Security Basics mailing list archives

Re: carbonite


From: "Jason Ross" <algorythm () gmail com>
Date: Thu, 21 Jun 2007 16:03:08 -0400

On 6/21/07, fm16923 () bellsouth net <fm16923 () bellsouth net> wrote:
I have some corporate users that are asking for consent to use
carbonite (carbonite.com) for maintaining backups of files etc.
XM has been advertising this as a consumer tool for business
continuity/disaster recovery etc. I have not seen or heard any
pros or cons about their security setup or if it's actually
hardened to where it's a realistic alternative to traditional storage.

Are there any security industry endorsements?

They claim to encrypt the data you're storing using Blowfish and DES,
and then encrypt the data again in transit via SSL. They also have
links on their site to the BBB, and include a Safe Harbor policy.

All of the above are good things IMO, and tend to lend some credibility
to their being a reasonably secure solution.

That said, they also note that the key used to encrypt your data is
stored in their database. While they claim that this database is
encrypted, and is furthermore only available to "certain Carbonite
employees", this makes me nervous.
(see http://www.carbonite.com/CustomerSupport/BrowseCategory.aspx?forumid=34)

I get why they would do this, and given the goal they have for their
business model (being a secure offsite backup) it makes sense.

But, it also means that someone can decrypt your company's data and
access it, without in any way being affiliated with your company.

If trade secrets or other sensitive data were to be compromised
via this method, it'd be fairly difficult to track it down to an
individual (you'd be looking at minimally having to subpoena
Carbonite on who the "certain employees" were, and would then have
to acquire information on if/when those people accessed the database
to get your user's keys, etc.)

It really comes down to your company policy (as is usually the case in
this sort of thing).

Frankly, if it were me, I'd be uncomfortable allowing a user to store
potentially sensitive company information with a third party if my
company didn't have a formal contract in place spelling out exactly
what measures were taken to ensure security of the data, along with
what recourse there was should there be a breach of that security.

--
jason

