And what about those "other" backup products that allow you to recreate the
database from the tapes. Re-cataloging a tape I think it's called. How
secure is that? Then all you need is a copy of the backup product and you
can restore anyone's tape/data...even if it's not yours! With TSM unless the
database "knows" about what's on that tape, you can't restore the files. If
you have sensitive data, then you should be looking at client-side
encryption. Physical tape security should also be a consideration.
Bill Boyer
-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Andrew Raibeck
Sent: Saturday, February 19, 2005 9:52 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: Reading client data from a storage pool tape.
Frank, after responding to Orville's post, I think in retrospect I
misunderstood at least part of what you were asking, and therefore should
clarify:
While a tape utility would not be able to reconstruct a whole file system
from a given TSM tape, if the data on the tape is not encrypted, or at
least compressed by the client, you might be able to see the original data
as it existed on the client (interspersed with TSM control information and
other metadata). Plain text (source code, for example) probably has the
most exposure in this regard. For binary data, it will just appear as a
string of hex data, just as it would if you were to load the original file
on the client machine into a hex editor. There are no "sign posts" clearly
delimiting the end of one file and the beginning of the next, but if you
know what patterns you are looking for, at least some of the data would be
recognizable by reading the tape.
Unless you use client side encryption, or otherwise encrypt the files
before backing up or archiving them with TSM, the format of the data on
TSM should not be considered "secure".
In sum, while you would be very hard-pressed to reconstruct entire files
from the tape, bits and pieces of it (depending on the type of data) could
be recognizable just by examining the data on the tape with some tape
utility. Any statement such as the one you suggest below, does not exist,
and would not be true (not unless you've taken care to encrypt all your
data before sending it to the TSM server).
Regards,
Andy
Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: storman AT us.ibm DOT com
The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.
"ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU> wrote on 2005-02-18
14:34:40:
> The auditor would like a published statement from IBM TSM that says
> something like:
> The TSM data is written in a proprietary format which prevents a tape
> utility; such as 'ditto', 'Iebcopy', etc.,
> from being able to read any of the client information.
>
> Thank you for your help and patience.
>
> Frank McClean
> ITSB SSU
> (916)795-1353
> frank_mcclean AT calpers.ca DOT gov
>
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf
> Of
> Andrew Raibeck
> Sent: Friday, February 18, 2005 1:16 PM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Re: Reading client data from a storage pool tape.
>
>
> Please forgive my density, but I am still not clear on what kind of
> "statement" you are looking for. What is it *specifically* that the
> auditor wants to know? I would think the auditor would be asking for a
> statement of what we do, not what we don't do. I am not aware of any
> explicit statements like, "use of compression will obfuscate the data",
> but I would think that is a given for *any* compression scheme used by
> *any* product (but maybe I presume too much?).
>
> If the auditor wants to know whether the files can be readily retrieved
> in their original format by reading the tapes, then the answer is "no",
> per the section of the Admin Guide I quoted in my original response to
> your question.
>
> If the auditor wants to know whether the data can be retrieved *at all*
> by reading the tapes, then the answer is "theoretically, yes". Given
> enough resources (time, compute power, money, brain power), I'm not sure
> there yet exists any unhackable encryption scheme; it's all a matter of
> putting enough blocks in place to discourage. This would apply to any
> system, and is not specific to TSM. This is not explicitly documented
> anywhere, but could be intuited from other information in the doc and
> what we know today about data security.
>
> As for explicit encryption (which is really what we are talking about, I
> think), that is supported via the client side INCLUDE.ENCRYPT option.
> There is a statement in the description for that option (in the client
> manual, in the options reference info for "Include") that says the TSM
> does not encrypt the data without the use of this option.
>
> The TSM 5.3 client introduces a stronger encryption type. You can
> selected between DES56 (the older encryption method) or AES128 via the
> ENCRYPTIONTYPE client option.
>
> Regards,
>
> Andy
>
> Andy Raibeck
> IBM Software Group
> Tivoli Storage Manager Client Development
> Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
> Internet e-mail: storman AT us.ibm DOT com
>
> The only dumb question is the one that goes unasked.
> The command line is your friend.
> "Good enough" is the enemy of excellence.
>
> "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU> wrote on 2005-02-18
> 12:57:19:
>
> > This is exactly the information I need for the Auditor.
> > Is this spelled out in any formal IBM TSM documentation? Thanks,
> >
> > Frank McClean
> > ITSB SSU
> > (916)795-1353
> > frank_mcclean AT calpers.ca DOT gov
> >
> >
> > -----Original Message-----
> > From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf
> > Of Andrew Raibeck
> > Sent: Friday, February 18, 2005 11:44 AM
> > To: ADSM-L AT VM.MARIST DOT EDU
> > Subject: Re: Reading client data from a storage pool tape.
> >
> >
> > > If you dump the data off of the tape, what do you see.
> >
> > That depends. Factors to consider include:
> >
> > - Format of the data that was backed up (was it already compressed or
> > encrypted, for example)?
> >
> > - Use of client-side encryption (use this if security is required)
> >
> > - Use of client-side compression (helps to obfuscate the data)
> >
> > - Use of tape hardware compression (helps to obfuscate the data)
> >
> > Even assuming that you don't do any of the above, the data is stored
> > in a proprietary format. You just can't read the tape and pick off
> > whole, intact files up from start to finish. The need for an intact
> > TSM server database to restore the client data is necessary in order
> > for the data to be read from the tapes and put back on the client, in
> > its original format. But a serious hacker could probably get at bits
> > and pieces of the data. This is why we offer client-side encryption of
>
> > the data (compression isn't the same as encryption per se, but it
> > offers another layer of obfuscation just the same).
> >
> > Regards,
> >
> > Andy
> >
> > Andy Raibeck
> > IBM Software Group
> > Tivoli Storage Manager Client Development
> > Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS Internet
> > e-mail: storman AT us.ibm DOT com
> >
> > The only dumb question is the one that goes unasked.
> > The command line is your friend.
> > "Good enough" is the enemy of excellence.
> >
> > "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU> wrote on 2005-02-18
> > 12:20:54:
> >
> > > Let me rephrase the question.
> > > If you dump the data off of the tape, what do you see.
> > >
> > > Frank McClean
> > > ITSB SSU
> > > (916)795-1353
> > > frank_mcclean AT calpers.ca DOT gov
> > >
> > >
> > > -----Original Message-----
> > > From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On
> > > Behalf Of Andrew Raibeck
> > > Sent: Friday, February 18, 2005 11:16 AM
> > > To: ADSM-L AT VM.MARIST DOT EDU
> > > Subject: Re: Reading client data from a storage pool tape.
> > >
> > >
> > > I found this pretty quickly in the Admin Guide.
> > >
> > > Chapter 24 "Protecting and Recovering Your Server"
> > >
> > > Verse "Database and Recovery Log Protection: An Overview"
> > >
> > > "The database contains information about the client data in your
> > > storage pools. The recovery log contains records of changes to the
> > > database. If you lose the recovery log, you lose the changes that
> > > have
> >
> > > been made since the last database backup. If you lose the database,
> > > you lose all your client data."
> > >
> > > Regards,
> > >
> > > Andy
> > >
> > > Andy Raibeck
> > > IBM Software Group
> > > Tivoli Storage Manager Client Development
> > > Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS Internet
> > > e-mail: storman AT us.ibm DOT com
> > >
> > > The only dumb question is the one that goes unasked.
> > > The command line is your friend.
> > > "Good enough" is the enemy of excellence.
> > >
> > > "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU> wrote on
> > > 2005-02-18
> > > 11:47:59:
> > >
> > > > "The only way to read client data from a tape is to set-up another
>
> > > > TSM
> > >
> > > > server, and restore the database from your current TSM server onto
>
> > > > it.
> > >
> > > > You would then be able to access the data on the tape, it cannot
> > > > be done without TSM." I have heard this several times. Where in
> > > > the IBM
> >
> > > > TSM documentation does it specifically state this?
> > > > I need to quote chapter and verse to an auditor.
> > > >
> > > > Frank McClean
> > > > frank_mcclean AT calpers.ca DOT gov
|
