Results 1 to 13 of 13
  1. #1
    Member
    Join Date
    Mar 2004
    Posts
    11
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Our security group is looking into security of our backups. I took over the TSM setup, but don't have much experience with it. Maybe someone can help answer these questions...



    First, our setup. We have the TSM server machine (AIX) connected to an IBM 3494 tape library with 2 3590 tape drives. We run the disaster/recovery plan to tapes on the library. The tape pool is copied, and sent off-site.



    So, what kind of security do we have there? If someone got a hold of our off-site tapes, what could they do? I know they'd have to recreate the TSM db to restore the data from the tapes. Can they get at data on the tapes without TSM? How much effort would they have to go through to get at our data?



    Our security group is looking into purchasing a device that sits between the server and the tape library that encrypts/decrypts the data.



    Thanks for any help.

    Tim

  2. #2
    Member
    Join Date
    Jan 2004
    Posts
    90
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Hi,

    you can easily encrypt all backup data. This is already done by the client. There is a good explanation about this topic in the Client Users Guide, e.g. GC32-0789-03.

    Cheers

    Michael

  3. #3
    Member
    Join Date
    May 2005
    Posts
    12
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    I know this is an older post. But the company i am at right now has the same questions. I think the client guide answers encryption across the network. But not the security of the offsite tapes.



    I need some sort of technical document that explains how TSM writes data to tape for offsite, and why, without the TSM DB those files are impossible to read.



    Can anyone help with this?



    Travis

  4. #4
    Member
    Join Date
    Mar 2005
    Location
    London
    Posts
    74
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    TSMTravis,



    the following article seems to imply that if you turn encryption on on the client then it will be stored encrypted:



    http://web.mit.edu/ist/integration/security-tsm.html



    Further, IBM Tivoli Storage Manager: A Technical Introduction states that:



    The ITSM Backup/Archive client optionally provides a data encryption function, which allows for encrypting data before it is sent to the ITSM server, and which protects the data while it is being transferred to the server and also while it resides in the storage repository.



    Quite how secure all of this is though, I have no idea.



    Regards,



    Tom

  5. #5
    Member
    Join Date
    May 2005
    Posts
    12
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Thanks for the reponse. I guess what I have always heard is that without the TSM Database tape the offsite tapes are totally worthless. I have heard this from before the encryption of clients.



    I guess my question is, if the tapes are stolen from an offsite location but the DB backup tape is not, how secure are the tapes? Will people be able to get at the data or not? I have always heard that, No. They will not be able to get at the data without the DB Backup. If that is the case. Why not?



    Hope that makes sense.



    Travis

  6. #6
    Moderator
    Join Date
    Sep 2002
    Location
    Indiana
    Posts
    2,560
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default

    To the best of my knowledge, it IS possible to read data from a non-encrpyted stgpool volume(there are utilities that can do it), BUT.... you have to know the structure of the data (where to start, where to end, etc) and hope that the data is not spanned across multiple tapes.



    The likelihood of someone being able to read data from a single TSM stgpool tape without the TSM database is approching nil. If that data is also encrypted (client-side encryption) then it is virtually impossible.



    If you have data that you are THAT worried about someone getting ahold of, enable client-side encrpytion and store the data seperate from the DB-backups. Make sure that tapes are labeled in some non-obvious way (random numbers/letters, NOT DBBACK1, etc)



    If you asked IBM to recover a tape that had data on it without the DB, they could for a hefty price. If you turn on client encryption, they claim that not even they can get it back for you.



    -Aaron
    Three things are certain:
    Death, taxes, and lost data.
    Guess which has occurred.

  7. #7
    Member
    Join Date
    Mar 2005
    Location
    London
    Posts
    74
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Hi,



    it most certainly is possible to read unencrypted data on TSM tapes. There is some control information muddled in with it, but if you dump the contents of a tape and take a look at it in a hex editor, you will you your files in the dump file. It would certainly be a huge pain to recover a particular file this way though. Having said that if you were not looking for one particular file but just wanted to rip what you could get off a given tape, I really don't think TSM is very secure at all.



    The following should link to an IBM field guide on TSM client security. This issue isn't really what it's about, however, it does mention that the encryption is standard 56-bit. The 5.3 technical guide also mentions this. There doesn't seem to be a whole lot of information out there on this though.



    http://www-1.ibm.com/support/docview...5133&aid=1



    regards,



    Tom

  8. #8
    Senior Member
    Join Date
    Apr 2005
    Location
    Michigan
    Posts
    1,359
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default

    All;

    Security is a hot topic lately within IBM development arena since Iron Mountain lost a hole series of bank offsite media. Tom is correct, the current encryption is 56 bit. There is a new release coming very soon which enhances this to 128 and perhaps 256. I'll keep you informed on their progress.



    Aaron is also correct, recreating the TSM environment is in fact doable, if the person wishes to pursue on the processes of reading the labels of all the media, then trying to rebuild the TSM server without the vital 5. If fortunate and lucky enough to rebuild, they would have to come up with a hash hack to attempt to read through the encryption.



    Third party tools are costly but even at that, the data retrieved will be unreadable without another hack of some kind.



    Therefore, Its safe to assume that the offsite media will be deemed useless as standalone pieces. Unless the adminstrator is dumbfounded and used common catch phrases with any password hack program can use. There will be too much work involved. The crime would have to be premeditated, the environment already prepared for a recovery scenario and the person is a highly trained DB2 programmer/hacker to know the sequence of steps to perform a successful restore.



    Purchasing a device that sits in the middle will be a waste of money and too difficult to support in the long run. This device most likely will not be application level supported but OS level supported. Offsite media would still be under DB2 format. And so far I have not heard of any such devices that can join DB2 or TSM for that matter to insert an additional encryption hash. Unless your security team can come up with a product that we all can validate and test and then build a business case to use it, then I would like to be one of the first to read their summary.

    I am satisfied that my encrypted media is secure via TSM standards. Knowing IBM is also taking into account this current security issue as well.



    This is my opinion



    Steven
    Steven Gabriel
    Principal -SGSolutions Inc.
    http://www.sgsolutionsinc.com

  9. #9
    Senior Member
    Join Date
    Jun 2007
    Location
    St Louis
    Posts
    286
    Thanks
    0
    Thanked 1 Time in 1 Post

    Default

    Just to update everyone on this, It is entirely possible to read the data from and unencrypted TSM tape. It being written in its own TSM proprietary and spanned across multiple volumes hold true, but is totally and easily readable.

    Just to prove it I took a expired and reclaimed tape that contained PHI data and used a little program called dcfldd and dumped it into a file. I then opened it with my handy notepad, nto even a hex editor and guess what? I seen a jumbled mess, but I also seen PHI data and SSN information. Thats right to bad bill gates isnt one of our customers! That was a joke.

    My point being if you dont encrypt at drive (LTO4) or client level your only fooling yourself. However We saw that backing up data using Tivoli Storage Manager client compression rendered the data unreadable on the tape and even a step further client encryption and compression will render all data useless.
    Last edited by djchopps0013; 05-01-2008 at 03:25 PM.

  10. #10
    Senior Member
    Join Date
    Nov 2005
    Location
    LU Germany
    Posts
    1,066
    Thanks
    0
    Thanked 1 Time in 1 Post

    Default

    Our security department claimed (and proved) that they can easily decompress and read unencrypted but client-compressed TSM stgpool data. They also wanted to go the extra mile for decryption but weren't allowed access to the cray for something so obvious.
    I think its common sense that anything unencrypted can be hacked in no time and that the encrypted stuff can be hacked as well - if you've got a sufficiently large bunch of really fast machines and even more time.

    PJ

  11. #11
    Moderator mikeymac's Avatar
    Join Date
    Jun 2003
    Location
    Syracuse, NY
    Posts
    893
    Thanks
    8
    Thanked 12 Times in 12 Posts

    Red face

    A few years ago, I had to provide TSM tapes to a Federal agency. I told them they would be worthless to them without the TSM DB. They thought that was very funny.

    Another funny anecdote. My boss at my old place of employment was concerned about the security of our offsite tapes. They were stored in another building owned by the corporation, in a room that was accessible by anyone on the floor. His solution? Hang a red velvet rope around the tape racks. I'm not kidding.

  12. #12
    Senior Member
    Join Date
    Nov 2005
    Location
    LU Germany
    Posts
    1,066
    Thanks
    0
    Thanked 1 Time in 1 Post

    Default

    Quote Originally Posted by mikeymac View Post
    His solution? Hang a red velvet rope around the tape racks. I'm not kidding.
    LOL
    Well look at it this way: at least he didn't stick a note on the door saying "Attention! Unprotected confidencial, highly classified information hidden in plain view inside this room. Please do not steal or copy because we would neither notice nor care until we find our financial and operational details on the frontpage of the daily mirror."

    PJ

  13. #13
    Senior Member
    Join Date
    Jun 2007
    Location
    St Louis
    Posts
    286
    Thanks
    0
    Thanked 1 Time in 1 Post

    Default

    Mikey that was hilarious, I must of laughed for about 2 hours after reading that.

Similar Threads

  1. Query for tapes that have gone empty
    By krissie in forum Scripting
    Replies: 1
    Last Post: 11-15-2006, 09:36 AM
  2. Problem with checking in cleaning tapes...
    By c.j.hund in forum Tape / Media Library
    Replies: 3
    Last Post: 03-08-2006, 10:41 AM
  3. Help With : Implementing Off Site Backups
    By pinsky in forum Backup / Archive Discussion
    Replies: 8
    Last Post: 02-18-2006, 05:50 AM
  4. Questions about DR and remote site....
    By bvillega in forum Backup / Archive Discussion
    Replies: 0
    Last Post: 11-24-2004, 03:09 PM
  5. Tivoli Security & Privacy Consultants
    By Sophia in forum Storage Management Jobs
    Replies: 0
    Last Post: 09-11-2004, 02:41 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •