How can you protect your tapes once they leave your hands? Pierre Dorion, Data Center Practice Director with Long View Systems Inc., answers today's most common tape encryption questions. His answers are also available below as an MP3 download.
Table of contents:
>>Why should I encrypt tape?
>>Can you explain the various ways to encrypt tape?
>>What are the benefits of using LTO-4?
>>Who are the major vendors in the tape encryption market?
>>Are there any major drawbacks to using tape encryption?
>>How can you ease encryption key management issues?
Why should I encrypt tape?

Security is probably the main concern when it comes to tapes. We've seen a lot of companies move away from tape specifically for that reason.
But for companies that have very large investments or requirements for these tapes, security becomes a great concern, particularly when looking at compliance. Take PCI for example, where you are handling private or personal information that cannot end up in the wrong hands.
Tape encryption is especially needed in this instance if the tape media leaves your premises, which technically, if you're following backup best practices, it should. You should be sending a copy of your backups to a vault site, so you want that added level of protection: should the tape become lost, it won't end up in the wrong hands. Encryption makes the data unreadable without the encryption key.
Can you explain the various ways to encrypt tape?

The most recent addition is tape-level or device-level encryption. We've heard of STK and LTO-4; there are a number of devices available for LTO-4 and device-level encryption at the hardware level.
There are also appliances you can use, and those have been around for a little while longer. Examples of these would be NetApp's Decru or NeoScale, which is now owned by nCipher. These are appliances that you put between your backup server, or the source of your backup data, and the target, which is your tape device. So, that is another form of encryption.
And of course, probably the most ancient form of encryption is software-level encryption. This encrypts your data at the server level or the backup client level and then sends it to the tape device encrypted.
What are the benefits of using LTO-4?

I did touch a little bit on STK before. Sun Microsystems bought STK a little while back and they also have the equivalent technology, but it is a little more siloed. IBM was the first to release LTO-4 with encryption and now HP offers it as well, and eventually we will see more of that.
So, there is probably a better portability when using LTO-4, but the technologies are equivalent.
Who are the major vendors in the tape encryption market?

IBM and Sun Microsystems are probably the leaders right now. HP is probably not too far behind, although I don't have numbers to tell you if HP is selling more than Sun. But they are definitely one of the top players, and being a large hardware player, you'd probably expect better support.
Of course that is at the device level. If we are looking at the appliances, there are quite a few players. NeoScale and Decru are probably the two largest, but there are a number out there that have offerings that may not be as popular.
And when we are talking about software encryption, pretty much all of the mainstream backup products offer encryption capabilities.
Are there any major drawbacks to using tape encryption?

Probably the biggest one: you lose your keys; you lose your data. This deserves the most consideration and you need to have the best possible key management.
Also, if you plan on encrypting at the client level, that may cause some issues if you have implemented deduplication within your environment. Deduplication technology needs to recognize identical data blocks or segments in order to work. If you start encrypting your data at the source to put it on tape, that will completely destroy your ability to apply deduplication. So that is something worth considering. You cannot have both.
If you are encrypting at the device level, it takes care of that problem, but then you are not deduplicating on tape. So if you are deduplicating on disk, staging on disk or encrypting at the source, this is definitely an issue.
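The deduplication point above, as an added example that is not part of the original article: a tiny fixed-block deduplicator is run over two nightly backups of the same data, first on plaintext and then after each job is encrypted at the client with its own random nonce. The cipher is a stand-in counter-mode stream cipher built from HMAC-SHA256 (an assumption; any real nonce-randomised mode used by a backup product behaves the same way for this purpose), and the block size and sample files are constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 4096  # fixed dedup block size (assumption for the demo)


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in counter-mode stream cipher: keystream = HMAC-SHA256(key, nonce||ctr).

    Applying it twice with the same key and nonce decrypts. Like any
    nonce-randomised mode, identical plaintext gives different ciphertext
    whenever the nonce differs, which is exactly what breaks dedup.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def block_counts(streams):
    """Return (blocks seen, distinct blocks) for fixed-block dedup over all streams."""
    seen, total = set(), 0
    for s in streams:
        for i in range(0, len(s), BLOCK):
            total += 1
            seen.add(hashlib.sha256(s[i:i + BLOCK]).digest())
    return total, len(seen)


def dedup_ratio(streams) -> float:
    total, unique = block_counts(streams)
    return total / unique


def compare(key: bytes = b"k" * 32):
    """Dedup ratio for two nightly backups of the same data: plaintext vs
    client-encrypted. Returns (plaintext_ratio, encrypted_ratio)."""
    # Constructed sample: 64 distinct 4 KiB "files", unchanged between nights.
    night = b"".join(hashlib.sha256(b"file%d" % i).digest() * (BLOCK // 32)
                     for i in range(64))
    plaintext_ratio = dedup_ratio([night, night])          # 128 blocks, 64 unique
    # Source-side encryption: each night's job gets its own random nonce, so
    # the same file yields different ciphertext blocks and nothing matches.
    encrypted_ratio = dedup_ratio([encrypt(key, os.urandom(16), night)
                                   for _ in range(2)])     # 128 blocks, 128 unique
    # Device-level encryption runs after dedup has already matched plaintext
    # blocks, so it keeps the plaintext ratio; only the stored copy is encrypted.
    return plaintext_ratio, encrypted_ratio
```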
How can you ease encryption key management issues?

Ideally, you don't want to have to manage your keys. So when we talk about key management, you want this to be as automated as possible. You are counting on an application to do this for you and you don't want to have to copy it anywhere.
For example, a backup product like Tivoli Storage Manager is fully integrated with IBM's LTO-4, so the backup product would take care of key management. This is an ideal setup because you don't want to have to worry about another component taking care of your keys.
Again, one of the main drawbacks to encryption is losing your keys, so you want to back that up. And as simple as this may sound, you don't want to back up your key to encrypted media. You want to make sure you back up your keys and keep your keys somewhere where you can retrieve them. In the Sun STK offering, their station that takes care of key management is capable of replicating it to another one. So, it is also good to do this and ensure you always have a set of keys that is available to you.
Pierre Dorion is the Data Center Practice Director and a Senior Consultant with Long View Systems Inc. in Phoenix, AZ, specializing in the areas of business continuity and disaster recovery planning services, and corporate data protection.
This was first published in October 2008