Main Menu

Backup Device: Encryption?

Started by Charlie Charbonneau, February 04, 2013, 01:14:26 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

Charlie Charbonneau

It has been recommended that our backup usb devices should be encrypted or contain hardware encryption instead of just an ordinary USB External drive.  So in researching, I have a few questions.  I'm not very familiar with solid state drives.  Are they better? will they work with Server 2008 backup?  Will a hardware encrypted drive work with 2008 Backup?  Anyone have anything inparticular that they're using to encrypt backup drives being taken off premesis?
Charlie Charbonneau
GBMB Insurance
San Antonio TX.

EPIC 2022, CSR24, Windows 2012 Hyper-V & 2016, Win10/11 Pro Stations, Sophos Anti-Virus.
.                .                 ..              ...

Jeff Zylstra

Quote from: Charlie Charbonneau on February 04, 2013, 01:14:26 PM
It has been recommended that our backup usb devices should be encrypted or contain hardware encryption instead of just an ordinary USB External drive.  So in researching, I have a few questions.  I'm not very familiar with solid state drives.  Are they better? will they work with Server 2008 backup?  Will a hardware encrypted drive work with 2008 Backup?  Anyone have anything inparticular that they're using to encrypt backup drives being taken off premesis?

I'll show my ignorance, once again....  We use Acronis to back up, and I'm pretty sure that it uses encryption to backup to the primary drive, and then just copies that file to the USB drive for offsite redundancy.  Does your Seagate, Backup Exec, or other backup software use encryption already?  You may be doing it already, but not know it because you're always viewing the backups from within the backup software.  You may want to check it out and see if your software will do it.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

We're on Backup Exec 2012.  Still backing up to tape, but yes, it does use encryption.

Charlie, if you don't want to shell out the bucks for something like Backup Exec, you could very likely work TrueCrypt into your nightly backup routine without much complication.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Golas

I've tried Truecrypt and it does work with little impact on performance. Basically you either set up a truecrypt container on the drive or set the drive itself, then configure the backup server to automount (or require a password up to you).
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Mark

There you go, Charlie!  Free and "simple!"
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Charlie Charbonneau

woot! will be looking into it!  Thanks folks!
Charlie Charbonneau
GBMB Insurance
San Antonio TX.

EPIC 2022, CSR24, Windows 2012 Hyper-V & 2016, Win10/11 Pro Stations, Sophos Anti-Virus.
.                .                 ..              ...

Charlie Charbonneau

Ok, possibly found another free route and of course have more questions?  Windows 2008 comes with BitLocker Drive Encryption which also looks like it will do what I need and is built into what I already have.  Seems like a plus to me.  What I'm wondering is:  If I apply encryption to the root, data, and backup drives, will TAM and Exchange play well with it?
Charlie Charbonneau
GBMB Insurance
San Antonio TX.

EPIC 2022, CSR24, Windows 2012 Hyper-V & 2016, Win10/11 Pro Stations, Sophos Anti-Virus.
.                .                 ..              ...

Mark

oooh... I can't answer that, but I'm going to ask why don't you just encrypt the backup drive.

Why don't you just encrypt the backup drive?  I would think encrypting anything else could impact performance.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Charlie Charbonneau

I'm sure I could, but God forbid if someone walks off with the server and it's been left unencrypted have I done my due diligence to protect confidential data?  What's good enough?
Charlie Charbonneau
GBMB Insurance
San Antonio TX.

EPIC 2022, CSR24, Windows 2012 Hyper-V & 2016, Win10/11 Pro Stations, Sophos Anti-Virus.
.                .                 ..              ...

Mark

Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Conan_Ward

To the best of my knowledge TAM will not like working on an encrypted drive (or may just not work entirely).
Former TAM support, P&C licensed in Maryland, LFW

Billy Welsh

Quote from: Charlie Charbonneau on February 07, 2013, 04:08:38 PM
I'm sure I could, but God forbid if someone walks off with the server and it's been left unencrypted have I done my due diligence to protect confidential data?  What's good enough?

Is your server physically secure?  I would think that is sufficient due diligence.
Billy Welsh
Director of Accounting
LCMC Health

Charlie Charbonneau

It sits on a table in my office.  As of today, the door will be locked when I'm not inhouse. There is no window access, but that can be bypassed via the drop ceiling from the next office if someone were really determined.  Suite is alarmed and building is alarmed.   Good enough?
Charlie Charbonneau
GBMB Insurance
San Antonio TX.

EPIC 2022, CSR24, Windows 2012 Hyper-V & 2016, Win10/11 Pro Stations, Sophos Anti-Virus.
.                .                 ..              ...

Mark

Hang some barbed wire in the drop ceiling right above your wall, and put vaseline anywhere someone might be able to grab hold of the server.

I think that could cover it.  ;)
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Charlie Charbonneau

I'll have to see if I can get my buddy Achmed in to do some customizations...
Charlie Charbonneau
GBMB Insurance
San Antonio TX.

EPIC 2022, CSR24, Windows 2012 Hyper-V & 2016, Win10/11 Pro Stations, Sophos Anti-Virus.
.                .                 ..              ...

Billy Welsh

I am no attorney or bureaucrat, but that seems like enough to me.  Ours is behind a locked door, but locks are for honest people.  Also have a suspended ceiling.

Even with encryption, if the thief really wants the data I suspect he can get it.
Billy Welsh
Director of Accounting
LCMC Health

Jason@KiteTech

Some states are requiring that you encrypt data at rest.  Most are simply requiring that you document your best efforts.  Since TAM doesn't support drive level encryption, you can document that and be fine.  Just make sure your physical safeguards are decent (locked room, locked cabinet, locked faceplate, etc.) to preven the server from walking.  I'd throw in recoded surveillance just for good measure.

With regards to encrypting a backup drive:  My concern would be from a bare metal recovery scenario.  If your encryption is within the backup product (such as Acronis) then you don't have to worry about creating an environment to be able to access the data before continuing.
Jason Gobbel

The Kite Technology Group

Mark

Quote from: Jason@KiteTech on February 09, 2013, 11:45:09 AM
With regards to encrypting a backup drive:  My concern would be from a bare metal recovery scenario.  If your encryption is within the backup product (such as Acronis) then you don't have to worry about creating an environment to be able to access the data before continuing.

That's why I liked the TrueCrypt idea.  Not a big deal do download as needed.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jim Jensen

Dredging up an old post, but it's still a relevant topic - is this still the case for Tam 2017 & 2018? 6 years is a long time in the software world, though not in TAM-land.

Quote from: Conan_Ward on February 07, 2013, 04:24:29 PM
To the best of my knowledge TAM will not like working on an encrypted drive (or may just not work entirely).
Jim Jensen
CIC, CEO, CIO, COO, CFO, Producer, CSR, Claims Handler, janitor....whatever else.
Jensen Ford Insurance
Indianapolis

Jeff Golas

Really shouldn't matter, although now you're better off using Bitlocker or the like. Once the device is "mounted" (decrypted) it should operate like any other device.

Quote from: Jim Jensen on August 01, 2019, 04:35:01 PM
Dredging up an old post, but it's still a relevant topic - is this still the case for Tam 2017 & 2018? 6 years is a long time in the software world, though not in TAM-land.

Quote from: Conan_Ward on February 07, 2013, 04:24:29 PM
To the best of my knowledge TAM will not like working on an encrypted drive (or may just not work entirely).
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Tom Fisher

As Jeff mentioned .. if you use Bitlocker no program should know the difference.
Tom Fisher
The Tech Frood
tom@techfrood.com
www.techfrood.com