IBM and Sun Microsystems Inc. have simultaneously introduced drive-level encryption options for their high-end tape drives. Both provide hardware-based encryption and come with key management
The advantage of hardware-based encryption at the drive level, as opposed to software-based encryption or third-party appliances, is that it performs encryption after data is compressed and written to tape. Hardware-based encryption in general also has a lower performance impact on the backup server than software-based products; both companies are claiming around a 1% performance impact.
However, both systems, the IBM T1120 and the Sun T10000, which is being marketed as part of its Titanium 10,000 product line, are pricey. The T1120 drive has a list price of $35,500. The IBM Enterprise Key Management (EKM) system, a Java application that can run on commodity hardware, will be included in future IBM products free of charge, but adding the encryption option to an existing T1120 drive will cost $5,000 each.
"I think these systems are pretty accurately priced for the environments they run in," said W. Curtis Preston, backup analyst with Glasshouse Technologies Inc. Generally, these proprietary tape systems are designed for large shops that usually use mainframes and often require up to a 90% duty cycle for a tape drive, Preston said.
Meanwhile, the LTO Consortium is promising that the next generation of the more widely used Linear Tape-Open (LTO) format, due out later this year, will also be including native encryption. Digital linear tape's (DLT) newest format, DLTSage, released in January, also includes security features, although they are not as complete as the new tape drives or hardware appliances.
Still, it's unclear, despite vendor hype, how many users can afford to or wish to unite storage and security more closely. IBM said it surpassed its end-of-year sales goals for the T1120 even before its official announcement this week but declined to say what its goals were, either in terms of numbers or users. IBM also declined to name any users of the new product, despite requests from press on a conference call Tuesday.
"I really don't see too many users asking me, 'when is this going to be available?' " when it comes to security, Preston said.
New regulations in certain industries are driving some new adoption of encryption, like a new Department of Defense regulation drawn up in response to the loss of a laptop containing sensitive information on veterans from a Department of Veterans Affairs' clinic last June. According to Mark Stewart, backup and recovery storage administrator at Randolph Air Force Base in Texas, that new regulation lit a fire under his organization to explore encryption for his backups -- but that he still will probably not be going for tape drive-level encryption.
"I absolutely love the idea of hardware encryption at the tape device," Stewart said, adding that he had "fallen in love" with the DLTSage product in particular. "[But] my leadership cannot afford to give me the steamer-trunks full of cash that would be needed to replace my current tape library, tape drives and media." Instead, Stewart said, he's going with a third-party encryption appliance.
Even if the target market for the first tape drive encryption products is small, analysts point out that this is probably the first phase of encryption as a standard feature within tape backup products -- and, eventually, disk products, which IBM has already hinted will be its next step.
"Encryption at the tape drive level is the cleanest, most efficient approach," said Bob Abraham, analyst with Freeman Reports. "Someday, I think you'll see it as a very common capability, like compression, that's included in all systems -- and it's unlikely users will deliberately disable the process."
The key differentiator: Key management
If and when encryption becomes ubiquitous, analysts emphasized, the most important differentiator between products will not be the process of encryption itself but key management.
So far, the most advanced of the tape drive encryption products is the IBM T1120, which uses both public and private keys, a process that allows the safe sharing of data between business partners, IBM said. In the case of IBM, the private key is embedded within the tape cartridge itself, and public keys are available to everyone. Both keys would be needed to read the data. In the case of Sun's T10000, which uses only the private key, the first time users send a tape to a trusted partner, the key would also have to be transported, which some analysts say could compromise security.
Also, tape drive vendors still lack at least one key management feature already included in the third-party appliances -- quorum management of a global key, which unlocks the entire key management system. If just one global key is issued, it presents a twofold security hazard, according to Preston: One, it allows it to fall into the wrong hands more easily, and two, in a disaster situation it can be lost or destroyed too easily as well. Decru's box in particular allows a global key to be split up among a quorum of designated administrators, requiring a minimum number to be present to open the encryption box in the case of a disaster.
"If you're evaluating security products, key management is the number one thing," Preston said. "And the No. 1 thing there is how easy it is to lose the key or give it to the wrong person."
Bob Venable, manager of enterprise systems at Blue Cross Blue Shield in Tennessee, said there's considerable thought and planning required around key management before encrypting tapes, and Blue Cross -- an IBM shop -- plans to use the new tape encryption product from IBM when it becomes available. But for regulatory purposes he notes, "encrypted tapes are a huge relief, both pragmatically, as well as politically."