SSL is Not Enough Security for Online Backup

Almost all online backup service providers use security terms like, SSL and encryption. They boast of "military grade security", "128-bit SSL", "256-bit encryption", "448-bit encryption" and more. Some will use terms like "double encryption", "blowfish", "triple DES", "AES", and even "twofish". Online backup services providers know that they need to convince potential customers that it is safe to backup their data over the Internet. With all of the fraud, hacking, and security problems on the Internet, even the novice computer user is concerned about security issues when considering online backup services.

Don't be fooled by all of the high-tech terminology. Just because an online backup service provider uses great technology such as Secure Socket Layer (SSL) or Hyper Text Transmission Protocol Secured (HTTPS), doesn't mean that your data will be secure when stored at their online backup facility on the Internet. SSL is an excellent technology for authenticating a website and encrypting data during transmission. When an HTTP connection is established to an online backup server and the data is secured with SSL, then wire tappers, snoopers, and Internet service providers are unable to see your data. While these technologies are effective for their intended purposes they offer no protection against common attacks against servers, human error, and unethical behavior.

SSL encrypts data during transmission, but once the data arrives at the destination it is immediately decrypted before it is stored or processed. This is the way SSL works every time. Even though the online backup service provider may use SSL, your data is likely to be stored in unencrypted form. Your data was secure during transmission, but it is stored in a format that can be accessed by unauthorized people or hackers. There are numerous cases of hackers exploiting security holes in servers and operating systems that cause data to be exposed and stolen. In addition to the exposures relating to malicious code and trojan horses, there are also issues with the physical access and handling of hard drives. Suppose the offsite storage operator upgrades some disk drives and sells the old ones on the used equipment market. Might your data be found on a used drive bought at an auction?

The better online backup services store your data in encrypted form. If the server is compromised, then all the criminal can get is scrambled data. Your data is also protected from the issues surrounding the disposition of old equipment and unauthorized access to the equipment. If the online backup service provider upgrades equipment and doesn't properly wipe the data off of the old equipment, the data is useless to anyone who gets their hands on the old equipment. The data must be stored in encrypted form to provide any acceptable level of security for your data.

While storing the data in encrypted form offers superior protection, there is one additional level of security that is needed to properly secure offsite data. The data must be encrypted with an encryption key that is not known or available to the offsite storage provider or anyone else. This is accomplished when the data is encrypted on your local computer using a key that is never sent to the offsite backup server. The truly professional grade online backup services operate with this level of security. The software provided by the backup service encrypts your data before it is sent offsite and it is never decrypted until you restore it back to your computer. All of the encryption and decryption takes place on your computer only and there is no need for anyone other than you to have the encryption keys. With this level of security, even employees, technicians and engineers at the backup service can't even access your data.

I don't want my tax records, social security number, letters, pictures and documents to be visible to a curious technician or night operator at the offsite data center. I only recommend the professional grade services that store my data using strong encryption, and I am the only person with the key. There are numerous online backup service providers to choose from. Sometimes it can be difficult to determine if the provider uses security procedures that are up to standards. Websites throw around all kinds of terminology, but details are often unavailable. Before you sign up for an online backup service, make sure you are comfortable with their security features. You may need to call the provider and pry for answers to find out how secure they really are. If they can't answer quickly, then they probably are not very secure. The really secure backup services make data security a top priority. Below is a list of six providers that meet my requirements.

Secure Site Backups

Backup-Connect

Backup Guard

Secure Online Backup

Global Data Vault

DataTrust

How a Lack of Workstation Backups Caused a Bloated Exchange Server

Years ago I was the IT director of a medium-sized company. Our MS Exchange server information storage was growing as fast as gasoline prices have recently. We decided to limit each mailbox to 100Mb. At the time, that was a good bit of storage. (Now I get 100Mb of spam in a month.) Even though the mailbox limit seemed fairly generous, we quickly found ourselves fighting a constant battle with users who insisted that we increase their limits. My biggest problem with the increasing the limits, was that it was becoming increasingly difficult to backup the Information Store.

The logical solution was to get people to clean up their mailboxes. Move old mail and archived mail to personal folders, which don't use server storage space. This move revealed the root of the problem. Smart users did not want to store important emails and documents on their personal computers because they knew that the Exchange database on the server was backed up every night, while their workstations were never backed up. Keeping their mail on the server was their way of protecting themselves from a hard drive crash.

As is often the case, email folders contain valuable information. In fact, in a lot of cases the email folders are the most valuable information on the computer. So if you find that your mail server is getting bloated, you might discover that the users are out-smarting IT by saving their valuable documents in the mail system. Perhaps an effective backup solution that also backs-up mail folders will give users enough confidence to store their email archives on their own computers, rather than fattening up the mail server.

Please see my previous posting about backing up email folders: Data Backup and Recovery: Backing up your email folders or MS Outlook .PST file or this one about backing large files using online backup systems: Data Backup and Recovery: Online Backup Technology Can Handle Large Amounts of Data.

Backup Methods for Home Office and Small Business

"What is the best way to backup my data?" I occasionally get this question when discussing backup and recovery issues with clients. What a great question! The answer is "it depends." (I know someone who answers every question like that.) In this case, a simple answer cannot be given without some additional information. The fact is that a single backup method or technology is rarely appropriate for a person or company.

Most of us have multiple types of data that potentially require different backup strategies. The first thing we have to do is determine what data needs to be backed up. If your computer or office were completely destroyed and you had to get new equipment. What would you want restored to the new equipment?

Once you have an inventory of your data that needs to be backed up, the next step is to classify the data according to how quickly you need to be able to recover it, and how current the backup data needs to be. The answers to these questions are directly related to the amount of pain that would be caused in case of a temporary or permanent loss of the data. This categorization will relate to which backup methods are most appropriate.

• For letters, spreadsheets, digital photos, and other documents; I recommend online backup methods. Online backup services will backup these files and get them offsite quickly efficiently and frequently.
  
• For large collections of MP3 files or video files; backing up to portable disk drives and physically keeping a copy offsite is effective. This is assuming that these files are not critical to your business and they don't change frequently.
  
• For software; making copies of your installation media and maintaining copies in an offsite location is usually appropriate.
  
• For databases; it depends on the size and frequency of changes. In most cases online backup services are the best option.

The above recommendations are intended to be examples for home computer owners and small business computing. There are other questions, answers, and situations that must be considered in the process of ensuring appropriate backup procedures. If you are not an expert then maybe this information will give you some direction in selecting the backup strategies appropriate for your data and circumstances.

Automation is the Key to Reliable Backups

I have personally used many different backup methods and procedures. For many years I was a consultant for a large systems management software and services company. I worked with IT professionals to implement reliable backup systems for critical business data. All of those engagements involved professional IT people, procedures, hardware and software working together to ensure that backup copies of all critical data were made daily. Backing up data and moving it offsite was the highest priority task, after the actual data processing that was required by the business. Most medium size and larger business still treat backing up data with very high priority. Lost data is simply unacceptable and in most cases has the potential to cause severe consequences for the business.

Smaller businesses and home office computer owners can't afford the dedicated staff and resources required to implement rigid procedures and reporting to ensure that critical data is backed up and moved offsite reliably and consistently. Many of these computer owners and users realize that their data is vital so they pursue hardware and software solutions to help them backup the data. However, it is not typical to find that small businesses and home office computer owners keep current backup copies of their data offsite.

The biggest impediment to reliable backups and offsite data storage for small business and home office computer owners is the reliance on manual procedures. Good hardware and software solutions are available, although costly to own and maintain. All of them require some level of human intervention to achieve good reliable backups and offsite storage. This is where the problems begin; human intervention and manual procedures are almost always unreliable for backing up data and moving it offsite, particularly in small and medium businesses and home office environments.

Most backup software includes a scheduling mechanism. This is helpful, but it almost never eliminates the manual intervention. There is usually a tape or other media that must be changed. I will also mention that there are some good hardware solutions that will automatically change tapes for you. These solutions are expensive and require a certain amount of maintenance and monitoring. Even when working smoothly, manual procedures are required to get backup copies moved offsite.

Online backup solutions solve the automation problem nicely. Online backup requires less manual intervention than any other backup solution. It may not be the ideal solution for every situation, but for most critical business data, it is far more reliable than any solution that requires people, procedures, hardware, software and media. Online backup is also much less expensive when compared to the total cost of ownership (TCO) of the people, processes and technology required to get reliable backups and offsite protection using conventional methods.

Backing Up Your Data is Only Half of the Solution

So you are backing your data up to a portable disk drive, or maybe CDs or Tapes. Good for you, you are probably doing a better job of protecting your computer files than most computer owners do. If your hard drive crashes, you will have a way to restore your data. Your data is safe and secure, right?

Your data is probably safe and secure from some common problems such as electrical or mechanical failure of hard drive. Your data is safe from at least half of the data losses caused by human error. Your data is safe from a good many viruses and malicious software issues.

However, if you are not storing current copies of your data in a secure offsite location, your data could be totally lost in a fire, flood, hurricane, tornado or other natural disaster.

You can physically transport your backup media to another location. That is how most businesses did it up until a few years ago. The more modern and cost effective option is to use your Internet connection to transport your data to secure storage in another location.

Don't worry, you don't actually have to set up your own secure offsite storage location. There are plenty of great online backup services that have already done it for you. They also provide software and technology to encrypt, compress and transmit your data. In many cases the cost is very reasonable. Just search Google for Secure Offsite Backup Service and you will find plenty of great online backup services that will meet your needs.