BACKUP SOLUTIONS ONLINE BACKUP SECURITY OVERVIEW
Critical data may be stored in a variety of locations, including user PCs and servers. Backing up this data is the first step towards a successful disaster recovery plan. However, it’s not enough to just back up the data: stored backups must also be secure from outside threats. BackUp Solutions meets this need with a service that truly and comprehensively protects the data that belongs to your company. BackUp Solutions is partnered with Iron Mountain, and we follow rigorous standards to keep this data safe, including security best practices and Iron Mountain-developed practices. The bottom line: BackUp Solutions and Iron Mountain take data protection seriously, and we go to great lengths to protect customer data from all credible threats. BackUp Solutions provides security at every level, from backup through storage through data retrieval. This document introduces the many security measures currently in place within the data protection architecture to prevent unauthorized access or damage to customer data.
What is the BackUp Solutions Online Backup Service?
The BackUp Solutions Online Backup Service is a client-server system for file backup from personal computers and file servers, over any TCP/IP network, to ultra-secure off-site facilities. The BackUp Solutions online backup solution is available internationally.
While there is no specific standard for HIPAA compliance for online backup services, BackUp Solutions enables HIPAA covered entities to comply with the security and privacy rules required to protect electronic patient data. The following information provides details of the electronic and physical security measures employed with our service.
BackUp Solutions Online Backup provides a level of security for the customer's data that is better than alternative practices for handling computer data. The following sections show how BackUp Solutions and Iron Mountain create a secure environment for data transfer, data storage, and account management. Our security objectives have four aspects:
- Data Transfer Security: Prevents access to customer's data during transfer for backup or retrieval.
- Storage Security: Prevents unauthorized access to backed up data stored on the server.
- Management Security: Prevents unauthorized access while providing client account management.
- Facility Security: Iron Mountain's physical security practices and facility hardening.
Data Transfer Security
The Agent is an application that manages all backup, retrieval, and heal activities at the client level. For example, the Agent scans the PC's disk and determines what data to send to the Data Center servers at Iron Mountain’s off-site, highly available, mirrored facilities.
Data transfer security features include:
- The Agent always initiates contact with the Data Center.
- SSL encryption (TLS 1.0) protects all customer information during transmission between Agent and Data Center.
- The Data Center server authenticates the Agent connection using the user encryption key, while the Agent authenticates the server using a digital certificate embedded in the Agent installation package.
- After authentication, the Agent encrypts every file flagged for backup with 128-bit Advanced Encryption Standard (AES) and sends the encrypted data to the Data Center. If enterprises use third-party encryption products, such as Microsoft’s Encrypting File System (EFS), to encrypt files on PCs, the Agent backs up the encrypted files.
- The Agent requires a valid password when a user tries to retrieve files. This can prevent unauthorized individuals with physical access to another person's client from performing retrieves.
- Changing the account status can temporarily or permanently prevent an Agent from backing up or retrieving files from stolen or unused clients. For example, when an employee leaves the organization, canceling their account prevents unauthorized individuals from accessing files that the former employee backed up.
The Account Management Website is an administration tool that allows users to modify their own profile information, such as their password. The user must enter a valid password to access the Account Management Website. The MyRoam® administration tool allows users to retrieve backed-up files using a Web browser instead of the Agent user interface.
Iron Mountain stores all backup data in secure, off-site facilities. Storage security features include:
- The Data Center stores the 128-bit AES-encrypted files without decrypting them.
- Every account has a unique encryption key, used to encrypt and decrypt each file that the Agent backs up. Only the Agent that encrypted the file can decrypt it. The Agent uses 112-bit Triple DES encryption to send the encryption key to the Data Center securely. The Data Center escrows the encryption key on its secure server.
- Since facility servers do not provide a view to customer data, in the highly unlikely event that an individual were able to gain access to data files on the server, that individual would not be able to view the data.
Support Center technicians possess credentials, consisting of a valid Technician ID and an associated password. Technician accounts can have varying levels of access to Support Center's features, based on the permissions granted to the technician ID. For example, a given technician might have access only to specific communities.
Staff security features include:
- Access to Data Center areas is restricted to facility administrators only.
- Only Iron Mountain employees and signed-in escorted guests can gain access to the Iron Mountain facilities.
- All Iron Mountain employees receive a picture ID/card-key for entry to the facility. Iron Mountain employees must display these Iron Mountain badges at all times. Card key use logs are reported and reviewed regularly.
Iron Mountain protects over 3 petabytes (3 million gigabytes) of PC data for some 3 million users in its secure off-site facilities worldwide. Iron Mountain has achieved 99.99 percent uptime for the past ten years, with most months at 100 percent.
Facility security features include:
- All data received by either mirrored facility is immediately replicated to its mirror by high-speed links.
- Outages or disasters at either facility do not interfere with the availability of the data.
- All Iron Mountain servers run a hardened version of Microsoft® Windows® 2003 Server, using Microsoft best practices and security patches and service packs.
- Up-to-date virus protection: never a business interruption due to viruses.
- Intrusion detection systems monitored by an Underwriters Laboratories-listed station.
Physical security features include:
- Iron Mountain owns and controls all its facilities, in undisclosed geographically dispersed sites.
- Level 9 (Ultra-Reliable Data Center) rating by independent security consultants BRUNS-PAK.
- Level 4 (highest) Security Rating.
- 145-acre site, 200 feet underground, with five-ton steel gates and 24x7 armed security.
- Admittance by electronic access and internal/external closed circuit television monitoring and recording.
- Redundant commercial power feeds, with redundant generators for full backup power for up to 7 days.
- Clean air fire extinguishing system (CAFES) with a pre-action (dry pipe) sprinkler system as a backup.
- Internal/external alarms monitor motion detection, temperature, “waterbugs”, smoke and fire detection, 24x7.
- FM-200 Waterless Fire Suppression Systems, plus OSHA-certified fire brigade and EPA-certified water treatment.
- 24x7 maintenance and service operations.
As of June 2007, Iron Mountain is managing over 3 petabytes (12 billion backup files) of data at its facilities, including data backed up from BackUp Solutions customers. BackUp Solutions has been backing up PC data since 2001 and, with Iron Mountain, delivers the expertise customers need to reduce the costs and risks of data protection and storage.