Data encryption's impact on network backup can be high

There are three ways to encrypt tape-based backup data:

• Host-based encryption through integration with backup software
• Appliance-based encryption with the addition of an inline appliance that encrypts data as it flows to the tape drive or library
• Tape drive or endpoint encryption, in which data is encrypted as it is written to the tape media

More on backup and encryption Tape encryption FAQ Choosing a tape encryption product How archiving and encryption impact backup Five questions for evaluating an encryption product

Host-based or software-based encryption exacts perhaps the harshest performance penalty on the backup process. It is processor-intensive because it's a task of the host computer and requires CPU overhead to process. Software-based encryption is incorporated into backup software such as EMC Corp. NetWorker or Symantec Corp.'s Veritas NetBackup either as a standard or optional feature. It also has the benefit of being less expensive and being integrated into existing backup packages vs. appliance- or tape drive-based encryption. Software-based encryption often doesn't include data compression, a process that needs to take place before encryption and which requires additional media.

Appliance-based encryption has the advantage of being able to encrypt data to both legacy (pre-LTO-4) products and heterogeneous tape libraries and drives. While having nearly wire-speed performance in encrypting data, appliances mean an extra device in the network to manage. Most appliance-based encryption devices also have their own key management systems rather than requiring users to obtain their own. An appliance has also the advantage of being able to be inserted into the existing data path without changing the backup application or integration with the tape library or tape drives. Examples of encryption appliances would be Crossroad Systems Inc.'s StrongBox TapeSentry, nCipher Corp.'s NeoScale CryptoStor and NetApp's DataFort.

Tape drive-based or library-based encryption has the advantage of little performance degradation as well as the ability to encrypt data after it is compressed and written to tape, thus maximizing the number of cartridges required to complete the backup process. But it has disadvantages, which are brought to it with the advent of the LTO-4 tape specification -- it is homogeneous -- often encrypting only the contents of one brand of tape library.

John Ruffing, assistant director for advanced technology integration services at Weill Medical College of Cornell University in New York City, uses tape-based encryption from Spectra Logic Corp.

"Weill Cornell is using tape encryption to enhance HIPAA and other regulatory compliance and, in particular, to allow safer offsite tape transport," says Ruffing, who has two Spectra Logic T950 tape libraries installed. "We are doing compression via the Spectra T950 Library with G5 QIPS [Quad Interface Processors] simultaneous to encryption."

When Ruffing initially installed the Spectra T950, he was using LTO-3 drives. "Performance via the G5 QIPS was indeed significantly affected by encryption," says Ruffing. "LTO-3 was the only option when we purchased the Spectra T950 and it required the QIPS."

Not long after in 2007, "LTO-4 drives with built-in encryption became available," says Ruffing. "I suspect the impact has been reduced or eliminated."

Another advantage of encrypting at the tape drive or library level is that it enables compression before encryption, resulting in a reduction of the number of tape cartridges required for backup. Other examples of encrypting drives include IBM Corp. System Storage TS1120 and Sun Microsystems Inc. StorageTek T10000.

Media for LTO-4 tapes is also more expensive than their LTO-3 predecessors -- for instance, an 800 GB LTO-4 tape may cost as much as $150, while a 400 GB LTO-3 cartridge is available a little more than $50.

Whichever method of encryption you choose, remember that with each comes its own benefits and drawbacks.

About this author: Deni Connor is principal analyst with Storage Strategies NOW in Austin, TX.

Do you have comments on this column? Let us know.

Do you know a helpful backup tip, timesaver or workaround? Email the editors if you'd like to write tips for SearchDataBackup.com.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Backup and recovery SQL Server data backup and recovery best practices Secure your data backups with encryption key management best practices Using data deduplication with backup applications: Source vs. target dedupe Data backup for virtual machines: Alternative methods to VMware Consolidated Backup Upgrading from LTO-3 to LTO-4 tape for data backup and recovery Is VMware Consolidated Backup right for your enterprise? Is cloud data backup service right for your organization? Are data backup vendor certifications valuable for backup administrators? Choosing a Linux system backup tool: Pros and cons of popular Linux backup apps Dedupe dos and don'ts: Data deduplication technology best practices Data backup security Data backup and recovery news briefs: Thales Group releases CryptoStor Tape 3.0 appliance Secure your data backups with encryption key management best practices Podcast: Backing up data on mobile devices Secure data destruction options for old backup tapes and disk Putting a solid data backup and recovery plan behind mobile devices Data storage backup security tutorial: Tape encryption and cloud backup Quantum adds VMware data backup, encryption key management device How do you make sure your data is secure when using a online/cloud backup provider? Using an encryption appliance for data backup security LTO-4 tape technology finally catching on -- tape storage isn't dead yet Data storage backup tools Data backup and recovery news briefs: Thales Group releases CryptoStor Tape 3.0 appliance Data archiving reduces data backup workload prior to data deduplication Symantec releases Linux version of Backup Exec System Recovery Data backup and recovery news briefs: Druvaa Software updates flagship product, releases inSync v3.1 SQL Server data backup and recovery best practices Data backup and recovery vendors dig into deduplication technology, aim for cloud backup Veeam integrates with VMware vStorage APIs in Backup and Replication 4 Data backup and recovery news briefs: Data Domain upgrades data deduplication appliances Double-Take replication software solves remote-office data backup headache for Lennox International Using data deduplication with backup applications: Source vs. target dedupe

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary