Only 47% of Enterprises Encrypt Backup Tapes

Many storage, and security, professionals underestimate the risk of tapes getting loose

January 24, 2009


11:30 AM -- PricewaterhouseCoopers International's recent "Global State of Information Security 2008" survey of 7,000 corporate and IT executives revealed that, as of the spring of 2008 when the survey was conducted, fewer than half the organizations encrypted their backup tapes. Even in the financial services industry, where you would think someone's paying attention, only 57 percent of organizations encrypt backup tapes.

While these figures are better than the 37 percent encryption rate for tapes in the 2007 survey, they're still a cause for concern, as is the rate of data encryption on enterprise laptops: 50 percent, up from 40 percent.

Many storage, and security, professionals underestimate the risk of tapes getting loose. After all, the tapes are behind several layers of physical security in the data center or sent by bonded couriers to Iron Mountain Inc. (NYSE: IRM) or another secure facility. What could go wrong?

Well, if you read the news, a lot. Citibank, Bank of New York, and others have had tapes disappear in transit. Most amusingly, a courier for a vendor storing tapes for the University of Utah Hospital decided to skip picking up the company van, complete with drop safe, and used his personal car to pick up tapes. Of course, the tapes were stolen from his driveway, and I assume he's looking for a new position. Hopefully, "Do you want fries with that?" is part of his vocabulary.

The odds of a customer or patient's personally identifiable information getting to someone who would actually use it, from a backup tape that was lost in a vendor's warehouse or misdelivered to another customer, are low. After all, it's hard enough to restore data from a tape you made three years ago, let alone one where you don't even know what software was used to create it. But a real data breach isn't the primary risk in lost or stolen tapes. The real risk is in embarrassment and identity theft protection costs for the people whose personal data was compromised. Most states have laws that follow California's SB 1386, which requires organizations to notify anyone whose data may have been compromised, unless the data was encrypted. Notices to customers lead to press releases, which lead to embarrassment and buying identity theft protection for all the affected customers before they become ex-customers. Lose a tape with 1 million social security numbers on it -- spend many dollars to make everyone feel warm and fuzzy.

From where I sit, there's no good excuse for not encrypting tapes. Every enterprise backup application, and even SMB backup apps like Ultrabac and Yosemite Backup, has built-in encryption. If you're worried about the compute overhead on your media server, use the built-in encryption in LTO-4 and high-end tape drives from IBM and Sun or add a NetApp/Decru encryption appliance to your SAN.

Don't wait for the Holy Grail of enterprise key management that ties encryption keys to the type of data being backed up, so keys can be discarded when the retention period ends, or a VTL that can encrypt direct tape exports. Just do it.

The full report from PWC can be found here. Please let me know why you don't encrypt your tapes. I'd like to know.

— Howard Marks is chief scientist at Networks Are Our Lives Inc., a Hoboken, N.J.-based consultancy where he's been beating storage network systems into submission and writing about it in computer magazines since 1987. He currently writes for InformationWeek, which is published by the same company as Byte and Switch.
