Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/23/2006
09:00 AM
50%
50%

IT Managers Walk Tape Tightrope

Experts warn of no good reason to use the medium for critical backup and recovery

SECAUCUS, New Jersey -- Users that continue to rely on tape for backing up or accessing critical data do so at their peril, IT managers and industry experts warned at an industry event today.

Randy Kahn, CEO of analyst firm Kahn Consulting said that although tape is a cost-effective, long-term storage medium, it may not be the best option for firms that need swift access to key pieces of information. "Is it sufficiently accessible, can you get to it when you need to get to it?" he asked.

A number of firms have already incurred the wrath of regulatory bodies, thanks to their inability to produce critical data when requested. Morgan Stanley, for example, was recently slapped with a $15 million fine by the Securities and Exchange Commission (SEC) for failing to produce email evidence in court. (See Email Travail.)

According to the SEC, the firm allegedly didn't produce backup tapes on request, never archived emails for faster searches, and overwrote backup tapes containing subpoenaed emails.

Kahn told Byte and Switch that such high profile storage snafus highlight the need for firms to rethink their storage strategies. The majority of firms, he explains, are currently using backup tapes for the wrong reasons. "Backup tapes are essential, but they are essential for disaster recovery," he says. "It's the worst possible place to park records that you need immediately."

David McDermott, records manager at Boise, Idaho-based agricultural manufacturer J.R Simplot and chair of industry body ARMA International agreed that most users haven't wrapped their heads around this challenge yet. "There's a lot of companies out there that don't understand the severity of the procedures and processes that they should have in place," he says.

J.R Simplot, according to McDermott, has a "very robust program" in place for records retention, and is currently developing an electronic system for handling the likes of email data. "Anything that is produced [by the company] could be included in the electronic records management program, he adds.

Kahn urged other users to follow this lead and consider specialized records management systems that can handle the business, legal, and technology needs of current compliance regulations: "There's all kinds of document management, electronic content management (ECM), and records management systems, that provide functionalities of all kinds."

A number of vendors, including EMC's Documentum division, FileNet, Hummingbird, and Interwoven are making moves in this space. (See EMC Acquires Authentica, EMC Googles Documentum, York Saves With Content Management , FileNet Sets New Standard, Hummingbird Has Server Solution, and Interwoven Delivers Content Storage .)

Kahn, however, highlighted the cultural challenges involved in getting a firm's IT staff and legal teams to build an effective records management system. Storage administrators, he explains, are typically concerned about the likes of file sizes whereas company lawyers are focused on content, policy, and regulations. "It's a different perspective," he says.

But the analyst believes that picking storage security battles carefully can help one get around these problems. "You take the hot button issue, the low-hanging fruit," he explains. "Take one problem, solve it holistically, and move onto the next problem," adding the users do not need to "boil the ocean."

It was not just storage security that was a hot topic in the Garden State today, as users expressed their concern about reports that a laptop containing sensitive information on 26.5 million people was stolen from a Department of Veterans Affairs employee. "I don’t know why the information is being kept on the hard drive on a laptop, rather than on a server," says McDermott.

Ray Ricks, the former vice president of security services at Citibank, now CEO of security vendor eCenturion used his keynote to warn that criminals and even terrorist organizations are becoming more sophisticated in how they perpetrate financial fraud. Even some Los Angeles street gangs, he warns, are now using magnetic stripe data from credit cards as a form of currency. "They are using it to trade and barter and pay off inter-gang debts," he reports.

Ricks also reiterated concerns that America's chief enemy in the war on terror is getting in on this act. (See U.S.: Al Qaeda Eyeing Cyber Threats.) "There is evidence that Al Qaeda has compromised our financial services systems by skimming credit cards," he says.

— James Rogers, Senior Editor, Byte and Switch

Organizations mentioned in this article:

  • Citibank
  • EMC Corp. (NYSE: EMC)
  • FileNet Corp. (Nasdaq: FILE)
  • Hummingbird Ltd. (Nasdaq, Toronto: HUM)
  • Interwoven Inc.
  • Morgan Stanley
  • Securities and Exchange Commission (SEC)
  • Storage Networking Industry Association (SNIA)
     

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Threaded  |  Newest First  |  Oldest First
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 8/3/2020
    'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
    Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
    Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
    Robert Lemos, Contributing Writer,  7/28/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Threat from the Internetand What Your Organization Can Do About It
    The Threat from the Internetand What Your Organization Can Do About It
    This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-16271
    PUBLISHED: 2020-08-03
    The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket connection.
    CVE-2020-16272
    PUBLISHED: 2020-08-03
    The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database via an A=0 WebSocket connection.
    CVE-2020-8574
    PUBLISHED: 2020-08-03
    Active IQ Unified Manager for Linux versions prior to 9.6 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service enabled allowing unauthorized code execution to local users.
    CVE-2020-8575
    PUBLISHED: 2020-08-03
    Active IQ Unified Manager for VMware vSphere and Windows versions prior to 9.5 are susceptible to a vulnerability which allows administrative users to cause Denial of Service (DoS).
    CVE-2020-12739
    PUBLISHED: 2020-08-03
    A vulnerability in the Fanuc i Series CNC (0i-MD and 0i Mate-MD) could allow an unauthenticated, remote attacker to cause an affected CNC to become inaccessible to other devices. The vulnerability is due to improper design or implementation of the Ethernet communication modules of the CNC. An attack...