> This is a means to shift responsibility from you to the > service provider whose responsibility it is to protect the data. Agreed--it's not a security issue in the pure sense, it's a matter of who gets blamed in case of a failure. The blame (or responsibility, or liability, whatever we want to call it) may be a significant factor, but, as you say, let's understand that's what we're talking about as opposed to the actual security of the situation. > Other implications are the bad publicity that MSU would > receive if they had to inform individuals that an employee > stored their information at the employee's house, and it was > compromised. If that situation arose with relation to a Bank, > there would probably be heads rolling. Again, a blame issue, not a question of how great the security is. > As an exaggeration; if the data is public, or not sensitive > in nature, then there probably wouldn't be a need for > encrypting it. If you can store it in that fashion on a table > on Grand River without supervision, then you might have an > argument for taking it home. Yes, an exaggeration. I wouldn't want the contents of my office hard drive put on a table out on Grand River Avenue, but I'm extremely comfortable storing a backup of it at home. However, looking at it in real security terms, I would say that the backup is safer at home than the original is on my office hard drive. > The thing to remember is that you have to transport that data > to and from work, which isn't as secure as you might think > your home is, but I might just be paranoid. Yes, transport is an issue, but you have to transport the backup regardless of where it's stored. > It's all just about liability. > -Jeff > > > -----Original Message----- > From: MSU Network Administrators Group > [mailto:[log in to unmask]] On Behalf Of Michael S. Surato > Sent: Thursday, December 14, 2006 1:06 PM > To: [log in to unmask] > Subject: Re: [MSUNAG] off site backups > > Just to play devil's advocate. What would be the problem of > taking the backup tape home if the data was encrypted. While > this adds the complexity of storing an offsite copy of the > decryption key, it also solves the issue of stolen > tapes/computers with sensitive data. > > +-------------------------------------------+ > | Michael Surato | > | College of Arts and Letters | > | Michigan State University | > | 320 Linton Hall | > | East Lansing, MI 48824 | > | Voice: (517) 353-0778 Fax: (517) 355-0159 | > +-------------------------------------------+ > -----Original Message----- > From: MSU Network Administrators Group > [mailto:[log in to unmask]] On Behalf Of Richard Wiggins > Sent: Thursday, December 14, 2006 12:09 PM > To: [log in to unmask] > Subject: Re: [MSUNAG] off site backups > > I agree with Chris. Yesterday UCLA reported a break-in that > exposed SSNs and other personal information for 800,000 > people (which must included fac/staff/students/applicants for > decades). That was a tightly-guarded server locked in a > machine room on campus. And Boeing revealed that for the > third time this year (!!!) a laptop with SSNs and other > personal info was stolen, affecting 322,000 people. This was > a direct violation of company policy. > > So I think a better statement would be that you shouldn't use > home backup for systems that house confidential or sensitive > information. > And you should not carry around large datasets with personal > information on laptops, thumb drives, or other portable devices. > > It might help if people thought of sensitive data as > radioactive. You wouldn't carry radioactive materials in > your car or to your house. > > /rich > > On 12/14/06, Chris Wolf <[log in to unmask]> wrote: > > I'm not sure I see the problem with taking backups home for > off-site > > storage in some situations. It's not perfect, but it adds > an enormous > > > amount of additional safety in a very cheap and convenient > way. I have > > > even recommended that faculty keep one copy of their backup > of their > > office desktop computer at home. Regarding possible theft, > faculty all > > > over campus take their university-owned portable computers > containing > > university data home (not to mention all over the world), > and I would > > say that a computer is much more likely to be stolen during a home > > burglary (or from a traveler in an airport) than some tapes are. > > > > I agree that for AIS servers and other machines that have large > > amounts of sensitive data, it's worthwhile to have a more secure > > arrangement, but for many other situations in academic > departments a > > home is not a bad off-site location. > > > > > -----Original Message----- > > > From: MSU Network Administrators Group > [mailto:[log in to unmask]] > > > On Behalf Of Peter J Murray > > > Sent: Wednesday, December 13, 2006 4:24 PM > > > To: [log in to unmask] > > > Subject: [MSUNAG] off site backups > > > > > > What solutions are different units on campus using for 'off site' > > > backup, or at least, backups in another building. Is there a > > > service that ACNS or AIS provides for those of us who > want to keep a > > > > redundant data source outside our building? Are system > > > administrators taking home tapes with them for off site > storage (and > > > > is that even allowed)? Does MSU have an agreement or preferred > > > vendor for off site backup? > > > > > > >