A big topic that Bruce Schneier covers in his book "Applied Cryptography" is the life span on the 'sensitive' label of the data. If you use an uncrackable algorithm (like Blowfish) you are relatively safe for the time being. But you have to take into account how long the data on the tapes will be regarded as 'sensitive' and the rate at which computing power used to crack these algorithms grows. If these two intersect at any point (even though you are safe now) you are in trouble. It's important to also think about the massive botnets that some of these bad guys have at their disposal and the enormous distributed computing power behind them.

All in all, I would say encrypting your backups is a good practice (if you don't mind it taking longer to perform a restore), but is not a silver bullet by any means.

Bryan Murphy, CISSP
Information Technology Coordinator
MSU Plant Research Lab and Plant Biology Departments
https://infotech.prl.msu.edu

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Michael S. Surato
Sent: Thursday, December 14, 2006 1:06 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] off site backups

Just to play devil's advocate. What would be the problem of taking the backup tape home if the data was encrypted? While this adds the complexity of storing an offsite copy of the decryption key, it also solves the issue of stolen tapes/computers with sensitive data.

+-------------------------------------------+
| Michael Surato                            |
| College of Arts and Letters               |
| Michigan State University                 |
| 320 Linton Hall                           |
| East Lansing, MI 48824                    |
| Voice: (517) 353-0778 Fax: (517) 355-0159 |
+-------------------------------------------+

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Richard Wiggins
Sent: Thursday, December 14, 2006 12:09 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] off site backups

I agree with Chris.

Yesterday UCLA reported a break-in that exposed SSNs and other personal information for 800,000 people (which must include fac/staff/students/applicants for decades). That was a tightly-guarded server locked in a machine room on campus. And Boeing revealed that for the third time this year (!!!) a laptop with SSNs and other personal info was stolen, affecting 322,000 people. This was a direct violation of company policy.

So I think a better statement would be that you shouldn't use home backup for systems that house confidential or sensitive information. And you should not carry around large datasets with personal information on laptops, thumb drives, or other portable devices.

It might help if people thought of sensitive data as radioactive. You wouldn't carry radioactive materials in your car or to your house.

/rich

On 12/14/06, Chris Wolf <[log in to unmask]> wrote:
> I'm not sure I see the problem with taking backups home for off-site
> storage in some situations. It's not perfect, but it adds an enormous
> amount of additional safety in a very cheap and convenient way. I have
> even recommended that faculty keep one copy of their backup of their
> office desktop computer at home. Regarding possible theft, faculty all
> over campus take their university-owned portable computers containing
> university data home (not to mention all over the world), and I would
> say that a computer is much more likely to be stolen during a home
> burglary (or from a traveler in an airport) than some tapes are.
>
> I agree that for AIS servers and other machines that have large
> amounts of sensitive data, it's worthwhile to have a more secure
> arrangement, but for many other situations in academic departments a
> home is not a bad off-site location.
>
> > -----Original Message-----
> > From: MSU Network Administrators Group [mailto:[log in to unmask]]
> > On Behalf Of Peter J Murray
> > Sent: Wednesday, December 13, 2006 4:24 PM
> > To: [log in to unmask]
> > Subject: [MSUNAG] off site backups
> >
> > What solutions are different units on campus using for 'off site'
> > backup, or at least, backups in another building? Is there a
> > service that ACNS or AIS provides for those of us who want to keep a
> > redundant data source outside our building? Are system
> > administrators taking home tapes with them for off site storage (and
> > is that even allowed)? Does MSU have an agreement or preferred
> > vendor for off site backup?
> >
>