Network Security Security-Basics

Re: carbonite

Subject: Re: carbonite
Date: Thu, 21 Jun 2007 16:03:08 -0400
On 6/21/07, fm16923@bellsouth.net <fm16923@bellsouth.net> wrote:
I have some corporate users that are asking for consent to use
carbonite (carbonite.com) for maintaining backups of files etc.
XM has been advertising this as a consumer tool for business
continuity/disaster recovery etc. I have not seen or heard any
pros or cons about their security set up or if it's actually
hardened to where it's a realistic alternative to traditional storage.

Are there any security industry endorsements?

They claim to encrypt the data you're storing using Blowfish and DES, and then encrypt the data again in transit via SSL. They also have links on their site to the BBB, and include a Safe Harbor policy.

All of the above are good things IMO, and tend to lend some credibility
to their being a reasonably secure solution.

That said, they also note that the key used to encrypt your data is
stored in their database. While they claim that this database is
encrypted, and is furthermore only available to "certain Carbonite
employees", this makes me nervous.
(see http://www.carbonite.com/CustomerSupport/BrowseCategory.aspx?forumid=34)

I get why they would do this, and given the goal they have for their
business model (being a secure offsite backup) it makes sense.

But, it also means that someone can decrypt your company's data and
access it, without in any way being affiliated with your company.

If trade secrets or other sensitive data were to be compromised
via this method, it'd be fairly difficult to track it down to an
individual (you'd be looking at minimally having to subpoena
Carbonite on who the "certain employees" were, and would then have
to acquire information on if/when those people accessed the database
to get your user's keys, etc.)

It really comes down to your company policy (as is usually the case in
this sort of thing).

Frankly, if it were me, I'd be uncomfortable allowing a user to store
potentially sensitive company information with a third party if my
company didn't have a formal contract in place spelling out exactly
what measures were taken to ensure security of the data, along with
what recourse there was should there be a breach of that security.

--
jason
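The key-custody difference jason describes, as an added example that is not code from the thread or from Carbonite: a hypothetical backup service that either receives the customer's key alongside the ciphertext (the "key stored in their database" model) or receives only ciphertext because the key is derived on the client from a passphrase. The cipher is a constructed standard-library stand-in, and the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in cipher (SHA-256 counter-mode keystream + HMAC tag) so this runs on stdlib; a real client would use a vetted AEAD.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered backup")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class BackupService:
    """Hypothetical provider: keeps ciphertext and, in the escrow model, the key."""
    def __init__(self):
        self.blobs = {}
        self.escrowed_keys = {}  # the "key stored in their database" from the thread

    def store(self, user, blob, key=None):
        self.blobs[user] = blob
        if key is not None:
            self.escrowed_keys[user] = key

    def staff_can_read(self, user):
        """What someone with database access recovers without the customer's help."""
        key = self.escrowed_keys.get(user)
        return None if key is None else decrypt(key, self.blobs[user])

def backup_with_escrowed_key(svc, user, data):
    key = secrets.token_bytes(32)
    svc.store(user, encrypt(key, data), key=key)   # provider receives the key too
    return key

def backup_with_client_held_key(svc, user, data, passphrase):
    # Key derived on the client; only ciphertext leaves the machine (constructed salt).
    salt = b"constructed-salt:" + user.encode()
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    svc.store(user, encrypt(key, data))
    return key
```

With the client-held key, a compromise of the provider's database yields only ciphertext, which is the property a formal contract would need to spell out.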
