
A lot of people wonder whether an internet-based backup system is just a gimmick, invented by geeks who thought it would be cool to back up across the internet. Geeks may have thought it up, but there are valid business reasons to back up to a geographically distant location on hard drives instead of tapes.

Daily Rotating Backup Tapes

In the early days of computing, way back about 15 years ago and earlier, virtually all backup was tape-based. There would be a stack of 10 tapes, labeled Monday1 – Friday1 and Monday2 – Friday2. Someone had the job of replacing the tape in the tape drive and taking the just-completed tape home, bringing from home the next tape to be overwritten. Larger companies would have a storage service perform this function, with the added benefit of storage in a secure, controlled environment. Other companies would store tapes in their bank’s safe deposit box. Still other companies would not bother to take their tapes offsite but keep them in a safe in the office. Or just leave them sitting in the closet with the server.

So if there were a fire at the business, and the tapes were there, everything would be lost. Even if the tapes were in an ordinary firesafe, there was a good chance they’d be damaged because ordinary firesafes are designed to protect paper, not media.

But the offsite tapes presented another problem: the accessibility of securely stored tapes. Nights or weekends were problematic. As experienced in Katrina on the Gulf Coast, a lot of companies lost not only their production servers but also their backup tapes down the street at the bank or storage facility.

So when bandwidth became affordable and available and was sufficient to transmit changed data, the internet became the best solution for getting the backup offsite. And storage on hard drives is more reliable and less expensive than tape storage, and far easier to manage.

There are companies that risk keeping their backups on removable hard drives in their offices or at a local storage facility. A tornado, or hurricane, fire, or flood can easily ruin both original data and backup copies. Why take a chance? Enveloc is secure, offers several levels of offsite storage, and is accessible twenty-four hours a day. Try our no-risk solution today!


There are lots of claims about encryption security, citing all different types of encryption, with exotic names like “blowfish” or “military grade.” Reminds me of the advertisements for a certain vegetable slicer – it would perfectly slice tomatoes, as long as they were green.

Here’s what counts in encryption:

• Is the algorithm safe?
• Is the key secure?
• Who has the key?
• Is the data encrypted during transmission?
• Does the data remain encrypted at rest?

First, let’s consider the algorithm. Most knowledgeable people would agree that the US Government document FIPS-140-2 is a pretty good authority on which algorithms are secure. FIPS stands for Federal Information Processing Standards and the document is published by the National Institute of Standards and Technology. Among the algorithms specified in Annex A is TDEA, or “3DES.” The algorithm has been thoroughly tested for over 25 years and has no known weakness so long as certain implementation standards are met (avoid known weak keys, and use Keying Option 1 as described in NIST Special Publication 800-67). Enveloc conforms to these requirements for 3DES, which is the algorithm we use to encrypt the already user-encrypted backup sets prior to transmission.

The other, more important algorithm we use, also specified in Annex A to FIPS-140-2, is the Advanced Encryption Standard, or AES. This algorithm is described in FIPS 197. AES can be used in 112 bit, 192 bit or 256 bit mode. Enveloc only uses the 256 bit implementation of AES as described in FIPS 197. This is the algorithm used to encrypt the computer data during the compression-encryption phase, as it is placed in the backup sets.

So note that the only encryption algorithms we use are those approved by FIPS-140-2: the Triple Data Encryption Algorithm or 3DES, and the Advanced Encryption Standard or AES. For 3DES we use Keying Option 1, which requires three 56 bit keys. For AES we use only the 256 bit implementation.
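The two 3DES implementation requirements cited above (avoid known weak keys, and use three independent keys for Keying Option 1) can be checked mechanically before a key bundle is used. The following is an added example, not Enveloc's code; the function names and the sample bundles in the test are constructed for illustration.

```python
# Added example: validate a 24-byte 3DES key bundle (K1 || K2 || K3).
# DES weak and semi-weak keys in odd-parity form, as listed in NIST SP 800-67.
WEAK_OR_SEMI_WEAK = (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    "011F011F010E010E", "1F011F010E010E01",
    "01E001E001F101F1", "E001E001F101F101",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)


def strip_parity(key: bytes) -> bytes:
    """Clear the low bit of each byte, leaving the 56 effective key bits.

    DES ignores that bit, so two keys that differ only there are the same key.
    """
    return bytes(b & 0xFE for b in key)


_FORBIDDEN = {strip_parity(bytes.fromhex(h)) for h in WEAK_OR_SEMI_WEAK}


def check_tdea_bundle(bundle: bytes) -> list:
    """Return a list of problems; an empty list means the bundle is acceptable."""
    if len(bundle) != 24:
        return ["bundle must be 24 bytes (three 8-byte DES keys)"]
    k1, k2, k3 = (strip_parity(bundle[i:i + 8]) for i in (0, 8, 16))
    problems = []
    for name, key in (("K1", k1), ("K2", k2), ("K3", k3)):
        if key in _FORBIDDEN:
            problems.append(f"{name} is a known weak or semi-weak DES key")
    # Encrypt-decrypt-encrypt: equal adjacent keys cancel one stage pair,
    # leaving the strength of a single DES operation.
    if k1 == k2 or k2 == k3:
        problems.append("adjacent keys are equal: bundle degrades to single DES")
    # K1 == K3 with a different K2 is two-key 3DES, not Keying Option 1.
    if k1 == k3:
        problems.append("K1 equals K3: not three independent keys")
    return problems
```

Comparing keys with the parity bits cleared matters: a bundle whose keys look different byte for byte can still contain the same 56-bit key twice.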

What about the key? Some companies assign you a key and they have a copy. Or they let you make one up and they have a copy. This is like writing the combination on the safe. If anyone has the key and the data, no matter how secure the algorithm, someone can read your data, and can do so without your knowing it. At Enveloc, we require that you create the key, and we do not have a copy unless you explicitly request that we keep one. Your key is encrypted on disc (using either AES256 or 3DES plus another technique) so that only our software – not a prying co-worker – can open it to use it during backup time. Otherwise, you’d have to be standing by at backup time to enter the key.

By the way, if you choose to store the key with us, it does reduce your security, but we take many steps to safeguard it. It is only transmitted once, itself in an encrypted state with a system key so that our employees cannot discover it. Only the programming staff knows how to decrypt it and we keep them locked in the basement (just kidding about the basement). When the technical staff are called on by the customer to forward the key, the automated process records notices to management and the request is verified just to be sure everything is in order.


So here’s a general idea of how everything works: at backup time, the user’s key is checked to be sure it hasn’t been tampered with, then recovered from disk and applied to the file data as files are compressed into the backup sets using 256 bit AES encryption. The backup sets are then tested for integrity by doing a test decompress-decrypt (without writing to disk). Then the backup sets are 3DES encrypted with an Enveloc key for transmission. When they are received by Enveloc servers, they are checked for integrity and authenticity, then the “outer wrapper” of 3DES is removed. The data in the compressed files always remains encrypted with 256 bit AES. Remember – we don’t have the key.

So say someone broke into your office and stole just the printout of your encryption key. Could they log in to your account and download your data? No way – only the machine that backs up can access the account, and then only through the Enveloc software. By prohibiting direct access to folders on our servers, we provide yet another layer of security for your data.

What happens if your backup computer is toast and you need to restore to another machine? We have made provision for that. You just identify yourself to our servers in a fresh installation of Enveloc software and your credentials will be provided for accessing the old account. But you will still need your encryption key.

Because we don’t have a copy of the key, one thing is extremely important: Don’t lose that key! Without it, your backup sets are useless since they cannot be decrypted.

So to summarize: Enveloc uses secure, NIST approved algorithms; the key is secured with those same algorithms and never leaves the client machine; the data is encrypted during transmission and at rest.

Another day we’ll talk about the security of our network centers. Do you know that some backup companies keep their servers in a garage?

If you would like your company’s data to be extremely well protected against access, hacking, theft, data mining, or any other nefarious activities while it is backed up offsite, call Enveloc and take us up on our 30 day no-risk guarantee: if for any reason at all you are not totally satisfied with Enveloc software and service, there will be no charge. Thanks for using Enveloc!