Educause Security Discussion mailing list archives
Re: Data Transfer Accross Data Centres
From: Nick Giacobe <nxg13 () PSU EDU>
Date: Fri, 12 Oct 2012 12:13:30 -0400
Ok, I’ll bite… and maybe start the discussion.

So, from a theoretical standpoint, I guess the question is about what are you trying to accomplish – remote backup-tape replacement or full featured offsite storage?

If you want the backup data to simply be stored at rest at the colo facility, and you don’t “trust” or don’t want to have to verify that the colo facility hasn’t lost your confidential data to some hack… then I think you’d want to encrypt before you transmit it. I think you’re talking about a straightforward offsite backup. That will require that your backup software does the encryption before transmission. If you do that, then encryption of the communications channel may be redundant.

If you want the data to be usable at the colo facility (like having the ability to search the backup remotely), then you may not want to encrypt before transmitting. You should, however, use an encrypted transmission mechanism (like SSL) to ensure that the data cannot be snooped on by third parties between your site and the colo site. However, this means that the data will sit at rest in an unencrypted format (so that it can be useful to you at the remote site). That may require that you audit the system it resides on the same way you would if it were local. Depending on your colo facility agreement, you may or may not be able to do that effectively.

Even if the colo facility says they will do all of the IDS and monitoring and such, your agreement with the colo facility may not mitigate your risks or reduce your legal responsibilities. What happens if the colo facility has a cyber event (hack/break-in/etc) and your data is compromised? Are they responsible for your mitigation costs? Do they pay the regulatory fines (HIPAA/FERPA or your country’s equivalents)?

The agreement you have with the colo facility should be reviewed by competent counsel (attorneys with a good understanding of technology and the laws for your business type in your jurisdiction for privacy, confidentiality, etc.) to ensure that the risks that you’re taking are well understood.

So, I guess I’m saying that if you’re using your colo facility as a “backup tape replacement”, then encrypt the data before it goes out, otherwise, encrypt in transit.

---
Nick Giacobe
Research Technologist V and Ph.D Candidate
College of Information Sciences and Technology
Penn State University
101 Information Sciences and Technology Building
University Park, PA 16802

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of leo song
Sent: Thursday, October 11, 2012 4:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Transfer Accross Data Centres

We need to transfer a large volume of data centre data to an off-site colo backup facility. One of the requirements is that we need to encrypt the data before sending it out of our premises, or another interpretation could be that we cannot send non-encrypted data centre data over ISP networks.

I believe some of you could have done something similar already; could you shed some light here?

Thanks.

--
Leo Song, Senior Analyst & Cluster Lead
Computing and Communication Services - Networking and Security
University of Guelph
(519) 824-4120 x 53181
Current thread:
- Data Transfer Accross Data Centres leo song (Oct 11)
- Re: Data Transfer Accross Data Centres Nick Giacobe (Oct 12)
- Re: Data Transfer Accross Data Centres Valdis Kletnieks (Oct 12)
- Re: Data Transfer Accross Data Centres Leo Song (Oct 12)
- Re: Data Transfer Accross Data Centres Ian Lazerwitz (Oct 18)
- Re: Data Transfer Accross Data Centres Leo Song (Oct 12)