Encryption continues to be the topic on every CIO and IT person’s lips nowadays. No one wants to end up in the news as the next victim of a privacy breach or the next company that didn’t protect its customers’ information. If you conduct a news search using the words “personal data breach,” you’ll be alarmed at the number of instances where personal information such as social security and credit-card numbers have been exposed to possible theft. In a recent breach, a state government site allowed access to hundreds of thousands of records, including names, addresses, social security numbers and documents with signatures.
Whether it’s government agencies, research facilities, banking institutions, credit card processing companies, hospitals, or your company’s computers, the risk of compromising private information is very high. At the recent “CEO-CIO Symposium,” speaker Erik Phelps from the law firm Michael Best & Friedrich described the relationship business has with technology. In his presentation, he stated that since “business relies so heavily on technology today, business risk becomes technology dependent.” The possibility of litigation has always been a risk of doing business, but because technology and today’s business are so intertwined, that risk now carries a higher threat level. This has prompted many to encrypt workstations and mobile computers in order to protect critical business data.
If you have rolled out encryption, how do you maintain your IT service quality when the hard disk drive fails? How do you plan and prepare for a data loss when the user’s computer is encrypted? These are all issues that should be considered when putting together a data disaster plan. In addition, data recovery, one of the more common missing elements of a disaster recovery plan, should also be factored in because it can serve as the “Hail Mary” attempt when all other options have been exhausted.
Data Recovery and Encryption
Business continuity and disaster planning are critical for businesses regardless of their size. Most archive and backup software has key features to restore user files, database stores and point-in-time snapshots of users’ files. Software is becoming more automated so users don’t have to manually back up their files. Some computer manufacturers have built-in backup systems that include dedicated hard disk drives for archive storage. Most external USB hard disk drives ship with some sort of third-party software that provides data archiving for a trial period. Such solutions, while solving the data backup need, raise questions about how effective the systems are with respect to user data. What are your options when a user’s computer has a data disaster and the hard disk drive is fully encrypted?
Most IT security policies require a multi-pronged approach to data security. For example, when setting up a new computer for a user, the IT department will require a BIOS (Basic Input/Output System) password for the system before the computer will start. BIOS password security varies in functionality. Some are computer system specific, meaning that the computer will not start without the proper password. Other BIOS passwords are hard disk drive specific, meaning that the hard drive will not be accessible without the proper password. Some computer BIOSes employ one password for access control to both the system and the hard disk drive. To add a second level of protection, new IT security policies require full hard disk drive encryption. The most common full-disk encryption software operates as a memory-resident program. When the computer starts up, the encryption software is loaded before the operating system starts and prompts for a pass-phrase or password. After a successful login from the user, the software decrypts hard disk drive sectors in memory as they are needed, and the process is reversed when writing to the hard disk drive. This leaves the hard disk drive in a constant state of encryption. The operating system and applications function normally, without having to be aware of any encryption software.
The Recovery Process
Recovering data from encrypted hard disk drives follows the same handling procedures as all other magnetic media. A strict process of handling and documentation starts right at the shipping door upon drive receipt and ends when the drive is shipped back to the customer. In most cases, when working with a top data recovery provider, all recovery processes are logged. This results in an audit trail of the recovery history and serves as verification that the recovery was conducted in a secure, compliant manner. Specifically, you want to ensure the process consists of the following high-level steps:
- Triage drive; determine faults without opening drive
- Clean room escalation for physical or electronic damage
- Secure original media
- Sector-by-sector copy of drive data
- User key used to decrypt data
- Produce file listing of user file names
- Repair file system
- Prepare data for delivery
- Encryption options for data delivery
After the first four stages listed above, the recovery engineer will begin to map all key file system structures that point to the user files. However, if the hard disk drive is encrypted, then the drive needs to be decrypted in order to proceed.
If this is the case, a user key or decryption password is required. Fortunately, encryption software has come a long way over the years. Instead of using a master password for decryption, most professional encryption software provides a technician-level pass-phrase that changes on a daily basis. This protects both the user’s password and the organization’s master password.
Many organizations are comfortable providing these one-time use pass-phrases so that the recovery work can continue. However, this is not always the case. For some organizations, providing this information to an outside vendor, such as a data recovery provider, is against their security policy. In these situations, a successful recovery is still possible. There are data recovery vendors that can perform recoveries while leaving the data in its encrypted form throughout the entire process. In this case, the data will be recovered and sent back to the client in its encrypted form; however, the specific results will be unknown until the files are opened by someone with access to the encryption key. Ultimately, this limits the provider’s ability to communicate the success of the recovery until the recovered data is delivered and opened, thereby placing some of the burden back on the customer.
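The following is an added illustration of the sector-level behaviour described above (the transparent per-sector encryption, the sector-by-sector copy, and why the user key is needed before a file listing can be produced); it is not code from the article or from any recovery vendor. The HMAC-based per-sector keystream is a toy stand-in for a real sector-tweaked cipher, and the single-sector JSON directory stands in for a real file system.

```python
import hashlib
import hmac
import json

SECTOR = 64  # bytes per sector (constructed; real drives use 512 or 4096)

def keystream(key: bytes, sector_no: int) -> bytes:
    # Per-sector keystream from key + sector number: a toy stand-in for the
    # sector-tweaked cipher (e.g. AES-XTS) real FDE uses. Every sector is
    # decryptable on its own, which is what makes sector-level recovery work.
    return hmac.new(key, sector_no.to_bytes(8, "big"), hashlib.sha512).digest()[:SECTOR]

def crypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    # XOR with the sector keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data.ljust(SECTOR, b"\0"), keystream(key, sector_no)))

def build_encrypted_disk(key: bytes, files: dict) -> list:
    # Sector 0: JSON directory {name: [first_sector, byte_length]}; data follows.
    directory, plain, nxt = {}, [], 1
    for name, content in files.items():
        chunks = [content[i:i + SECTOR] for i in range(0, len(content), SECTOR)] or [b""]
        directory[name] = [nxt, len(content)]
        plain.extend(chunks)
        nxt += len(chunks)
    plain.insert(0, json.dumps(directory).encode())
    return [crypt_sector(key, n, p) for n, p in enumerate(plain)]

def image_drive(disk: list, unreadable: set) -> tuple:
    # Sector-by-sector copy: unreadable sectors are zero-filled and logged
    # instead of aborting; readable ciphertext is copied untouched, so this
    # step needs no key at all.
    image = [b"\0" * SECTOR if n in unreadable else s for n, s in enumerate(disk)]
    return image, sorted(unreadable)

def list_files(image: list, key: bytes) -> dict:
    # Decrypt the directory sector with the user key. With the wrong key the
    # sector is noise and the file-system structures cannot be mapped.
    try:
        return json.loads(crypt_sector(key, 0, image[0]).rstrip(b"\0"))
    except ValueError:
        return {}

def recover_file(image: list, key: bytes, name: str, bad: list) -> tuple:
    # Returns (content, sectors of this file that were unreadable during imaging)
    # so the engineer can report exactly which files are affected.
    first, length = list_files(image, key)[name]
    sectors = range(first, first + max(1, -(-length // SECTOR)))
    plain = b"".join(crypt_sector(key, n, image[n]) for n in sectors)[:length]
    return plain, [n for n in sectors if n in bad]
```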
As a result, it is clear that significant time and cost savings are associated with allowing your data recovery vendor to access your one-time use pass-phrase codes while attempting to recover your encrypted data. At the same time, it’s critical to ensure that your selected vendor also understands security protocols, is knowledgeable about encryption products and has privacy policies in place.
Following the recovery, preparation for delivering the data begins. Since the original hard disk drive was encrypted, securing the recovered data is highly important. The recovered data is backed up to the media of the user’s choice and is re-encrypted. The new decryption key is communicated verbally to the user; email should not be used, as this could be a security risk. Some leading-edge data recovery companies are able to deliver recovered data back to the customer in an encrypted format on external USB/FireWire hard disk drives. From the start of the recovery to the final delivery, data should be secure throughout the entire process.
Data Recovery Vendor Considerations
When looking for a data recovery provider, it’s important to ensure that the one selected can handle not only the various types of media, but also understands the data security regulations of today’s organizations. For example, encrypted data requires special data handling processes — from the clean room to the technically advanced recovery lab. This isolation ensures no one person has complete access to the media throughout the recovery process, thereby providing security while maintaining recovery continuity and quality.
Unfortunately, most data loss victims only consider data recovery right after they have experienced a data loss and are scrambling for a solution. Emotions run high at this point. The fallout from a data disaster and corresponding data loss is sometimes crippling, with the IT staff working around the clock to get the computer systems back to normal. These distressed circumstances are not the time to think about what makes a good data recovery vendor. Incorporating this important decision into your business continuity planning is best done in advance. Some key questions to ask as part of this proactive exercise include:
- Do you have a relationship with a preferred data recovery vendor?
- What should you look for when reviewing data recovery companies?
- Do you include data recovery in your disaster and business continuity planning?
- Do you have a plan for how to handle data loss of encrypted data?
- Do appropriate people have access to the encryption keys to speed up the recovery process?
Sometimes planning for these procedures can become involved and tedious, especially if you are planning for something you have never experienced. Do some investigating by calling data recovery service companies and presenting data loss situations such as email server recoveries, RAID storage recoveries, or physically damaged hard disk drives from mobile users. Ask about data protection and the policies in place to protect your company’s files.
Additionally, find out which techniques and recovery tools the providers use. Ask the companies how large their software development staff is. Inquire about how they handle custom development for unique data files. For example, will they be able to repair or rebuild your users’ unique files? Does the data recovery service company have any patents or special OEM certifications?
While these details may not seem important at first, they can be the decisive factors that determine whether your data recovery experience is a positive and successful endeavor.
Following is a checklist of factors to consider when searching for a data recovery vendor for encrypted data or ensuring your data recovery partner is able to comply with your data security policies:
- Solid Reputation – Experienced data recovery company with a strong background.
- Customer Service – Dedicated and knowledgeable staff.
- Secure Protocols – Expert knowledge of encryption products with privacy protocols in place.
- Technical Expertise – Capable of recovering from virtually all operating systems and types of storage devices.
- Scalable Volume Operations – Equipped with full-service labs and personnel that can handle all size jobs on any media type.
- Research & Development – Invested in technology for superior recoveries; not just purchasing solutions.
It is important to understand that data loss can occur at any time on any scale. It’s especially crucial to be prepared with a plan that adheres to your company’s security policy. The more prepared one is, the better the chance for a quick and successful recovery when a problem arises.
Personal Data Exposed (http://www.mercurynews.com/politics/ci_5502819)
Fusion CIO Conference (http://wistechnology.com/fusioncio/conference/2007/presentations/)
PGP/Ponemon Research (http://www.ponemon.org/data-security)