Security of off site TSM tapes

swortsoul

Our security group is looking into security of our backups. I took over the TSM setup, but don't have much experience with it. Maybe someone can help answer these questions...



First, our setup. We have the TSM server machine (AIX) connected to an IBM 3494 tape library with 2 3590 tape drives. We run the disaster/recovery plan to tapes on the library. The tape pool is copied, and sent off-site.



So, what kind of security do we have there? If someone got a hold of our off-site tapes, what could they do? I know they'd have to recreate the TSM db to restore the data from the tapes. Can they get at data on the tapes without TSM? How much effort would they have to go through to get at our data?



Our security group is looking into purchasing a device that sits between the server and the tape library that encrypts/decrypts the data.



Thanks for any help.

Tim
 
Hi,

you can easily encrypt all backup data. This is already done by the client. There is a good explanation about this topic in the Client Users Guide, e.g. GC32-0789-03.

Cheers

Michael
 
I know this is an older post. But the company I am at right now has the same questions. I think the client guide answers encryption across the network. But not the security of the offsite tapes.



I need some sort of technical document that explains how TSM writes data to tape for offsite, and why, without the TSM DB those files are impossible to read.



Can anyone help with this?



Travis
 
TSMTravis,



the following article seems to imply that if you turn encryption on on the client then it will be stored encrypted:



http://web.mit.edu/ist/integration/security-tsm.html



Further, IBM Tivoli Storage Manager: A Technical Introduction states that:



The ITSM Backup/Archive client optionally provides a data encryption function, which allows for encrypting data before it is sent to the ITSM server, and which protects the data while it is being transferred to the server and also while it resides in the storage repository.



Quite how secure all of this is though, I have no idea.



Regards,



Tom
 
Thanks for the response. I guess what I have always heard is that without the TSM Database tape the offsite tapes are totally worthless. I have heard this from before the encryption of clients.



I guess my question is, if the tapes are stolen from an offsite location but the DB backup tape is not, how secure are the tapes? Will people be able to get at the data or not? I have always heard that, no, they will not be able to get at the data without the DB backup. If that is the case, why not?



Hope that makes sense.



Travis
 
To the best of my knowledge, it IS possible to read data from a non-encrypted stgpool volume (there are utilities that can do it), BUT.... you have to know the structure of the data (where to start, where to end, etc) and hope that the data is not spanned across multiple tapes.



The likelihood of someone being able to read data from a single TSM stgpool tape without the TSM database is approaching nil. If that data is also encrypted (client-side encryption) then it is virtually impossible.



If you have data that you are THAT worried about someone getting ahold of, enable client-side encryption and store the data separate from the DB-backups. Make sure that tapes are labeled in some non-obvious way (random numbers/letters, NOT DBBACK1, etc)



If you asked IBM to recover a tape that had data on it without the DB, they could for a hefty price. If you turn on client encryption, they claim that not even they can get it back for you.



-Aaron
 
Hi,



it most certainly is possible to read unencrypted data on TSM tapes. There is some control information muddled in with it, but if you dump the contents of a tape and take a look at it in a hex editor, you will see your files in the dump file. It would certainly be a huge pain to recover a particular file this way though. Having said that, if you were not looking for one particular file but just wanted to rip what you could get off a given tape, I really don't think TSM is very secure at all.



The following should link to an IBM field guide on TSM client security. This issue isn't really what it's about, however, it does mention that the encryption is standard 56-bit. The 5.3 technical guide also mentions this. There doesn't seem to be a whole lot of information out there on this though.



http://www-1.ibm.com/support/docview.wss?uid=swg27005133&aid=1



regards,



Tom
 
All;

Security is a hot topic lately within IBM development arena since Iron Mountain lost a whole series of bank offsite media. Tom is correct, the current encryption is 56 bit. There is a new release coming very soon which enhances this to 128 and perhaps 256. I'll keep you informed on their progress.



Aaron is also correct, recreating the TSM environment is in fact doable, if the person wishes to pursue on the processes of reading the labels of all the media, then trying to rebuild the TSM server without the vital 5. If fortunate and lucky enough to rebuild, they would have to come up with a hash hack to attempt to read through the encryption.



Third party tools are costly but even at that, the data retrieved will be unreadable without another hack of some kind.



Therefore, it's safe to assume that the offsite media will be deemed useless as standalone pieces. Unless the administrator is dumbfounded and used common catch phrases that any password hack program can use. There will be too much work involved. The crime would have to be premeditated, the environment already prepared for a recovery scenario and the person is a highly trained DB2 programmer/hacker to know the sequence of steps to perform a successful restore.



Purchasing a device that sits in the middle will be a waste of money and too difficult to support in the long run. This device most likely will not be application level supported but OS level supported. Offsite media would still be under DB2 format. And so far I have not heard of any such devices that can join DB2 or TSM for that matter to insert an additional encryption hash. Unless your security team can come up with a product that we all can validate and test and then build a business case to use it, then I would like to be one of the first to read their summary.

I am satisfied that my encrypted media is secure via TSM standards. Knowing IBM is also taking into account this current security issue as well.



This is my opinion



Steven
 
Just to update everyone on this, it is entirely possible to read the data from an unencrypted TSM tape. It being written in its own TSM proprietary and spanned across multiple volumes holds true, but is totally and easily readable.

Just to prove it I took an expired and reclaimed tape that contained PHI data and used a little program called dcfldd and dumped it into a file. I then opened it with my handy notepad, not even a hex editor, and guess what? I saw a jumbled mess, but I also saw PHI data and SSN information. That's right, too bad Bill Gates isn't one of our customers! That was a joke.

My point being if you don't encrypt at drive (LTO4) or client level you're only fooling yourself. However, we saw that backing up data using Tivoli Storage Manager client compression rendered the data unreadable on the tape and even a step further client encryption and compression will render all data useless.
 
Our security department claimed (and proved) that they can easily decompress and read unencrypted but client-compressed TSM stgpool data. They also wanted to go the extra mile for decryption but weren't allowed access to the Cray for something so obvious.
I think it's common sense that anything unencrypted can be hacked in no time and that the encrypted stuff can be hacked as well - if you've got a sufficiently large bunch of really fast machines and even more time.

PJ
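
An added example, not part of any post in this thread: a check an administrator can run on a dump of a test volume to tell plaintext, compressed-only and encrypted-looking data apart, since compressed data looks random in an editor but needs no key to reverse. Assumptions: zlib stands in for the client compression, the records and the cipher-like bytes are constructed, and all names are hypothetical.

```python
import hashlib
import math
import re
import zlib
from collections import Counter

# Shape of the sensitive records planted in the constructed sample below.
SSN_LIKE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_dump(data: bytes) -> str:
    """Classify a raw dump taken from a test volume."""
    if SSN_LIKE.search(data):
        return "plaintext"
    try:
        inflated = zlib.decompress(data)  # needs only the algorithm, no key
    except zlib.error:
        inflated = b""
    if SSN_LIKE.search(inflated):
        return "compressed-only"
    # High entropy that does not inflate is consistent with encryption.
    return "opaque" if entropy(data) > 7.5 else "inconclusive"

# Constructed sample data; the 000- prefix marks the numbers as fake.
PLAIN = b"".join(
    b"patient %05d ssn 000-%02d-%04d\n" % (i, i % 100, i) for i in range(2000)
)
COMPRESSED = zlib.compress(PLAIN)
# Stand-in for ciphertext: SHA-256 output over a counter, not a real cipher.
CIPHER_LIKE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2000)
)

if __name__ == "__main__":
    samples = [("plain", PLAIN), ("compressed", COMPRESSED),
               ("cipher-like", CIPHER_LIKE)]
    for name, blob in samples:
        print(f"{name:12} entropy={entropy(blob):.2f} "
              f"verdict={classify_dump(blob)}")
```
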
 
His solution? Hang a red velvet rope around the tape racks. I'm not kidding.

LOL
Well look at it this way: at least he didn't stick a note on the door saying "Attention! Unprotected confidential, highly classified information hidden in plain view inside this room. Please do not steal or copy because we would neither notice nor care until we find our financial and operational details on the front page of the Daily Mirror."

PJ
 
Mikey that was hilarious, I must have laughed for about 2 hours after reading that.
 