Second-hand tape storage security risk
While used tapes may offer budget benefits to IT departments, the security risks could cost firms in the long haul
Liden: Used-tape dealers should be treated like their counterparts in the used-car industry
In the market, there are more Linear Tape-Open (LTO), Digital Linear Tapes (DLT) and 9x40 cartridges circulating that are not as new as the shiny and perfect packaging leads customers to believe.
These tapes have had their ‘mileages’ reversed; they have been on the road for some time and then been recycled as new.
This tape recycling phenomenon is encouraged by the need of organisations to destroy their old tapes. The limited budgets endured by IT departments also give malicious used-tape sellers the upper hand. Such dealers can offer their ‘branded tapes’ for just one Euro below the market price.
At first glance, the low price offers a breath of fresh air to IT managers and their departments. However, such an offer is probably too good to be true.
Selling used tapes to be re-certified and resold to another organisation is a practice some IT departments have begun to employ. But selling used tapes may only produce a small amount of revenue and the competitive and security risks of this practice far outweigh any benefits.
Selling used tapes can also put a company at risk of violating regulations around privacy and records compliance.
When we examined four LTO Ultrium 1 re-certified tape cartridges bought on the open market, the results were shocking. Considerable residual customer data in the form of detectable signals was discovered on three of the four cartridges.
Of the hundreds of thousands of possible data sets, a random sample of eight data samples was reviewed. Remnants of an SQL database were discovered. A subsequent web search led to a database of DNA sequences.
A second study analysed a sample lot of 40 9840 recertified cartridges that we had procured from two different suppliers. In most of the cartridges, the directory was completely intact and, in some cases, the data map had not been erased.
Further analysis also revealed that suppliers had only performed a minimal write test of approximately 10MB on some cartridges. Shortcuts like this are appealing to the re-certifier because it takes so long to rewrite the full length of a 9840 cartridge.
Finally, some permanent errors appeared when we tested the used cartridges. We also performed a detailed analysis of one cartridge. A look at the Media Information Record showed that the last action taken by a user was a full read of the data. This was most likely done by the firm selling it.
What is worse is that the re-certifier did not attempt to erase the data, and neither the customer nor the re-certifier executed a data-security erase. Firms that buy such recycled, ‘good as new’ tapes may expose themselves to significant risk.
The US Sarbanes-Oxley legislation requires companies to store their valuable data for at least 10 years. Tapes are still considered as an inexpensive and reliable medium to comply with such legislative compliance requirements.
However, if a company is not aware of how much a cartridge has been used, there is a risk that the valuable back-up may be lost. Re-certified tape’s archival life expectancy is unknown because no reliable information is available on the condition of each cartridge.
And while new tape has an expected archival life of 15 to 30 years, re-certified tape does not. IT dealers and managers just like in the used vehicle industry must beware of hand-me-downs with the clocks wound back.
Anna Lidén is product manager of magnetic and commercial storage for Imation Europe