Security Basics mailing list archives

Re: carbonite


From: "Steven Adair" <steven () securityzone org>
Date: Thu, 21 Jun 2007 17:20:07 -0400 (EDT)

This sounds like some questions you might want to bounce off of them.  I
don't see all the details while just lightly browsing their websites, but
it does appear that the data is encrypted prior to it being stored at
their location.  Now some questions this brings up for me are:

1) How exactly is it encrypted?  They say with the same encryption as
banks and ePayment websites.  Well, there are still some that don't use
encryption and do they just mean encrypted in transit or stored?

2) If the data is encrypted on their servers, do they require key-escrow
or are they the one that issued the encryption keys? (i.e. can they peek
into it if they want to)

3) Is there any disaster recovery?  What are the service levels?  What if
they lose your data?

You can also ask them if they have gone through some sort of ISO 17799,
SAS 70, or NIST 800-53 type audit.  Even if they have that doesn't mean it
covered everything you'd be concerned with.  At least you'd know they took
some extra measures of involving a (potentially useful/useless?)
third-party.

It's really a tough call unless they really spill the beans or they have
someone trusted come out and weigh in on the overall security of the
place.

Steven
securityzone.org


I have some corporate users that are asking for consent to use carbonite
(carbonite.com) for maintaining backups of files etc. XM has been
advertising this as a consumer tool for business continuity/disaster
recovery etc. I have not seen or heard any pros or cons about their
security set up or if it's actually hardened to where it's a realistic
alternative to traditional storage.

Are there any security industry endorsements?

Regards,

Fred Martin
