Thoughts on eVaulting
Included below is my response to a post in the cisspforum. The person was
considering e-vaulting versus traditional off-site storage of backup tapes.
Happy holidays to you and yours!
Kind regards,
Gideon
Gideon T. Rasmussen
CISSP, CISA, CISM, SCSA
Wellington, FL
gideon@...
http://www.ussecurityawareness.org
I'll play devil's advocate on this one. Consider if the benefits of
e-vaulting are worth the associated risk and management overhead (data
transfer and external datacenter vs. traditional transport and storage of
encrypted backup tapes). Hosting data externally brings into audit scope
the vendor's VPN, infrastructure, data center and off-site facilities (if
applicable).
I wouldn't take a sales rep's word or that of a technologist on a con call.
An e-vault assessment by an external party is suspect too. There is the
potential for use of a generic data center audit template and junior
personnel. The use of off-site e-vaulting requires a thorough on-site
audit. Here are several topics that come to mind:
1. How is data encrypted in storage and transmission?
2. What type of device is the data stored in (e.g. EMC frame)?
3. How is customer data separated?
4. What type of backup solution is in place? Are they using tapes or
mirroring data to yet another location?
5. Does customer data ever exist in unencrypted format at the off-site data
center?
6. Does anyone at the data center have the ability to decrypt the data?
7. What are the details of the data center security devices/software?
8. How is the platform/application monitored?
9. What auditing measures are in place (continuous, daily, weekly, monthly,
annually)?
10. What is the current network bandwidth utilization?
11. What are the high availability components of the platform
(Internet/street to system)?
12. How are backups conducted (e.g. proprietary backup agents)?
13. How is the customer alerted when a backup fails?
14. How is a full system restore accomplished at a customer site?
15. Will the vendor allow external audits of the associated systems,
personnel and facilities?
The standard NOC/datacenter controls must be audited as well. An on-site
visit, system review and interview with system administrators and NOC
operators is warranted.
Posted:
Wed Dec 21, 2005 4:37 am
Copyright © 2002 - 2007 Gideon T. Rasmussen All Rights Reserved.