Backup data security overview

News of a lost tape or hacked data center storage can easily make the front page of The Wall Street Journal or USA Today, often leading to lost customers, regulatory scrutiny and a rash of litigation that can damage a company for years. Today, backups are more than just a technical exercise in copying files from one place to another. Storage administrators are increasingly relying on encryption technologies to guard sensitive data on tape, disk or WAN.

The loss or theft of sensitive data doesn't just impact an IT department; the business consequences described above are the reason storage administrators are increasingly relying on encryption technologies to guard sensitive data. Encrypted data cannot be read without the corresponding key, so company data remains protected even when a tape is lost in transit to an off-site location, or a disgruntled ex-employee makes off with a client database -- provided the key did not travel with the tape or leave with the employee. Encryption is typically employed on disk, on tape and across networks, depending on the storage security needs of the particular business.

Encryption basics

Encryption processes data through a mathematical algorithm (a cipher) under a secret value (the key), so that the same plaintext encrypted under different keys yields different ciphertext. A well-analyzed cipher with an adequate key length, such as AES with a 256-bit key (AES-256), produces ciphertext that is practically impossible to recover without the key. Encrypted data is therefore considered safe even if the tapes or files are lost or fall into the hands of an attacker, with one important caveat: it is exactly as safe as the key. Decryption reverses the process by running the ciphertext through the algorithm with the same key (symmetric encryption). Public-key systems use a separate, mathematically related key to decrypt; that simplifies key distribution but does not by itself make the data more secure. Note also that encryption provides confidentiality, not integrity: unless an authenticated mode or a separate integrity check is used, tampering with the ciphertext may go undetected until a restore fails.

Encryption can be implemented in software or hardware. "Source encryption" encrypts data where it is created, in the application itself; most operating system and application vendors, including Microsoft and Oracle, offer built-in encryption features. A second option is the backup software, including EMC Corp.'s Legato, Symantec Corp.'s NetBackup and IBM's Tivoli, which can encrypt the data stream on its way to tape or a virtual tape library (VTL). Tapes can then be transported and stored off site safely, and backup data kept on disk stays protected as well. In either case the key used for a given backup must be recorded and retained for as long as that backup might need to be restored.

Encryption is CPU-intensive, so hardware encryption appliances are increasingly employed to provide point-to-point encryption at or near wire speed. Vendors include Decru Inc. (DataFort security appliances) and NeoScale Systems Inc. (the CryptoStor appliance family). Vendors like SpectraLogic Corp. integrate encryption into their tape library products, and even hard drive manufacturers are adding encryption to some disks: Seagate Technologies and Secude IT Security GmbH have joined to implement full disk encryption on the Seagate Momentus 5400 FDE notebook hard drive.

Keys are essential for decrypting protected data -- if the key is lost or forgotten, the encrypted data is unrecoverable, and there is no support line that can get it back. Consequently, key management features (secure generation, backup and escrow of keys separately from the data they protect, rotation, and controlled access to keys for restores) are an important aspect of any encryption product evaluation, and company security policies may need to be adjusted to include key management in day-to-day operations. A backup that can be restored only while a particular appliance or a particular administrator is available is not a usable backup, so restores with the escrowed keys belong in disaster recovery testing.

Tape encryption

Tapes are the most frequent encryption targets since they are often the most vulnerable to loss and theft. Tapes may be stolen from cars, taken from homes or lost in shipment to off-site storage facilities. In fact, many of the most notable security breaches reported in the popular media over the last few years have been the result of lost tapes.

Tape encryption is normally accomplished through backup software. Data is encrypted on the fly by the backup server and passed to the tape drive or library, where the encrypted data is written to tape. In many cases, the processing overhead imposed by software encryption impairs backup server performance, which in turn lengthens the backup window. Encryption can also be accomplished through hardware appliances placed inline between the backup server and the tape system. This is a costlier approach but typically imposes little, if any, performance penalty.

It's important to note that encryption is the enemy of compression. Good ciphertext is indistinguishable from random data, so a compression algorithm finds nothing to compress, and deduplication fares no better: the same file encrypted twice (under different keys or nonces) produces different ciphertext, so duplicates are no longer recognized as duplicates. This presents storage administrators with a dilemma. Tapes (and, increasingly, disk storage) rely on compression to reduce media costs, so encrypting before compressing forces users to forego compression and use more tape media, dramatically changing the economics of tape use. The fix is to order the steps correctly: compress the data first, then encrypt the compressed result. Encrypting tape drives and inline appliances generally do this automatically; with software encryption, make sure the backup software's own compression runs before its encryption, because the tape drive's hardware compression, which runs later, sees only ciphertext.

Perhaps a more practical way to mitigate the backup performance and compression problems is to encrypt only the files that contain sensitive information rather than adopting an all-or-nothing approach. For example, if only 10 GB of a 60 GB backup represent sensitive data, only that 10 GB needs to be encrypted. The remaining 50 GB can stay unencrypted (and compressible), so the overall impact on the backup server and tape utilization is minimized. The catch is that this depends on an accurate and maintained data classification: a sensitive file that lands outside the encrypted set is exposed in the clear on every tape that leaves the building.
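The two points above (compress before you encrypt, and encrypt only what is classified as sensitive) are easy to demonstrate in code. The script below is an added example, not code from the original article or from any backup product. Its cipher is a stand-in: a counter-mode keystream derived with HMAC-SHA256, used only so the script runs on the Python standard library. A real product would use AES (for instance AES-256 in an authenticated mode); the compressibility behaviour is the same because good ciphertext looks like random bytes. The sample "client export" is constructed inline, and the file names, the sensitive set and the 16-byte nonce layout are assumptions of the example.

```python
"""Compress-then-encrypt vs encrypt-then-compress, plus selective encryption
of a backup set.  Added example, not from the original article or any product.

The cipher is a stand-in: a counter-mode keystream from HMAC-SHA256, chosen
only so the script runs on the Python standard library.  A backup product
would use AES (e.g. AES-256 in an authenticated mode); the compressibility
behaviour shown is the same, because good ciphertext looks like random bytes.
"""
import hashlib
import hmac
import os
import zlib

NONCE_LEN = 16                          # assumed nonce size for this example
BLOCK = hashlib.sha256().digest_size    # 32-byte keystream blocks


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a PRF keystream (CTR-style, no authentication).
    Encryption and decryption are the same operation.  Stand-in for AES;
    a (key, nonce) pair must never be reused."""
    out = bytearray()
    for ctr in range((len(data) + BLOCK - 1) // BLOCK):
        ks = hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[ctr * BLOCK:(ctr + 1) * BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, ks))   # zip trims the last block
    return bytes(out)


def make_sample_records(n: int) -> bytes:
    """Constructed sample data: a CSV-like client export (highly compressible)."""
    rows = (f"{i:06d},customer{i % 97},555-01{i % 100:02d},ACTIVE,us-east-1,standard\n"
            for i in range(n))
    return "".join(rows).encode()


def size_report(plaintext: bytes, key: bytes, nonce: bytes) -> dict:
    """Byte counts for both orderings of compression and encryption."""
    compressed = zlib.compress(plaintext, 9)
    # Wrong order: the compressor sees random-looking ciphertext and gains nothing.
    wrong = zlib.compress(keystream_xor(key, nonce, plaintext), 9)
    # Right order: compress first, then encrypt the (much smaller) result.
    right = keystream_xor(key, nonce, compressed)
    return {"plaintext": len(plaintext), "compressed_only": len(compressed),
            "encrypt_then_compress": len(wrong), "compress_then_encrypt": len(right)}


def encrypted_copies_match(data: bytes, key: bytes) -> bool:
    """Deduplication check: two encryptions of the same file, each with a fresh
    nonce, yield different ciphertext, so a dedupe engine cannot merge them."""
    a = keystream_xor(key, os.urandom(NONCE_LEN), data)
    b = keystream_xor(key, os.urandom(NONCE_LEN), data)
    return a == b


def backup_set(files: dict, sensitive: set, key: bytes) -> dict:
    """Compress every file, then encrypt only those classified as sensitive.
    Returns name -> (stored bytes, encrypted flag); an encrypted file carries
    its nonce in front of the ciphertext so it can be restored later."""
    stored = {}
    for name, data in files.items():
        blob = zlib.compress(data, 9)            # compression always runs first
        if name in sensitive:
            nonce = os.urandom(NONCE_LEN)
            blob = nonce + keystream_xor(key, nonce, blob)
            stored[name] = (blob, True)
        else:
            stored[name] = (blob, False)
    return stored


def restore(stored: dict, key: bytes) -> dict:
    """Inverse of backup_set: decrypt where needed, then decompress."""
    files = {}
    for name, (blob, encrypted) in stored.items():
        if encrypted:
            blob = keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])
        files[name] = zlib.decompress(blob)
    return files


if __name__ == "__main__":
    key = os.urandom(32)
    report = size_report(make_sample_records(2000), key, os.urandom(NONCE_LEN))
    for label, size in report.items():
        print(f"{label:>22}: {size:7d} bytes")
    print("identical ciphertext for identical files:",
          encrypted_copies_match(b"same file" * 100, key))
```

Running the script shows the compressed-only and compress-then-encrypt sizes are identical, while the encrypt-then-compress size is no smaller than the plaintext; the deduplication check returns False because each copy gets its own nonce. The classification passed to backup_set is the weak point in practice: the code trusts the caller's sensitive set, so whatever inventory produces that set needs the same review as the encryption itself.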

Disk/SAN encryption

Storage administrators are increasingly sensitive to vulnerabilities in the data center/SAN where sensitive data can be hacked through a public network or directly compromised by internal users. Another concern is the vulnerability of data located on laptop and notebook PCs in the field. Consequently, encryption is being employed to protect data on disk as it resides in the data center on storage arrays or servers, as well as the disks on mobile PCs.

Although disk is a much faster medium than tape, encryption can still impair file server performance: users wait for data to be decrypted on reads, and applications see added latency while data is encrypted on writes. As a result, broad encryption across a SAN is quite rare today. But again, the impact of encryption can be mitigated by narrowing its scope to sensitive data only.

WAN encryption

Data is particularly vulnerable whenever it is off site and outside of direct corporate control. This is the principal argument for tape encryption, but it also applies to data passed over a public network like the Internet. There is nothing new about encrypting data over the Internet -- SSL (secure sockets layer, since superseded by TLS) is the standard encryption scheme between Web browsers and secure Web sites. However, more companies are now deploying strong encryption on bulk data transfers to prevent data theft through sniffing and other tactics.

Files that have already been encrypted at the file or application level (e.g. encrypted files in the data center) can be exchanged across a WAN without further concern for their contents, though file names, sizes and transfer patterns are still visible unless the link itself is encrypted. Note that transparent disk or array encryption does not count here: it decrypts data on every read, so data leaving such a volume for replication is in the clear unless something else encrypts it. Unencrypted data can be encrypted in storage hardware by adding an appliance to each end of a WAN connection. For example, a primary data center may encrypt its data before sending it across the Internet to a secondary data center or replication/disaster recovery site, where it is decrypted again before being written to disk. Since hardware encryption can typically be accomplished at wire (or near wire) speed, data can be encrypted and exchanged on the fly while still making best use of available WAN bandwidth; as with tape, compression or WAN optimization must run before the encryption step to have any effect.
