Closed Bug 814034 Opened 12 years ago Closed 12 years ago

Complete Privacy-Policy Review for Use of IronMountain services for offsite tapes relocation

Categories

(Privacy Graveyard :: Product Review, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: dumitru, Assigned: me)

Initial Questions:

Project/Feature Name: Use of IronMountain services for offsite tapes relocation
Tracking ID: 809196
Description:
Mozilla IT uses "tapes" for media storage of our backups.
These tapes should be contained outside the datacenter, so that in case of disaster recovery we can access them outside our facility (i.e., if the datacenter burns down and everything inside is lost, we still have access to them from a different location).

IronMountain (http://cic.ironmountain.com/dataprotection/vaults/) provides such a service, as described here: http://www.brainshark.com/ironmountain/vu?pi=724671580
Additional Information:
Iron Mountain is on the Safe Harbor list.
Urgency: 2-4 weeks
Current Goal: Disaster recovery for IT infrastructure
Release Date: 2013-01-01
Project Status: ready
Mozilla Data: No
New or Change: New
Mozilla Project: none
Mozilla Related: 
Separate Party: Yes

Privacy Policy: No
Privacy Policy Link: 
User Data: Yes
Data Safety ID:
Legal ID:
I have a couple of questions about the nitty gritty. Could you set up a time to talk about it?
Tom,
I am in MV this week, but will be in SF office next week.
Maybe we can meet in person?
Certainly. I'm normally in SF, and my calendar is usually accurate. Alina Hua and Stacy Martin should probably be optional invitees too.
Adding Denelle
Tom, great!
How about next week Wednesday at 10 somewhere in SF? Or what time works for you, Alina, Stacy and Denelle?
Once we have the time squared I'll send a calendar invite.
Thanks!
I should be in SF next Wed, but 10am is booked for me. After 11am would work for me. 

Thanks!
11 AM wfm too.
11a (or later) works for me too. :dumitru, can you add something to the calendar at a time that Zimbra claims is free for Denelle and Stacy too?
Done!
We managed to meet, and it sounds like we should look at other solutions because of security/contract concerns noted in bug 809196.

Dumitru, I think you took notes that you were planning to add here?
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(dgherman)
Resolution: --- → INCOMPLETE
Whoops, I added the notes on bug 813780. They were Stacy's:

Here they are:

Plan to use Iron Mountain for offsite tapes relocation.  Tapes are backup tapes used for Zimbra, applications, databases, Bugzilla, pretty much anything we'd want to get back in case of a disaster.

Two data centers - Phoenix, sitting in our space, in Santa Clara stored in MV server room.  This is the offsite location.  Don't have an office in Phoenix - so only use Iron Mountain there. 

Are the tapes encrypted?  No.  Only encrypt certificates (CRTs).

Denelle has read it and is not happy with their subpoena policy or legal risk of data accessible to someone else.  If we can encrypt them and keep the key somewhere that isn't next to the tapes, that would mitigate that concern.  Or if we could ask them to change their subpoena policy.  We are a small dollar value client.

Encrypting will increase the cost - pay for license per client.  Only one tape.  Have lots of old tapes that can't be encrypted.  Could copy them.

Plan to update process to backup to the alternate data center - sits in secure cages in each - but not until Q3.

Other options?  Safety deposit box?  What is the physical volume?  Tom could lift them - 100-150 tapes.  We recycle tapes once every six months.  20 new tapes every six months.  A shoebox or less.

Iron Mountain is not attack secure - someone could walk in and access our tapes.

In Phoenix, we have a locked space where we transfer the tapes.  So right now, it's automatic.  Our technicians unloaded the tapes (Mozilla employees) and moved them to the storage location in the same data center.  Iron Mountain - a Mozilla employee or contractor would walk in and pick up the box of stuff, drive it to Iron Mountain, and put it in their storage space?  No, Iron Mountain would pick up.  Are there other providers?  Yes.  We have a pretty hard blocker around Iron Mountain.  Liked Iron Mountain because of the security - Safe Harbor certified, banks use them.  Understand that the concerns are valid.  Encrypting for 9 months is not worth the effort (don't have the time for it), but if it slips beyond that, then may need to revisit in Q2.

Mozilla signed a contract with them 2 years ago, but never used it.  Now Iron Mountain has new terms.
Flags: needinfo?(dgherman)
Hi Team 

Tom - thank you for passing on my thoughts to the team and apologies that I had a conflict with the meeting. 

I am going to reach out to the lawyer at Iron Mountain and just request certain changes. 

Bottom line is that I don't love the language, but don't hate it enough to be a blocker if this is the best option that we have.  This presumes that you believe the security is there. 

Give me until the end of next week on this - as they said it takes 5 days for them to respond. 

I'll post my communication to them here.  My comments on the language are not only friendly to us but very helpful to them in any type of subpoena situation so it is possible they will take it. 

Stay tuned and thanks to all for being so thoughtful about this. 

denelle