
Security of off site TSM tapes

Discussion in 'TSM Security and Regulatory Compliance' started by swortsoul, Dec 16, 2004.

  1. swortsoul

    swortsoul New Member

    Joined:
    Mar 1, 2004
    Messages:
    11
    Likes Received:
    0
    Our security group is looking into security of our backups. I took over the TSM setup, but don't have much experience with it. Maybe someone can help answer these questions...



    First, our setup. We have the TSM server machine (AIX) connected to an IBM 3494 tape library with 2 3590 tape drives. We run the disaster/recovery plan to tapes on the library. The tape pool is copied, and sent off-site.



    So, what kind of security do we have there? If someone got a hold of our off-site tapes, what could they do? I know they'd have to recreate the TSM db to restore the data from the tapes. Can they get at data on the tapes without TSM? How much effort would they have to go through to get at our data?



    Our security group is looking into purchasing a device that sits between the server and the tape library that encrypts/decrypts the data.



    Thanks for any help.

    Tim
     
  3. p007393

    p007393 New Member

    Joined:
    Jan 22, 2004
    Messages:
    90
    Likes Received:
    0
    Hi,

    you can easily encrypt all backup data. This is already done by the client. There is a good explanation about this topic in the Client Users Guide, e.g. GC32-0789-03.

    Cheers

    Michael
     
  4. TSMTravis

    TSMTravis New Member

    Joined:
    May 9, 2005
    Messages:
    12
    Likes Received:
    0
    I know this is an older post. But the company I am at right now has the same questions. I think the client guide answers encryption across the network. But not the security of the offsite tapes.



    I need some sort of technical document that explains how TSM writes data to tape for offsite, and why, without the TSM DB those files are impossible to read.



    Can anyone help with this?



    Travis
     
  5. tom.s

    tom.s New Member

    Joined:
    Mar 1, 2005
    Messages:
    74
    Likes Received:
    0
    Occupation:
    Infrastructure & Network Support Analyst
    Location:
    London
    TSMTravis,



    the following article seems to imply that if you turn encryption on on the client then it will be stored encrypted:



    http://web.mit.edu/ist/integration/security-tsm.html



    Further, IBM Tivoli Storage Manager: A Technical Introduction states that:



    The ITSM Backup/Archive client optionally provides a data encryption function, which allows for encrypting data before it is sent to the ITSM server, and which protects the data while it is being transferred to the server and also while it resides in the storage repository.



    Quite how secure all of this is though, I have no idea.



    Regards,



    Tom
     
  6. TSMTravis

    TSMTravis New Member

    Joined:
    May 9, 2005
    Messages:
    12
    Likes Received:
    0
    Thanks for the response. I guess what I have always heard is that without the TSM Database tape the offsite tapes are totally worthless. I have heard this from before the encryption of clients.



    I guess my question is, if the tapes are stolen from an offsite location but the DB backup tape is not, how secure are the tapes? Will people be able to get at the data or not? I have always heard that, No. They will not be able to get at the data without the DB Backup. If that is the case. Why not?



    Hope that makes sense.



    Travis
     
  7. heada

    heada Moderator

    Joined:
    Sep 23, 2002
    Messages:
    2,560
    Likes Received:
    168
    Occupation:
    Storage Administrator
    Location:
    Indiana
    To the best of my knowledge, it IS possible to read data from a non-encrypted stgpool volume (there are utilities that can do it), BUT.... you have to know the structure of the data (where to start, where to end, etc) and hope that the data is not spanned across multiple tapes.

    The likelihood of someone being able to read data from a single TSM stgpool tape without the TSM database is approaching nil. If that data is also encrypted (client-side encryption) then it is virtually impossible.

    If you have data that you are THAT worried about someone getting ahold of, enable client-side encryption and store the data separate from the DB-backups. Make sure that tapes are labeled in some non-obvious way (random numbers/letters, NOT DBBACK1, etc)



    If you asked IBM to recover a tape that had data on it without the DB, they could for a hefty price. If you turn on client encryption, they claim that not even they can get it back for you.



    -Aaron
     
  8. tom.s

    tom.s New Member

    Joined:
    Mar 1, 2005
    Messages:
    74
    Likes Received:
    0
    Occupation:
    Infrastructure & Network Support Analyst
    Location:
    London
    Hi,



    it most certainly is possible to read unencrypted data on TSM tapes. There is some control information muddled in with it, but if you dump the contents of a tape and take a look at it in a hex editor, you will see your files in the dump file. It would certainly be a huge pain to recover a particular file this way though. Having said that, if you were not looking for one particular file but just wanted to rip what you could get off a given tape, I really don't think TSM is very secure at all.



    The following should link to an IBM field guide on TSM client security. This issue isn't really what it's about, however, it does mention that the encryption is standard 56-bit. The 5.3 technical guide also mentions this. There doesn't seem to be a whole lot of information out there on this though.



    http://www-1.ibm.com/support/docview.wss?uid=swg27005133&aid=1



    regards,



    Tom
     
  9. sgabriel62

    sgabriel62 Senior Member

    Joined:
    Apr 7, 2005
    Messages:
    1,359
    Likes Received:
    5
    Occupation:
    Principal of SGSolutions Inc.; Systems Architect &
    Location:
    Michigan
    All;

    Security is a hot topic lately within IBM development arena since Iron Mountain lost a whole series of bank offsite media. Tom is correct, the current encryption is 56 bit. There is a new release coming very soon which enhances this to 128 and perhaps 256. I'll keep you informed on their progress.



    Aaron is also correct, recreating the TSM environment is in fact doable, if the person wishes to pursue on the processes of reading the labels of all the media, then trying to rebuild the TSM server without the vital 5. If fortunate and lucky enough to rebuild, they would have to come up with a hash hack to attempt to read through the encryption.



    Third party tools are costly but even at that, the data retrieved will be unreadable without another hack of some kind.



    Therefore, it's safe to assume that the offsite media will be deemed useless as standalone pieces. Unless the administrator is dumbfounded and used common catch phrases with any password hack program can use. There will be too much work involved. The crime would have to be premeditated, the environment already prepared for a recovery scenario and the person is a highly trained DB2 programmer/hacker to know the sequence of steps to perform a successful restore.



    Purchasing a device that sits in the middle will be a waste of money and too difficult to support in the long run. This device most likely will not be application level supported but OS level supported. Offsite media would still be under DB2 format. And so far I have not heard of any such devices that can join DB2 or TSM for that matter to insert an additional encryption hash. Unless your security team can come up with a product that we all can validate and test and then build a business case to use it, then I would like to be one of the first to read their summary.

    I am satisfied that my encrypted media is secure via TSM standards. Knowing IBM is also taking into account this current security issue as well.



    This is my opinion



    Steven
     
  10. djchopps0013

    djchopps0013 Senior Member

    Joined:
    Jun 29, 2007
    Messages:
    286
    Likes Received:
    5
    Occupation:
    Storage Administrator
    Location:
    St Louis
    Just to update everyone on this, it is entirely possible to read the data from an unencrypted TSM tape. It being written in its own TSM proprietary and spanned across multiple volumes hold true, but is totally and easily readable.

    Just to prove it I took an expired and reclaimed tape that contained PHI data and used a little program called dcfldd and dumped it into a file. I then opened it with my handy notepad, not even a hex editor, and guess what? I saw a jumbled mess, but I also saw PHI data and SSN information. That's right, too bad Bill Gates isn't one of our customers! That was a joke.

    My point being if you don't encrypt at drive (LTO4) or client level you're only fooling yourself. However, we saw that backing up data using Tivoli Storage Manager client compression rendered the data unreadable on the tape and even a step further client encryption and compression will render all data useless.
     
    Last edited: May 1, 2008
  11. PJ

    PJ Senior Member

    Joined:
    Nov 18, 2005
    Messages:
    1,066
    Likes Received:
    4
    Location:
    LU Germany
    Our security department claimed (and proved) that they can easily decompress and read unencrypted but client-compressed TSM stgpool data. They also wanted to go the extra mile for decryption but weren't allowed access to the cray for something so obvious.
    I think it's common sense that anything unencrypted can be hacked in no time and that the encrypted stuff can be hacked as well - if you've got a sufficiently large bunch of really fast machines and even more time.

    PJ
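
An added example, not part of the thread: a check a backup administrator could run over a raw dump of a storage pool volume before it goes off-site, showing why compressed data looks unreadable in an editor yet is not protected. The records are constructed fake data, `zlib` is an assumed stand-in for TSM client compression, and `audit_dump` and `sample_records` are hypothetical names.

```python
import math
import random
import re
import zlib
from collections import Counter

SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")   # SSN-shaped strings
TEXT_RE = re.compile(rb"[\x20-\x7e]{8,}")                 # printable runs, as strings(1) finds

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 look random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def audit_dump(dump: bytes, chunk: int = 4096) -> dict:
    """Summarise what a plain read of a raw volume dump exposes."""
    report = {"chunks": 0, "readable_chunks": 0,
              "ssn_like": len(SSN_RE.findall(dump)), "entropy": round(entropy(dump), 2)}
    for off in range(0, len(dump), chunk):
        block = dump[off:off + chunk]
        text = sum(len(run) for run in TEXT_RE.findall(block))
        report["chunks"] += 1
        if text > len(block) // 2:        # more than half the chunk is readable text
            report["readable_chunks"] += 1
    return report

def sample_records(count: int = 2000) -> bytes:
    """Constructed stand-in for backed-up file data; every value is fake."""
    rng = random.Random(0)
    rows = ("patient-%04d ssn=%03d-%02d-%04d\n"
            % (i, rng.randrange(1000), rng.randrange(100), rng.randrange(10000))
            for i in range(count))
    return "".join(rows).encode()

PLAIN = b"\x00\x01CTRL\xff\xfe" * 4 + sample_records()    # control bytes mixed with data
COMPRESSED = zlib.compress(sample_records())              # assumption: zlib, not TSM's own codec

if __name__ == "__main__":
    for name, dump in (("plain", PLAIN), ("compressed", COMPRESSED)):
        print(name, audit_dump(dump))
    # Compression involves no key, so reversing it exposes every record again.
    print("after decompress:", audit_dump(zlib.decompress(COMPRESSED))["ssn_like"])
```

High entropy with no readable strings is what both compressed and encrypted volumes look like, so this check can show that a volume is exposed but not that it is encrypted; confirm encryption from the client or drive configuration.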
     
  12. mikeymac

    mikeymac Moderator

    Joined:
    Jun 20, 2003
    Messages:
    906
    Likes Received:
    27
    Location:
    Syracuse, NY
    A few years ago, I had to provide TSM tapes to a Federal agency. I told them they would be worthless to them without the TSM DB. They thought that was very funny.

    Another funny anecdote. My boss at my old place of employment was concerned about the security of our offsite tapes. They were stored in another building owned by the corporation, in a room that was accessible by anyone on the floor. His solution? Hang a red velvet rope around the tape racks. I'm not kidding.
     
  13. PJ

    PJ Senior Member

    Joined:
    Nov 18, 2005
    Messages:
    1,066
    Likes Received:
    4
    Location:
    LU Germany
    LOL
    Well look at it this way: at least he didn't stick a note on the door saying "Attention! Unprotected confidential, highly classified information hidden in plain view inside this room. Please do not steal or copy because we would neither notice nor care until we find our financial and operational details on the front page of the Daily Mirror."

    PJ
     
  14. djchopps0013

    djchopps0013 Senior Member

    Joined:
    Jun 29, 2007
    Messages:
    286
    Likes Received:
    5
    Occupation:
    Storage Administrator
    Location:
    St Louis
    Mikey that was hilarious, I must have laughed for about 2 hours after reading that.
     