Security Basics mailing list archives
Re: carbonite
From: "Jason Ross" <algorythm () gmail com>
Date: Thu, 21 Jun 2007 16:03:08 -0400
On 6/21/07, fm16923 () bellsouth net <fm16923 () bellsouth net> wrote:
I have some corporate users that are asking for consent to use carbonite (carbonite.com) for maintaining backups of files etc. XM has been advertising this as a consumer tool for business continuity/disaster recovery etc. I have not seen or heard any pros or cons about their security setup or if it's actually hardened to where it's a realistic alternative to traditional storage. Are there any security industry endorsements?
They claim to encrypt the data you're storing using Blowfish and DES, and then encrypt the data again in transit via SSL. They also have links on their site to the BBB, and include a Safe Harbor policy. All of the above are good things IMO, and tend to lend some credibility to their being a reasonably secure solution.

That said, they also note that the key used to encrypt your data is stored in their database. While they claim that this database is encrypted, and is furthermore only available to "certain Carbonite employees", this makes me nervous. (see http://www.carbonite.com/CustomerSupport/BrowseCategory.aspx?forumid=34)

I get why they would do this, and given the goal they have for their business model (being a secure offsite backup) it makes sense. But, it also means that someone can decrypt your company's data and access it, without in any way being affiliated with your company. If trade secrets or other sensitive data were to be compromised via this method, it'd be fairly difficult to track it down to an individual (you'd be looking at minimally having to subpoena Carbonite on who the "certain employees" were, and would then have to acquire information on if/when those people accessed the database to get your user's keys, etc.)

It really comes down to your company policy (as is usually the case in this sort of thing). Frankly, if it were me, I'd be uncomfortable allowing a user to store potentially sensitive company information with a third party if my company didn't have a formal contract in place spelling out exactly what measures were taken to ensure security of the data, along with what recourse there was should there be a breach of that security.

-- jason
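The key-custody point in the reply above, as an added example that is not from the original thread and is not Carbonite's code: the customer encrypts locally with AES-256-GCM (a constructed stand-in for the Blowfish/DES setup the post mentions), and ProviderRead models someone who holds only the provider's database contents. Whether that person can read the file depends entirely on whether the key was escrowed alongside the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the customer's machine; only the result is uploaded.
// Output layout: nonce || AES-256-GCM ciphertext || authentication tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open rejects any key other than the one used to seal (GCM tag check fails).
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("blob too short")
}

// ProviderRead models an insider (or anyone who obtained the provider's
// database) holding the stored blob and, in the escrow model the post
// describes, the customer's key; pass nil for a customer-held-key design.
func ProviderRead(escrowedKey, blob []byte) ([]byte, error) {
	if escrowedKey == nil {
		return nil, errors.New("no key in database: ciphertext only")
	}
	return Open(escrowedKey, blob)
}
```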
Current thread:
- carbonite fm16923 (Jun 21)
- Re: carbonite Jason Ross (Jun 22)
- Re: carbonite Steven Adair (Jun 22)
- RE: carbonite Dan Denton (Jun 22)
- Re: carbonite Brad Bendily (Jun 22)
- Re: carbonite Jason Ross (Jun 22)
- Re: carbonite Isaac Perez Moncho (Jun 22)
- Re: carbonite Isaac Perez Moncho (Jun 22)
- <Possible follow-ups>
- Re: carbonite evilwon12 (Jun 22)
- Re: carbonite krymson (Jun 22)
- Re: carbonite bluesoldier007 (Jun 22)