000 to more than 125,000. Among the study's key findings, the following was ascertained:

1. Third-party data breaches are increasing, and cost more: Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 40 percent of respondents, up from 29 percent in 2006 and 21 percent in 2005. Breaches by third parties were also more costly than breaches by the enterprise itself, averaging $231 compared to $171 per record.

2. Cost of lost business is accelerating: The cost of lost business continued to increase at more than 30 percent, averaging $4.1 million or $128 per record compromised. Lost business now accounts for 65 percent of data breach costs compared to 54 percent in the 2006 study.

3. Increased customer churn rates help drive lost business costs higher: In 2007, the average resulting abnormal customer churn rate was 2.67 percent, an increase from 2.01 percent in 2006. Greater customer turnover leads to lower revenues and a higher cost of new customer acquisition resulting from increased marketing to recover lost customer business.

4. Legal defense, public relations costs are increasing: Indicating continued growing dissatisfaction and action over a data breach, the costs organizations expended for legal defense and public relations grew to 8 percent and 3 percent of total breach costs, respectively.

5. Organizations with high expectations of trust and privacy have more to lose from a data breach: For example, the cost of a data breach for financial services organizations was $239 per compromised record, or more than 21 percent higher than the average.

In spite of an organization's concerted efforts to deploy security compliance initiatives throughout the enterprise, data breaches continue to occur, underscoring the need for enterprise IT/IS managers to proactively protect their data, their brand reputation, and their business.

Considering new government regulations that place the blame of data loss squarely on the shoulders of the enterprise, the rise in third-party incidents of data breach and the increased financial impact on an organization versus an in-house breach, data protection policies and systems used with and by third-party outsourcers or consultants should be closely evaluated.
Governments respond with more regulations on data security compliance

Companies that don't deal with data security issues proactively could face potentially significant liability. All three branches of the US Government, at the state and federal levels, are focused on identity theft, leading ultimately to increased statutory, regulatory, and legal pressure on corporations to protect personal data, as well as protect their businesses from subsequent financial and productivity losses.

As of 2007, at least 35 states in the US have passed laws requiring organizations and government agencies to notify customers, employees, and other affected individuals when a breach of protected personal information occurs due to human error, technology problems, or malicious acts. In addition, both the US Senate and House of Representatives continue to evaluate federal laws regarding data privacy and breach notification.

A new law in Massachusetts, effective May 1, 2009, outlines stringent requirements for the handling of their residents' personal information with proposed penalties of $5,000 to $50,000 per data breach violation. This law requires companies to develop, implement, maintain, and monitor a comprehensive, written program with heightened procedures in place. Compliance will likely require major changes to administrative, technical, and physical policies. Similar to the California Senate Bill 1386, the law applies to any person or business that conducts business in the state.
Your company could be headquartered in Anchorage, Alaska, but if you handle the personal information of one single MA resident you must comply with the new rules. The rules of this law also extend to service providers who will have to be certified as compliant by the hiring organizations no later than Jan. 1, 2010. (Source: James Irion, Risk Management Consultant)

REGULATORY AND DATA LEAKAGE LANDSCAPE (Source: A SANS Whitepaper, April 2008 - Sponsored by Utimaco and Trend Micro)

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI/DSS) (International)
  Focus: Protection of payment card data and related consumer/business details during processing, transmission and storage
  Data Leakage Protection Implications: A widely-adopted set of specific technical and policy controls around implementation, assessment and audit of systems transacting financial data

GRAMM-LEACH-BLILEY ACT (GLBA) (United States)
  Focus: Protection of consumer nonpublic personal information (NPPI) data in financial services industry
  Data Leakage Protection Implications: Administrative and cryptographic processes for protecting data at rest and in motion, including physical safeguards

SARBANES-OXLEY ACT (SOX) (United States)
  Focus: Protection of sensitive data related to financial reporting in public companies
  Data Leakage Protection Implications: Provides guidance for public companies in designing and reporting on the controls in place for protecting financial information

EURO-SOX (European Union)
  Focus: Protection of sensitive data related to financial reporting in public
  Data Leakage Protection Implications: Requires mandatory encryption for financial reporting data and other related sensitive information at rest, in transit, and during processing

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) (United States)
  Focus: Protection of electronic patient healthcare data and information (Note: Works with HIPAA Privacy)
  Data Leakage Protection Implications: Specific recommendations for access control, risk analysis, data disposal, and re-use, data encryption (addressable), policy and documentation requirements

CALIFORNIA SENATE BILL 1386 (SB 1386) (United States)
  Focus: General protection of individual's private information
  Data Leakage Protection Implications: Foundation data breach legislation that has prompted similar legislation at all levels. Unencrypted electronic, sensitive data is subject to the disclosure provisions

DATA PROTECTION ACT (DPA) OF 1984 (Amended 1998) (United Kingdom)
  Focus: Handling of personal information for all UK industries and businesses
  Data Leakage Protection Implications: Deals with proper disclosure, rights of access to information, transmission and processing, and proper protective measures. No specific technical measures mentioned
THE SOLUTION: Data security standards and protocols for the data recovery facility that will protect the integrity of critical data during the data recovery process

The data recovery industry has grown in tandem with the data storage industry. A search today on Google under the term "data recovery" will generate over 50 million results. Most data recovery companies appear to offer the same level of services and security. But data recovery is a delicate business, and running utilities software is not always an appropriate solution. The first attempt to spin up a drive and perform recovery could be the last and only chance to access critical data stored on it. Who among the 50 million are truly qualified to recover it successfully? Who can you trust with your data? How do you choose?

The following standards for all data recovery service providers were published to help those who have lost critical data confidently select a reputable data recovery firm. Bottom line? Ask your service provider for proof that they can meet and uphold these standards before releasing a data storage device to their facility.

1. Confirm that the facility's information technology controls and processes have been audited by accounting, auditing and information security professionals, and verified to be operating effectively to provide maximum data security.

Compliance with auditing standards, such as the Statement on Auditing Standards (SAS) 70, assures that every aspect of the facility and network is secure and will protect personal and confidential data from being compromised. Certified, control-oriented professionals, who have experience in accounting, auditing and information security, conduct an audit of a service provider's data hosting control objectives, activities and related processes over a period of time (typically 6-12 months). The audit focuses on identifying and validating control standards that are deemed most critical to existing and prospective clients of the service provider, and covers all aspects of security in the facility, both network and physical.
Since the introduction of the 2002 Sarbanes Oxley Act (Section 404), following the Enron debacle, the SAS 70 audit has become the Corporate Industry Standard for an overall control structure. While a SAS 70 Type I audit verifies the description of controls and safeguards that a service organization claims to have in place, the SAS 70 Type II audit verifies that all data hosting controls and objectives are actually in place, suitably designed, enforced, and operating effectively to achieve all desired security control objectives.

2. Ask for proof that network security testing and monitoring are integrated into the provider's security program, and that critical systems (e.g., firewalls, routers, servers) are configured, maintained, and certified to be operating according to the organization's security policy.

A professional data recovery provider should temporarily archive recovered data on their network until the customer has received it and verified its integrity. Strong, verifiable security measures are necessary to protect network assets, employee endpoints, and sensitive customer data, such as e-mail servers, databases, and proprietary information.

Every element of the provider's network should act as a point of defense. It must feature innovative behavioral methods that will automatically recognize and adapt to new types of threats as they arise. Best in breed solutions allow for rapid response to emerging threats such as malware propagation spread by e-mail, SPAM, and botnets; phishing attacks hosted on websites; attacks targeting increasing extensible markup language (XML) traffic; service-oriented architecture (SOA); web services; and zero-day attacks that occur before antivirus companies have developed new virus signatures to combat them.
A comprehensive defense-in-depth approach to network security should, at minimum, include the following:
- Regular vulnerability assessments, penetration testing, and related reports
- Management of the network firewall, including monitoring, maintaining the firewall's traffic routing rules, and generating regular traffic and management reports
- Intrusion detection management, either at the network level or at the individual host level, intrusion alerts, keeping up-to-date with new defenses against intrusion, and regular reports on intrusion attempts and activity
- Providing mitigation support after an intrusion has occurred, including emergency response and forensic analysis
- Content filtering services, for electronic mail (i.e. email filtering) and other traffic
- Data archival
3. Make sure that the service provider is cleared to offer High Security Service, and can demonstrate chain-of-custody protocols that meet US Government standards.

Government agencies, law enforcement bureaus, and other legal entities in the US and abroad require third-party service providers to comply with the most stringent security standards and chain-of-custody protocols. The data recovery service provider should offer documentation that will demonstrate how their customer's data will be protected while in transit, at point of receipt at the facility, and to point of departure.

Chain-of-custody protocols should include:
- Use of a government approved courier service
- The hardware to be recovered should be packed in a tamper proof/resistant shipping container
- All of the service provider's employees have undergone background checks
- Scanning of bar code on storage device upon receipt. Serial number is checked against client information in the database. Date/time and who received the device is logged into customer record
- Customer is provided with notification that the device has been received, and data recovery process has begun
- Dates, times, and personnel handling the device are logged into the customer record as the device moves through the data recovery process

Protocols for High Security Service include all of the above protocols, in addition to the following:
- Non-disclosure agreements are signed and chain-of-custody documentation is provided
- The recovery is performed in a secure area, on a stand-alone system that is not networked, and only running when an authorized engineer is present and monitoring the job
- Only approved personnel with proper access cards are allowed access to the area where the recovery is performed
- Data set is never archived on the network
- Data set is always stored in a DOD-approved safe
- Secure, encrypted electronic data transfer service is available, if required

4. Ask to see certifications that data recovery engineers are trained to properly recover data from encrypted files and drives.
Sophisticated networks and device protection won't keep sensitive business data secure once it's on the move. Whether lost or stolen, encrypted data is useless to anyone but an authorized user, even if someone violates access controls. According to a recent study conducted by Forrester Research Inc., 22 percent of respondents said they plan to pilot or adopt full disk encryption or file-level encryption in the next 12 months.

In June of 2006, a Presidential mandate required all federal agencies and departments to encrypt data stored on their mobile computers and devices. The US General Services Administration (GSA) then awarded Data at Rest encryption contracts to various software companies. Data at Rest refers to any data residing on hard drives, thumb drives, laptops, etc. The purpose of this mandate was to mitigate the impact of lost or stolen data that could be used to distinguish or trace an individual's identity.
There are hundreds of encryption tools out there and each one is unique. If the integrity of encrypted data is a concern, make sure your recovery service provider has technicians who are certified experts in multiple encryption recovery techniques and processes, and are capable of providing customized data recovery solutions that will meet your most stringent data security requirements when handling encrypted files and drives:
- Engineers should be familiar with all versions of encryption software and can provide custom security solutions for returning recovered data or handling encryption keys
- Provider can offer encryption recovery options:
  - Engineers can create sector-by-sector images of the source drive during the recovery process to protect the original data from being compromised
  - Sector-by-sector image can be transferred to a target drive and returned with original encryption still intact
  - Data can be restored and decrypted at the service provider's facility to verify the integrity of data and returned to the customer encrypted or fully decrypted. The encryption username, password and/or key must be provided to the service provider, if this method is chosen
- A secure, encrypted electronic data transfer service should be available upon request

5. Unwanted hard disk drives can be recycled properly, and classified or sensitive data can be erased permanently, when required.

You cannot completely erase files from your computer by deleting them, emptying the recycle bin, or quick formatting your hard drive. These processes just remove the information the hard drive needs to find the data, not the data itself, allowing it to be recovered. A study by Simson L. Garfinkel, author of Database Nation, found that drives purchased online routinely contain sensitive or confidential data. To prove his point, Garfinkel purchased an old ATM machine hard drive that contained 827 unique PIN numbers, and a second drive previously owned by a medical center, which contained 31,000 credit card numbers.
To remove data beyond all practical ability to recover it, a wiping or erasing utility can be used to overwrite every sector of the hard drive with a pattern of binary 1s and 0s. If you wish to permanently destroy a hard disk drive that contains sensitive data, however, a degausser is the best method to render the classified or sensitive data stored on magnetic media completely unusable. Those that meet government security standards are ideal tools for compliance with DoD and Federal requirements or privacy legislation.

With the introduction of the Sarbanes-Oxley Act (SOX), SAS 70 took on increased importance. SOX heightened the focus placed on understanding the controls over financial reporting and identified a Type II SAS 70 report as the only acceptable method for a third party to assure a service organization's controls. Security certifications are excluded as acceptable substitutes for a Type II SAS 70 audit report.
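The difference between deleting or quick formatting and overwriting every sector, described under standard 5 above, can be checked on a drive image rather than assumed. The following Python sketch is an added example, not part of the original white paper or of any DriveSavers tooling; the toy image layout, the 512-byte sector size, the accepted wipe patterns and all function names are assumptions, and the sample data is constructed.

```python
import io

SECTOR = 512  # bytes per sector; an assumption (many modern drives use 4096)


def _fill(pattern, length):
    """Repeat a wipe pattern out to exactly `length` bytes."""
    return (pattern * (length // len(pattern) + 1))[:length]


def scan_residual_sectors(stream, patterns=(b"\x00", b"\xff"), sector=SECTOR):
    """Read an image sector by sector and return (total, residual), where
    residual lists every sector index NOT fully covered by a wipe pattern."""
    residual, index = [], 0
    while True:
        chunk = stream.read(sector)
        if not chunk:
            break
        # A short final sector is still checked: a truncated tail can hold data.
        if not any(chunk == _fill(p, len(chunk)) for p in patterns):
            residual.append(index)
        index += 1
    return index, residual


def build_image(n_sectors=16):
    """Constructed sample: sector 0 is a toy file table, sectors 4-6 hold data."""
    img = bytearray(n_sectors * SECTOR)
    entry = b"FILE records.txt START=4 LEN=3"
    img[0:len(entry)] = entry
    for s in (4, 5, 6):
        img[s * SECTOR:(s + 1) * SECTOR] = _fill(b"CONSTRUCTED-RECORD-0000;", SECTOR)
    return img


def quick_format(img):
    """Clear only the file table: the information needed to find the data."""
    img[0:SECTOR] = bytes(SECTOR)
    return img


def overwrite_all(img, pattern=b"\x00"):
    """Overwrite every sector of the image with the wipe pattern."""
    img[:] = _fill(pattern, len(img))
    return img


def wipe_report(img, patterns=(b"\x00", b"\xff")):
    """Summarize whether an in-memory image passes wipe verification."""
    total, residual = scan_residual_sectors(io.BytesIO(bytes(img)), patterns)
    return {"sectors": total, "residual": residual, "clean": not residual}


if __name__ == "__main__":
    img = build_image()
    print("original      :", wipe_report(img))
    print("quick format  :", wipe_report(quick_format(img)))
    print("full overwrite:", wipe_report(overwrite_all(img)))
```

To check a real image file, pass `open(path, "rb")` to `scan_residual_sectors`; any sector it reports is data that survived the erasure and is still recoverable.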
Conclusion

Incidents of data breach among third party vendors are on the rise, and corporate and financial organizations are now demanding detailed information about their service provider's ability to meet mandated security requirements. Professional data recovery service providers must prove their ability to uphold the same security standards as corporations and government agencies. To avoid the legal and financial ramifications of an unwanted breach in security, choose a data recovery service provider that has undergone security audits by accounting, auditing and information security professionals, and is verified to provide maximum data security from point of receipt to point of departure.

About DriveSavers

DriveSavers is the worldwide leader in data recovery, with a solid reputation built on outstanding customer service, consistently high success rates, and the fastest standard turnaround time in the business. In 2008, DriveSavers invested millions of dollars in cleanroom and network technology, as well as training and certification, to provide our customers with the highest degree of security available in the data recovery industry today. DriveSavers is the premiere provider of fast, reliable and certified secure data recovery. We are the only data recovery service provider in the world that has received SAS Type II certification. At the heart of our certified secure environment is a Cisco Self-Defending Network, protected by an all-inclusive defense-in-depth architecture. All data recoveries are performed in our ISO 5 certified cleanroom environment, the most technologically advanced data recovery cleanroom in the industry. Our data recovery engineers have undergone extensive training and are certified by all leading encryption software vendors. You can view all our authorizations and certifications on our website, at www.drivesavers.com/proof.
About the Author

Michael Hall is the Chief Information Security Officer for High Security Programs and Director of PC Engineering at DriveSavers Data Recovery. With over 13 years' experience in data recovery technology, focusing on high-end arrays, he has successfully recovered data from over 12,000 failed storage devices. Hall supports corporate and government accounts with security protocols designed to meet their specific criteria. He was instrumental in DriveSavers' SAS 70 Type II certification, the deployment of our Cisco Self-Defending Network and the installation and certification of our ISO 5 (Class 100) cleanroom. Michael also was the driving force behind the training of our data recovery engineers, who received encrypted data recovery training and certification from PGP, GuardianEdge, PointSec/Checkpoint, Utimaco and EnCase.

© 2009 DriveSavers, Inc. All Rights Reserved. DriveSavers Data Recovery, the DriveSavers logo, and We can save it! are registered trademarks of DriveSavers, Inc. All other trademarks are the property of their respective owners.