Every few months, there's another horror story about lost tapes or stolen laptops, and we're left wondering if the information stored on the missing media will be put to some nefarious use, thereby adding personal injury to a public relations insult.
The importance of protecting these media has become a no-brainer. But managers are often hampered in their efforts because they buy into one or more of the following six myths of movable media:
Myth 1: Tapes are obsolete.
The humble magnetic tape, a seeming relic of the mainframe and batch-processing era, has given way in some instances to disk-to-disk backups to remote sites over networks. But for rapid and efficient backup, archiving and restoration of large quantities of data, there's no beating tape.
Iron Mountain Inc. offers both data backup over a network connection and tape storage at its sites. "In a disaster scenario, when time is of the essence, there is nothing more efficient than putting a collection of tapes in a vehicle and driving it to a recovery site," says Ken Rubin, a senior vice president at the information protection and storage company. "And the bandwidth limitations on transporting terabytes or petabytes of data over the line make that impractical."
Still, some users want to move on. "We are trying to get out of the tape business because of the threat of physical loss," says Christopher Leach, chief information security officer at Affiliated Computer Services Inc. He says ACS is setting up a service to send encrypted data backups to clients via a Web browser if the files aren't too big.
Myth 2: Protecting tapes and laptops is a job for technical people.
The protection of information technology is, of course, a job for IT. But there is a big and often overlooked role for others in the organization as well.
New York state CIO Melodie Mayberry-Stewart draws on a 12-person legal team to research best security practices, especially in the financial industry. Some of those people specialize in areas such as encryption and telecommunications, she says. In addition, she has a separate team of technologists who specialize in security and risk management. Mayberry-Stewart says the lawyers negotiate "painstakingly detailed" contracts and "memoranda of understanding on service levels" with companies such as Iron Mountain that transport and store the state's tapes -- some 4,000 per month -- from four mainframe data centers.
At Sun Microsystems Inc., tapes are created at seven data centers around the world. While each center manages its own data-retention processes, "they don't get to make up all their own rules," says Leslie Lambert, Sun's chief information security officer. So where do the rules, policies and procedures come from? "We have a very vigilant legal team, a privacy team, a business conduct team, internal auditors, external auditors and an information protection law group -- all working together," she says.
Leach says keeping up with state and federal regulations on data protection and retention demands human expertise, but it's such a daunting task that he gets automated help via risk and compliance management software from Relational Security Corp.