Encryption starts by processing data through a complex mathematical algorithm (a cipher) that uses a unique variable value (or key) to produce unique encryption results. Longer keys, used together with more complex encryption algorithms, such as AES 256, will result in encrypted data that is practically impossible to recover without the key. Once the data is in an unreadable form, it is considered safe even if the files are lost or compromised by hackers. Conversely, encrypted data is made readable again (or decrypted) by processing it through the algorithm using the same key, though sometimes a different or companion key might be used for added security.
Encryption can typically be implemented in software or hardware. "Source encryption" works to encrypt data at its source directly through a particular application. Most operating system and application vendors, including Microsoft and Oracle, include a means of data encryption. A second means of encryption is typically provided through backup software applications, including EMC Corp.'s Legato, Symantec Corp.'s NetBackup and IBM's Tivoli. The backup software can encrypt data on its way to tape or VTL. This enables the tape to be transported and stored securely off site, while backup data relegated to disk will remain secure.
Keys are essential for decrypting protected data --- if the key is lost or forgotten, the encrypted data will be inaccessible. Consequently, key management features are an important aspect of any encryption product evaluation, and company security policies may need to be adjusted to include key management in day-to-day operations.
Tapes are the most frequent encryption targets since they are often the most vulnerable to loss and theft. Tapes may be stolen from cars, taken from homes or lost in shipment to off-site storage facilities. In fact, many of the most notable security breaches reported in the popular media over the last few years have been the result of lost tapes.
Tape encryption is normally accomplished through backup storage software. Data is encrypted on the fly through the backup server and passed to the tape drive or library where the secure data is written to tape. In many cases, the processing overhead imposed by software encryption impairs backup server performance, and this in turn increases the backup window. Encryption can also be accomplished through hardware appliances placed inline between the backup server and tape system. This is a costlier approach but typically imposes little, if any performance penalty.
Perhaps a more practical way to mitigate the potential issues of backup performance and compression loss is to encrypt only the files that contain sensitive information rather than adopting an all-or-nothing approach. For example, if only 10 GB of a 60 GB backup represent sensitive data, only that 10 GB needs to be encrypted. The remaining 50 GB can remain unencrypted, so overall impact on the backup server and tape utilization is minimized.
Storage administrators are increasingly sensitive to vulnerabilities in the data center/SAN where sensitive data can be hacked through a public network or directly compromised by internal users. Another concern is the vulnerability of data located on laptop and notebook PCs in the field. Consequently, encryption is being employed to protect data on disk as it resides in the data center on storage arrays or servers, as well as the disks on mobile PCs.
Although disks are a much faster medium than tape, encryption can still impair the performance of file servers -- generally impacting the overall user experience by waiting for decryption or delaying application response times as data is encrypted/decrypted. As a result, broad encryption across a SAN is quite rare today. But again, the impact of encryption can be mitigated by narrowing the scope of encryption to only sensitive data.
Data is particularly vulnerable whenever it is off site and outside of direct corporate control. This is the principle argument for tape encryption, but it also applies to data passed over a public network like the Internet. There is nothing new about encrypting data over the Internet -- SSL (secure sockets layer) is the standard encryption scheme between Web browsers and secure Web sites. However, more companies are deploying strong encryption to prevent data theft due to sniffing and other tactics.
Files that have already been encrypted (e.g. files in the data center) can be exchanged across a WAN without further concern. However, unencrypted files can easily be encrypted through storage hardware by adding an appliance to each end of a WAN connection. For example, a primary data center may encrypt its data before sending it across the Internet to a secondary data center or replication/disaster recovery site where it is decrypted again before being sent to disk. Since hardware encryption can typically be accomplished at wire (or near wire) speeds, data can be encrypted and exchanged on the fly while still making best use of available WAN bandwidth.