Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/23/2006
09:00 AM
50%
50%

IT Managers Walk Tape Tightrope

Experts warn of no good reason to use the medium for critical backup and recovery

SECAUCUS, New Jersey -- Users that continue to rely on tape for backing up or accessing critical data do so at their peril, IT managers and industry experts warned at an industry event today.

Randy Kahn, CEO of analyst firm Kahn Consulting said that although tape is a cost-effective, long-term storage medium, it may not be the best option for firms that need swift access to key pieces of information. "Is it sufficiently accessible, can you get to it when you need to get to it?" he asked.

A number of firms have already incurred the wrath of regulatory bodies, thanks to their inability to produce critical data when requested. Morgan Stanley, for example, was recently slapped with a $15 million fine by the Securities and Exchange Commission (SEC) for failing to produce email evidence in court. (See Email Travail.)

According to the SEC, the firm allegedly didn't produce backup tapes on request, never archived emails for faster searches, and overwrote backup tapes containing subpoenaed emails.

Kahn told Byte and Switch that such high profile storage snafus highlight the need for firms to rethink their storage strategies. The majority of firms, he explains, are currently using backup tapes for the wrong reasons. "Backup tapes are essential, but they are essential for disaster recovery," he says. "It's the worst possible place to park records that you need immediately."

David McDermott, records manager at Boise, Idaho-based agricultural manufacturer J.R Simplot and chair of industry body ARMA International agreed that most users haven't wrapped their heads around this challenge yet. "There's a lot of companies out there that don't understand the severity of the procedures and processes that they should have in place," he says.

J.R Simplot, according to McDermott, has a "very robust program" in place for records retention, and is currently developing an electronic system for handling the likes of email data. "Anything that is produced [by the company] could be included in the electronic records management program, he adds.

Kahn urged other users to follow this lead and consider specialized records management systems that can handle the business, legal, and technology needs of current compliance regulations: "There's all kinds of document management, electronic content management (ECM), and records management systems, that provide functionalities of all kinds."

A number of vendors, including EMC's Documentum division, FileNet, Hummingbird, and Interwoven are making moves in this space. (See EMC Acquires Authentica, EMC Googles Documentum, York Saves With Content Management , FileNet Sets New Standard, Hummingbird Has Server Solution, and Interwoven Delivers Content Storage .)

Kahn, however, highlighted the cultural challenges involved in getting a firm's IT staff and legal teams to build an effective records management system. Storage administrators, he explains, are typically concerned about the likes of file sizes whereas company lawyers are focused on content, policy, and regulations. "It's a different perspective," he says.

But the analyst believes that picking storage security battles carefully can help one get around these problems. "You take the hot button issue, the low-hanging fruit," he explains. "Take one problem, solve it holistically, and move onto the next problem," adding the users do not need to "boil the ocean."

It was not just storage security that was a hot topic in the Garden State today, as users expressed their concern about reports that a laptop containing sensitive information on 26.5 million people was stolen from a Department of Veterans Affairs employee. "I don’t know why the information is being kept on the hard drive on a laptop, rather than on a server," says McDermott.

Ray Ricks, the former vice president of security services at Citibank, now CEO of security vendor eCenturion used his keynote to warn that criminals and even terrorist organizations are becoming more sophisticated in how they perpetrate financial fraud. Even some Los Angeles street gangs, he warns, are now using magnetic stripe data from credit cards as a form of currency. "They are using it to trade and barter and pay off inter-gang debts," he reports.

Ricks also reiterated concerns that America's chief enemy in the war on terror is getting in on this act. (See U.S.: Al Qaeda Eyeing Cyber Threats.) "There is evidence that Al Qaeda has compromised our financial services systems by skimming credit cards," he says.

— James Rogers, Senior Editor, Byte and Switch

Organizations mentioned in this article:

  • Citibank
  • EMC Corp. (NYSE: EMC)
  • FileNet Corp. (Nasdaq: FILE)
  • Hummingbird Ltd. (Nasdaq, Toronto: HUM)
  • Interwoven Inc.
  • Morgan Stanley
  • Securities and Exchange Commission (SEC)
  • Storage Networking Industry Association (SNIA)

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    When It Comes To Security Tools, More Isn't More
    Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
    US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
    Seth Rosenblatt, Contributing Writer,  1/11/2021
    IoT Vendor Ubiquiti Suffers Data Breach
    Dark Reading Staff 1/11/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    2020: The Year in Security
    Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
    Flash Poll
    Assessing Cybersecurity Risk in Today's Enterprises
    Assessing Cybersecurity Risk in Today's Enterprises
    COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-25533
    PUBLISHED: 2021-01-15
    An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
    CVE-2021-3162
    PUBLISHED: 2021-01-15
    Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
    CVE-2021-21242
    PUBLISHED: 2021-01-15
    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
    CVE-2021-21245
    PUBLISHED: 2021-01-15
    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
    CVE-2021-21246
    PUBLISHED: 2021-01-15
    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...