Happy Data Privacy Day … from System Center


originally posted on
Jason's blog posts on Because It's Everybody's Business

Yes, it really is an established day.  Check out http://dataprivacyday2010.org/:

Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information.  In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it  – with whom are they sharing it?  Most of all, individuals are asking ‘How can I protect my information from being misused?’  These are reasonable questions to ask – we should all want to know the answers.

This is a great day to think about “How private is your backup?


System Center Data Protection Manager has quite a few capabilities that support this kind of goal.

Is your data protected on Tape?   Are the tapes encrypted?  

It seems like a simple question, and the process is straightforward.  You check the box that says “Encrypt Tapes”.  But so many folks forget or choose not to.  Sometimes, these kinds of settings are mandated at corporate, but seem to be forgotten by the time that the backup administrator actually is clicking the boxes.

Thankfully, DPM 2007 and DPM 2010 are PowerShell controllable.  So, consider running a PowerShell script that reaches out to the list of DPM servers and setting the “Encrypt Tape” option after the fact.  This way, no matter how the initial jobs are done, you can push out corporate policies to ensure that your backup tapes are private.

We covered this and several other easy PowerShell DPM management scenarios in a webcast quite a while ago at http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032353820

And while we are looking at tape…

What happens if your tapes are lost in transit?

I often joke as to “Why should you pay some guy in a truck to come lose your tapes for you?”.  That is not a knock against all courier and vaulting providers (though it is a ding on a few).  My point is to challenge, why ship tapes when you can replicate the data offsite and then create the tapes there?

DPM 2007 and DPM 2010 provide the ability to replicate from an on-site DPM server to an off-site DPM server.  Once the data is at the off-site DPM server, THEN do your backups.  Regardless of SOX, HIPAA, GLB, CO-OP or any other regulation, the tape is in a different geography than where your production server is.  It is an off-site backup tape.  The regulations and compliance guidance doesn’t say “you must pay a third-party to ship tapes”.  The goal is simply to ensure a recoverability capability that will survive a catastrophic site crisis.

And if you don’t have two sites to replicate between, or even if you do but would prefer to outsource these processes – DPM has partnered with one of the best names in the business for offsite vaulting and data preservation, Iron Mountain.  To check out our partnership around DPM, please check out www.microsoft.com/DPM/cloud.

Is your data private over the wire during the backup itself?

For that, consider an easy IP SEC policy that can be mandated within Active Directory Group Policy.  It can be as easy as configuring a policy where, “Any network traffic going to IP address should be encrypted”, where that IP address is the DPM server.  Data to and from the DPM server is encrypted, while other traffic remains unscathed.  Some routers support this capability as well.

Thanks for reading …

Leave a Reply