> This is a means to shift responsibility from you to the
> service provider whose responsibility it is to protect the data.
Agreed--it's not a security issue in the pure sense, it's a matter of who
gets blamed in case of a failure. The blame (or responsibility, or
liability, whatever we want to call it) may be a significant factor, but, as
you say, let's understand that's what we're talking about as opposed to the
actual security of the situation.
> Other implications are the bad publicity that MSU would
> receive if they had to inform individuals that an employee
> stored their information at the employee's house, and it was
> compromised. If that situation arose with relation to a Bank,
> there would probably be heads rolling.
Again, a blame issue, not a question of how great the security is.
> As an exaggeration; if the data is public, or not sensitive
> in nature, then there probably wouldn't be a need for
> encrypting it. If you can store it in that fashion on a table
> on Grand River without supervision, then you might have an
> argument for taking it home.
Yes, an exaggeration. I wouldn't want the contents of my office hard drive
put on a table out on Grand River Avenue, but I'm extremely comfortable
storing a backup of it at home. However, looking at it in real security
terms, I would say that the backup is safer at home than the original is on
my office hard drive.
> The thing to remember is that you have to transport that data
> to and from work, which isn't as secure as you might think
> your home is, but I might just be paranoid.
Yes, transport is an issue, but you have to transport the backup regardless
of where it's stored.
> It's all just about liability.
> -Jeff
>
>
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Michael S. Surato
> Sent: Thursday, December 14, 2006 1:06 PM
> To: [log in to unmask]
> Subject: Re: [MSUNAG] off site backups
>
> Just to play devil's advocate. What would be the problem of
> taking the backup tape home if the data was encrypted. While
> this adds the complexity of storing an offsite copy of the
> decryption key, it also solves the issue of stolen
> tapes/computers with sensitive data.
>
> +-------------------------------------------+
> | Michael Surato |
> | College of Arts and Letters |
> | Michigan State University |
> | 320 Linton Hall |
> | East Lansing, MI 48824 |
> | Voice: (517) 353-0778 Fax: (517) 355-0159 |
> +-------------------------------------------+
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Richard Wiggins
> Sent: Thursday, December 14, 2006 12:09 PM
> To: [log in to unmask]
> Subject: Re: [MSUNAG] off site backups
>
> I agree with Chris. Yesterday UCLA reported a break-in that
> exposed SSNs and other personal information for 800,000
> people (which must included fac/staff/students/applicants for
> decades). That was a tightly-guarded server locked in a
> machine room on campus. And Boeing revealed that for the
> third time this year (!!!) a laptop with SSNs and other
> personal info was stolen, affecting 322,000 people. This was
> a direct violation of company policy.
>
> So I think a better statement would be that you shouldn't use
> home backup for systems that house confidential or sensitive
> information.
> And you should not carry around large datasets with personal
> information on laptops, thumb drives, or other portable devices.
>
> It might help if people thought of sensitive data as
> radioactive. You wouldn't carry radioactive materials in
> your car or to your house.
>
> /rich
>
> On 12/14/06, Chris Wolf <[log in to unmask]> wrote:
> > I'm not sure I see the problem with taking backups home for
> off-site
> > storage in some situations. It's not perfect, but it adds
> an enormous
>
> > amount of additional safety in a very cheap and convenient
> way. I have
>
> > even recommended that faculty keep one copy of their backup
> of their
> > office desktop computer at home. Regarding possible theft,
> faculty all
>
> > over campus take their university-owned portable computers
> containing
> > university data home (not to mention all over the world),
> and I would
> > say that a computer is much more likely to be stolen during a home
> > burglary (or from a traveler in an airport) than some tapes are.
> >
> > I agree that for AIS servers and other machines that have large
> > amounts of sensitive data, it's worthwhile to have a more secure
> > arrangement, but for many other situations in academic
> departments a
> > home is not a bad off-site location.
> >
> > > -----Original Message-----
> > > From: MSU Network Administrators Group
> [mailto:[log in to unmask]]
> > > On Behalf Of Peter J Murray
> > > Sent: Wednesday, December 13, 2006 4:24 PM
> > > To: [log in to unmask]
> > > Subject: [MSUNAG] off site backups
> > >
> > > What solutions are different units on campus using for 'off site'
> > > backup, or at least, backups in another building. Is there a
> > > service that ACNS or AIS provides for those of us who
> want to keep a
>
> > > redundant data source outside our building? Are system
> > > administrators taking home tapes with them for off site
> storage (and
>
> > > is that even allowed)? Does MSU have an agreement or preferred
> > > vendor for off site backup?
> > >
> >
>
>
|