Re: Data Transfer Accross Data Centres

[Nick Giacobe <nxg13 () PSU EDU>]

Ok, I’ll bite… and maybe start the discussion.

 

So, from a theoretical standpoint, I guess the question is about what are you trying to accomplish – remote backup-tape 
replacement or full featured offsite storage?

 

If you want the backup data to simply be stored at rest at the colo facility, and you don’t “trust” or don’t want to 
have to verify that the colo facility hasn’t lost your confidential data to some hack… then I think you’d want to 
encrypt before you transmit it.

 

I think you’re talking about a straight-forward offsite backup.  That will require that your backup software does the 
encryption before transmission.  If you do that, then encryption of the communications channel may be redundant.

 

If you want the data to be usable at the colo facility (like having the ability to search the backup remotely), then 
you may not want to encrypt before transmitting.  You should, however, use an encrypted transmission mechanism (like 
SSL) to ensure that the data cannot be snooped on by third parties between your site and the colo site.

 

However, this means that the data will sit at rest in an unencrypted format (so that it can be useful to you at the 
remote site.  That may require that you audit the system it resides on the same way you would if it were local.  
Depending on your colo facility agreement, you may or may not be able to do that effectively.  Even if the colo 
facility says they will do all of the IDS and monitoring and such, your agreement with the colo facility may not 
mitigate your risks or reduce your legal responsibilities.  What happens if the colo facility has a cyber event 
(hack/break-in/etc) and your data is compromised?  Are they responsible for your mitigation costs?  Do they pay the 
regulatory fines (HIPAA/FERPA or your country’s equivalents)?  The agreement you have with the colo facility should be 
reviewed by competent counsel (attorneys with a good understanding of technology and the laws for your business type in 
your jurisdiction for privacy, confidentiality, etc.) to ensure that the risks that you’re taking are well understood.

 

So, I guess I’m saying that if you’re using your colo facility as a “backup tape replacement”, then encrypt the data 
before it goes out, otherwise, encrypt in transit.

 

---

Nick Giacobe

Research Technologist V and Ph.D Candidate

College of Information Sciences and Technology

Penn State University

101 Information Sciences and Technology Building

University Park, PA 16802

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of leo song
Sent: Thursday, October 11, 2012 4:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Transfer Accross Data Centres

 

We need to transfer large volume of data centre data to off-site colo back up facility, one of the requirements is that 
we need to encrypt the data before sending them out of our premises, or another interpretation could be we cannot send 
non-encrypted data centre data over ISP networks.

I believe some of you could have done something similar already, could you shed some lights here? thanks. 
  


-- 
Leo Song, Senior Analyst & Cluster Lead
Computing and Communication Services - Networking and Security
University of Guelph
(519) 824-4120 <callto:+1%28519%29%20824-4120>  x 53181