Another common question is how you can be certain that the
information we hold is not corrupt and can definitely be retrieved.
We ensure that the data we store is valid in two ways. See the
sections below to find out more about Data Validation and
Autonomous Self Healing.
Online Backup Software - Data Security and Encryption
The Online Backup software which is used by Databarracks in the
provision of its online backup service has been developed over 20
years. Online Backup Software is trusted by some of the largest
companies in the world to protect their data and keep it secure.
Security of data is paramount. Data is encrypted within its own
environment and is never transmitted or stored in an unencrypted
format.
Below are some of the encryption features of the software:
- Choice of DES or AES encryption
- Choice of encryption bit length 128/192/256
- Encryption of data 'in-flight'
- Encryption of data 'at-rest'
- Encryption Keys are only ever known to the client
- Encryption Keys are never escrowed at data centres
A small selection of the companies that use the software:
- Department of Trade and Industry (DTI)
- National Health Service (NHS)
- Porsche
- Invesco
- US Air Force
- Coca-Cola
A small selection of Databarracks customers who use the software:
- Legal and General Investment Management
- Save the Children
- Live Nation
- Aegis Defence Systems
- London Oncology Clinic
- Moorcrofts LLP
- Dixons Group PLC
Extract Below Taken From a White Paper Written by The Enterprise Strategy Group, Inc.
Data encryption
To prevent a "man-in-the-middle" from intercepting confidential
traffic, all client/server data communications are encrypted using
standard encryption algorithms like AES 128, AES 192, or AES 256.
What's more, all encryption/de-encryption operations are done
solely by the DS-Client. This masks the actual data content from
the server provider, assuaging the risk of an insider attack by a
rogue employee. Even within a remote facility on a trusted LAN
segment, Online Backup Software will use existing native protocols
to retrieve the data (e.g. SSH communication to Unix Servers,
Oracle & DB2 native DB APIs).
Password protection
All backup servers need to have sufficient credentials access to
each node in order to kick off a backup job. If these passwords are
somehow compromised, an attacker could gain access to critical
machines and data. Online Backup Software recognizes and protects
against this threat by encrypting access passwords using AES 128 in
its database while the DS-Client encryption keys are stored in
encrypted format in the registry. The DS-Client access is done via
the existing O/S security and the DS-Client will not maintain its
own login credentials and will forward login requests to the
underlying O/S.
Client and system side logging
What happens if a legitimate administrator makes system changes
in order to set up an insider attack? While this "worst case"
scenario is hard to prevent, Online Backup Software provides
detailed logging on the DS-Client and DS-Server that captures any
configuration or database changes while monitoring events like a
string of failed logins. This information can act as an alert of
suspicious activity or a paper trail of clues for forensic
investigations.
Perimeter security
Even with these security features built in, Online Backup
Software still recommends that customers deploy a perimeter
firewall to further protect DS-Client and the DS-System. As always,
a properly configured firewall can allay the risk of an outsider
doing an IP or port scan to discover the DS-Client or access it
remotely.
Online Backup Software's backup software is unique in some ways
because it is based on agentless access to backup clients over
standard protocols like RPC, SSH, CIFS & various native
database API protocols (Oracle, DB2, MS SQL Server etc.). Doesn't
this type of standards-based open communications increase risk? ESG
does not believe so. Since most organizations monitor their
internal networks, LAN-based communication is unencrypted so Online
Backup Software simply sends traffic over a standard protocol
rather than a typical backup vendor's proprietary protocol. No
increased risk here. Online Backup Software also can address
internal threats with its support of SSH for critical UNIX, Oracle,
or DB2 data. Once data is aggregated at Online Backup Software's
DS-Client, all client/server communication is transmitted and
stored in an encrypted format as well.
In truth, Online Backup Software's architecture does not
introduce incremental risk. On the contrary, an agentless backup
software actually reduces vulnerabilities, risks, and threats
associated with remote backup through the use of SSH, encrypted
password storage, and encrypted client/server traffic.
Jon Oltsik 2006
The Enterprise Strategy Group
Online Backup Software
Autonomous Self Healing is a process which runs on
Databarracks systems to ensure that the data that is sent to us is
not corrupt. As data is encrypted on your systems using your unique
encryption key, before it is transmitted, a unique digital file
signature is created. This file signature is re-created on our
systems as the data is received, and a checksum comparison is
carried out to ensure that the two signatures match exactly. If
there is any difference between them, the system will re-send the
data. This ensures that all data received onto our storage systems
is the same as the data that was sent.
This process works alongside data validation to ensure all data
stored is free from corruption.
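The sign, re-create, compare and re-send loop described above can be sketched as follows. This is an added example, not code from Databarracks or the backup software: SHA-256 as the signature, the retry limit, and the names file_signature, FlakyLink, receive and backup are all assumptions, and the encrypted block is constructed sample data.

```python
import hashlib
import hmac

# Constructed stand-in for one block already encrypted on the client.
CIPHERTEXT = bytes(range(256)) * 4


def file_signature(ciphertext: bytes) -> str:
    """Digest over the encrypted bytes (SHA-256 is an assumption)."""
    return hashlib.sha256(ciphertext).hexdigest()


class FlakyLink:
    """Constructed channel that flips one bit in the first `bad_sends` transfers."""

    def __init__(self, bad_sends: int):
        self.bad_sends = bad_sends
        self.sent = 0

    def send(self, payload: bytes) -> bytes:
        self.sent += 1
        if self.sent > self.bad_sends:
            return payload
        damaged = bytearray(payload)
        damaged[len(damaged) // 2] ^= 0x01
        return bytes(damaged)


def receive(store: dict, name: str, received: bytes, claimed: str) -> bool:
    """Storage side: re-create the signature and keep the block only on a match."""
    if not hmac.compare_digest(file_signature(received), claimed):
        return False  # mismatch: nothing is stored, the sender must re-send
    store[name] = received  # stored still encrypted; no key was needed to verify
    return True


def backup(link: FlakyLink, store: dict, name: str, ciphertext: bytes,
           max_attempts: int = 3) -> int:
    """Client side: sign before sending, re-send until the signatures match."""
    claimed = file_signature(ciphertext)
    for attempt in range(1, max_attempts + 1):
        if receive(store, name, link.send(ciphertext), claimed):
            return attempt
    raise IOError(f"{name}: signature mismatch after {max_attempts} attempts")


if __name__ == "__main__":
    store = {}
    print("attempts needed:", backup(FlakyLink(1), store, "block-0001", CIPHERTEXT))
```

A plain digest like this detects corruption in transit or at rest; it does not by itself authenticate who sent the data, which needs a keyed MAC or a signature.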
Data validation is a process which can be scheduled by
the user in the same way as a backup can be scheduled. Data
validation sends your encryption keys to the storage platform and
opens the file that has been sent to us, to check the contents of
that file and compare them against the original stored on your
system. Data validation can be performed periodically as an extra
security measure to ensure that all data stored on our storage
systems is the same as the data stored on your network.
While the encryption keys are sent to Databarracks, they are
never visible to Databarracks or stored on Databarracks systems.
Data validation works alongside Autonomous Self Healing to
ensure the validity of your data.