Marriott Vacation Club International (MVCI), the vacation ownership division and subsidiary of Marriott International, gave an unwelcome Christmas present to approximately 206,000 associates, timeshare owners and timeshare customers. On December 27th it announced that backup computer tapes containing data pertaining to them were missing from the corporate office in Orlando, Florida.
Coming hard on the heels of the ABM AMRO missing tape this is yet another welcome marketing gift to the tape encryption vendors on the one hand and the network industry on the other. MVCI is working diligently to minimise loss and damage and help affected people be aware of unusual activity affecting their credit activities. This is a very good and responsible exercise. However it is barn door closing. The horse has gone.
The whole world of computer backup tape users is having to revaluate what a backup tape containing customer information is. It is not just a backup tape to be treated like an ordinary corporate parcel delivery item. A backup tape must now be viewed as identity theft waiting to happen. It must be treated almost as a pile of potential pound notes, a pot of dollars waiting to happen.
That means that you no longer use DHL or UPS to ship them. You use a bank security shipping or cash collection company. Yes, your costs are going right up.
That's not all. You have to encrypt the data on the tapes. It's not enough to leave it in clear, aka Networker backup format or whatever. You will have to encrypt it. It's going to become almost a duty of care you owe your customers. Lawyers will certainly see it that way. I expect some greedy US lawyers are already thinking of class action possibilities
Welcome news to the encryption suppliers
How much does encryption cost? Here are extracts of a correspondence I've had with Les Fernandes, a NeoScale marketing spokesperson, about NeoScale's tape encryption appliance:
- How much is it?
LF: NeoScale US pricing starts at $20k. However, its international list pricing starts at $26k.
- How long does it take to encrypt/decrypt a tape?
LF: Both operations are at wire speed with virtually no latency
- How are the keys managed?
LF: NeoScales Global Key Management software manages encryption keys across appliances in multiple locations and enables automatic key archival through centralized repositories. Through clustering and key archiving, customers have the ability to build redundancy across highly distributed locations eliminating a single point of failure.
Key management for data at rest encryption requires a comprehensive set of key management tools to enable a global company to securely automate information recovery. Global Key Management delivers secure encryption keys for data at rest on primary and secondary storage and can operate on three tiers for complete key security:
Appliance tier: Hardened appliance for secure key creation and management. The FIPS operation mode ensures unencrypted keys never leave the appliance and supports backup and recovery of system keys.
Data center tier: Secure clustering to ensure policy and key replication. CryptoStor clustering automatically shares keys and policy data to ensure data is accessible via any clustered storage security appliance.
Enterprise tier: Automated key archival and secure recovery from multiple locations. Companies can recover through any networked CryptoStor appliance, or by using CryptoStor FC Recovery Software on any networked Windows or UNIX workstation.
Added complexity and cost
A New Year's resolution for virtually all IT Directors is to re-evaluate the security of the backup arrangements for their customer data. IT budget spend is going to see a shift I estimate, and the shift is going to be towards encrypting backup data and using network data delivery methods rather than parcel delivery trucks.
Still, compared to the marketing tragedy of telling customers that you've opened a door into their finances for crooks to use, twenty grand spent on encrypting tapes starts looking like a bargain.