Data & Analytics Opinion South Africa

Metadata - playing a vital role in back-up and recovery

Metadata is data about data. It tells us who authored a document, when, what the document contains and where the file 'fits' in relation to other data. Metadata is important because it is a key enabler of data storage, retrieval and/or restoration - a vital requirement for any business in this era of exponential data growth.

However, could metadata also be a security risk, giving hosted and outsourced storage providers inappropriate access to sensitive data?

Metadata is generated automatically by the applications used to create documents and files. These applications use standard protocols and data policies to generate basic information about the data. The created data files are then stored within the data structure of an organisation, and structural metadata is created. Whether the data is stored in-house, offsite or in the cloud, metadata is what allows stored data to be classified and identified. It's a unique set of data that indicates where the data comes from, where it must go, and how it should be ordered, labelled and sorted. It also facilitates the back-up and restoration of files. Clearly, it's vital information to have to manage data successfully. The question asked repeatedly, however, is whether this information - on its own - poses a security risk.

The short answer is 'no'. Just because the metadata can be read does not mean that the underlying data is available for reading. Any simple encryption tool should protect the underlying data. Furthermore, when data is backed up, it should be done over a secure connection with the data itself being encrypted and compressed before being stored on appliances or in a database. The metadata is used by the back-end system to catalogue the back-up, identifying and classifying the information being backed up. Like the ISBN number of a book, which may tell us about the book but does not expose the contents of the book, metadata acts as a list of contents (file and directory names, file sizes and file types) for the storage solution or service provider - it is not the actual data itself.

Authentication required

There are also many layers of security around backed up company data. It is usually stored within an environment accessible only to the customer organisation. Metadata may be requested by a client organisation user, but is usually only made available once the user has been authenticated and the connection (usually a Secure Socket Layer or SSL connection) is verified to be from a legitimate user. SSL provides protection against masquerading and eavesdropping. If data packets are sent to the user, they are likely to be encrypted, with SSL ensuring that no data modification occurs.

So is metadata a security risk? Metadata is useful. It is important and it needs to be safeguarded. However, it is merely an identifier. The right authorisation and security clearance is needed to access the data itself. While general users are unlikely ever to have to deal with metadata outside of a search for documents, it is beneficial to be aware of how important this data can be for back-up and the retrieval of files.

About Gareth Tudor

Gareth Tudor is the CEO at Altonet, an ISP and provider/integrator of backup and restore solutions. Tudor started his career in finance after he qualified as a chartered accountant (SA) and has subsequently garnered a wealth of experience in a number of businesses, including his own.
Let's do Biz