Educause Security Discussion
mailing list archives
Re: Data Transfer Accross Data Centres
From: Nick Giacobe <nxg13 () PSU EDU>
Date: Fri, 12 Oct 2012 12:13:30 -0400
Ok, I’ll bite… and maybe start the discussion.
So, from a theoretical standpoint, I guess the question is about what are you trying to accomplish – remote backup-tape
replacement or full featured offsite storage?
If you want the backup data to simply be stored at rest at the colo facility, and you don’t “trust” or don’t want to
have to verify that the colo facility hasn’t lost your confidential data to some hack… then I think you’d want to
encrypt before you transmit it.
I think you’re talking about a straight-forward offsite backup. That will require that your backup software does the
encryption before transmission. If you do that, then encryption of the communications channel may be redundant.
If you want the data to be usable at the colo facility (like having the ability to search the backup remotely), then
you may not want to encrypt before transmitting. You should, however, use an encrypted transmission mechanism (like
SSL) to ensure that the data cannot be snooped on by third parties between your site and the colo site.
However, this means that the data will sit at rest in an unencrypted format (so that it can be useful to you at the
remote site. That may require that you audit the system it resides on the same way you would if it were local.
Depending on your colo facility agreement, you may or may not be able to do that effectively. Even if the colo
facility says they will do all of the IDS and monitoring and such, your agreement with the colo facility may not
mitigate your risks or reduce your legal responsibilities. What happens if the colo facility has a cyber event
(hack/break-in/etc) and your data is compromised? Are they responsible for your mitigation costs? Do they pay the
regulatory fines (HIPAA/FERPA or your country’s equivalents)? The agreement you have with the colo facility should be
reviewed by competent counsel (attorneys with a good understanding of technology and the laws for your business type in
your jurisdiction for privacy, confidentiality, etc.) to ensure that the risks that you’re taking are well understood.
So, I guess I’m saying that if you’re using your colo facility as a “backup tape replacement”, then encrypt the data
before it goes out, otherwise, encrypt in transit.
Research Technologist V and Ph.D Candidate
College of Information Sciences and Technology
Penn State University
101 Information Sciences and Technology Building
University Park, PA 16802
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of leo song
Sent: Thursday, October 11, 2012 4:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Transfer Accross Data Centres
We need to transfer large volume of data centre data to off-site colo back up facility, one of the requirements is that
we need to encrypt the data before sending them out of our premises, or another interpretation could be we cannot send
non-encrypted data centre data over ISP networks.
I believe some of you could have done something similar already, could you shed some lights here? thanks.
Leo Song, Senior Analyst & Cluster Lead
Computing and Communication Services - Networking and Security
University of Guelph
(519) 824-4120 <callto:+1%28519%29%20824-4120> x 53181