Is Your Online Backup Data Really Secure – Six Questions to Ask Your Service Provider
Many companies that use Online Backup services must comply with various data privacy regulations. Generally, the regulations require that companies ensure their data are completely inaccessible except to authorized people.
There are many data privacy regulations in many countries. Here are a few in the USA:
- Payment Card Industry (PCI)
- Sarbanes-Oxley (Section 404 – SOX 404)
- Gramm-Leach-Bliley (GLBA)
- Healthcare Industry Portability and Accountability Act (HIPAA)
- California Privacy
- Federal Information Security Management Act (FISMA)
- USA Patriot Act
- Defense Information Assurance Certification (DIACAP)
- FFIEC, FRB, OCC, FDIC, NCUA, OTS, and more.
Most online backup services offer some form of file encryption as a solution to satisfying these regulations. Some encryption is stronger than others.
In order to fully satisfy these regulations, data must be encrypted to a certain level (which is different for each regulation) while it is in transit and at rest on the Online Backup Server, and encryption keys must not be transmitted to the Online Backup Server. The intent is to prevent unauthorized access to the data even if the files are physically compromised.
To accomplish this, Online Backup software must encrypt data before it is transmitted to the Server, and it must not transmit the encryption keys to the server. The data must remain stored in an encrypted state, and never be unencrypted on the Server for any reason – including deduplication, synthesizing full restores, and patching sub-file backups.
Not all Online Backup Services are compliant. Some send data in its raw form over a secure connection, and the data files are stored on the Server in raw form. The files may be secure while in transit, but they are completely open to scrutiny while stored on the Server.
Other Online Backup services do a good job of data encryption but fall short when it comes to the file names, folder names and file dates.
The bulk of the sensitive data might be in the encrypted files. But, if the file names, paths, and dates are stored in native form, they can disclose very sensitive information like this:
G:\Dr. Brown\Patients\Jack Smith\Procedures\PROC00.24.DOC 08/13/2010
In the above example, the file “PROC00.24.DOC” may be encrypted and secure, but anyone looking at the Server’s directory might easily know that Jack Smith received services associated with procedure code 00.24 from Dr. Brown on August 13, 2010.
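The following Go program is an added illustration of the two requirements above (encrypt everything on the client and never send the key to the Server, and encrypt file names, paths and dates as well as contents); it is not RBackup's code or any vendor's code. It assumes AES-256-GCM for the cipher, a single SHA-256 over passphrase and salt as a stand-in for a proper slow key derivation function, and a constructed sample file modelled on the listing above. The ServerView function shows what an administrator browsing the Server's storage can see, and the last lines of main show why a Server that never holds the key cannot deduplicate: the same file backed up twice produces different ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Client is the customer-side backup agent. Its AEAD key is derived locally
// and never leaves the client; the Server only ever receives ServerRecords.
type Client struct{ aead cipher.AEAD }

// FileMeta is the metadata the article warns about: path, name and date.
type FileMeta struct{ Path, Name, Date string }

// ServerRecord is everything the backup Server stores for one file.
// ID is a random opaque handle; Index and Payload are ciphertext.
type ServerRecord struct {
	ID      string
	Index   string // base64(nonce || AES-256-GCM("path|name|date"))
	Payload []byte // nonce || AES-256-GCM(file contents)
}

// NewClient derives a 256-bit key from passphrase and salt. A plain SHA-256
// stands in for a real slow KDF (PBKDF2/scrypt/Argon2) to stay in the standard library.
func NewClient(passphrase, salt []byte) (*Client, error) {
	key := sha256.Sum256(append(append([]byte{}, passphrase...), salt...))
	block, err := aes.NewCipher(key[:]) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// seal prefixes a fresh random nonce to the GCM ciphertext. The record ID is
// bound in as associated data so ciphertext cannot be swapped between records.
func (c *Client) seal(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, c.aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func (c *Client) open(blob, aad []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return c.aead.Open(nil, blob[:n], blob[n:], aad)
}

// Backup encrypts contents and metadata before anything leaves the client.
// "|" is a safe separator because Windows paths cannot contain it.
func (c *Client) Backup(meta FileMeta, contents []byte) (ServerRecord, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return ServerRecord{}, err
	}
	id := hex.EncodeToString(raw)
	idx, err := c.seal([]byte(meta.Path+"|"+meta.Name+"|"+meta.Date), []byte(id))
	if err != nil {
		return ServerRecord{}, err
	}
	payload, err := c.seal(contents, []byte(id))
	if err != nil {
		return ServerRecord{}, err
	}
	return ServerRecord{ID: id, Index: base64.StdEncoding.EncodeToString(idx), Payload: payload}, nil
}

// Restore reverses Backup; under any other key the GCM tag check fails.
func (c *Client) Restore(rec ServerRecord) (FileMeta, []byte, error) {
	idx, err := base64.StdEncoding.DecodeString(rec.Index)
	if err != nil {
		return FileMeta{}, nil, err
	}
	metaPlain, err := c.open(idx, []byte(rec.ID))
	if err != nil {
		return FileMeta{}, nil, err
	}
	parts := strings.SplitN(string(metaPlain), "|", 3)
	if len(parts) != 3 {
		return FileMeta{}, nil, errors.New("malformed index entry")
	}
	contents, err := c.open(rec.Payload, []byte(rec.ID))
	if err != nil {
		return FileMeta{}, nil, err
	}
	return FileMeta{Path: parts[0], Name: parts[1], Date: parts[2]}, contents, nil
}

// ServerView is what a Server administrator's directory listing shows:
// an opaque ID, an opaque index entry, and the one thing still visible, the size.
func ServerView(rec ServerRecord) string {
	return fmt.Sprintf("%s  %s  %d bytes", rec.ID, rec.Index, len(rec.Payload))
}

// LeaksMetadata reports whether the original path, name or date appears
// anywhere in what the Server stores.
func LeaksMetadata(rec ServerRecord, meta FileMeta) bool {
	stored := ServerView(rec) + string(rec.Payload)
	for _, s := range []string{meta.Path, meta.Name, meta.Date} {
		if strings.Contains(stored, s) {
			return true
		}
	}
	return false
}

func main() {
	c, err := NewClient([]byte("customer passphrase"), []byte("per-account salt"))
	if err != nil {
		panic(err)
	}
	// Constructed sample, modelled on the article's example listing.
	meta := FileMeta{Path: `G:\Dr. Brown\Patients\Jack Smith\Procedures`, Name: "PROC00.24.DOC", Date: "08/13/2010"}
	rec, _ := c.Backup(meta, []byte("procedure notes"))
	fmt.Println("server sees:", ServerView(rec))
	again, _ := c.Backup(meta, []byte("procedure notes"))
	fmt.Println("same file twice, identical ciphertext on server?", string(rec.Payload) == string(again.Payload))
}
```

Running main prints only a hex handle, a base64 blob and a byte count for the Server's view, and "false" for the second line: because every upload gets a fresh nonce, the Server cannot tell that two uploads hold the same file, which is exactly the property that rules out global deduplication, sub-file patching and synthetic fulls on a Server that never holds the key.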
In my opinion, storing filenames, paths and dates in raw format breaks compliance with HIPAA and is just simply a bad idea even if it doesn’t.
RBackup from Remote Backup Systems uses strong encryption (user-selectable up to 448 bits) and fully encrypts filenames, paths, and dates. It is compliant with all data privacy regulations to date.
How can you tell if your Online Backup Service might not be fully compliant? Ask these questions and look for these answers.
1. Are files encrypted using at least 256-bit AES encryption before being sent over the Internet? (Yes)
2. Are files stored in their encrypted state? (Yes)
3. Are filenames, paths, and file dates encrypted, even in databases and indexes used for online restore? (Yes)
4. Does the Server ever have access to the encryption key used to encrypt the files? (No)
5. Does the Server ever decrypt customer files for ANY REASON? (No)
6. Does the Server do global deduplication, sub-file patching, or synthetic full backups? (No)
Rob Cosgrove is the President of Remote Backup Systems, founder of the Online Backup Industry, and a vocal advocate for maintaining the highest standards in Online Backup software. His latest book, the Online Backup Guide for Service Providers: How to Start and Operate an Online Backup Service, is available online now, on Amazon.com, and at bookstores.
Remote Backup Systems provides brandable, scalable software and solutions to MSPs and VARs enabling them to offer Online Backup Services.