Where should you encrypt your data?

Jon Oltsik, senior analyst, information security at the Enterprise Strategy Group, Milford, Mass., says tape encryption today is mostly done in appliances, with Decru Inc. (a division of NetApp Inc.) boasting one of the most substantial customer lists. Other companies with tape encryption appliances include Bosanova Inc. with its Q3, CipherMax Inc. CM100T and Vormetric Inc. CoreGuard. However, he notes, "I see this migrating to the tape drives themselves over time as customers implement new drives and libraries."

He explains that tape drives imbed the cryptographic processing in the drive so the advantages are cost and performance. The disadvantages are that most existing tape drives don't have encryption functionality built in, which is why users choose to deploy encryption appliances. These appliances are relatively fast and transparent to tape/storage operations but are also rather expensive to buy and operate. "My view is that tape drive-based encryption wins by default over time," he adds.

Gartner Inc.'s Jeffrey Wheatman, research director for security, tells a similar story. He says once you determine you want to encrypt, the main decision points revolve around whether to accomplish that at the server (host-based), in an external appliance or within the tape drive.

He says historically, the primary approach to encryption has been through software as part ...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Backup and recovery Criteria for choosing the right tape encryption solution for your data backup plan Creating a System Recovery Disk in Windows 7: A step-by-step tutorial Modern data backup and recovery system considerations SQL Server data backup and recovery best practices Secure your data backups with encryption key management best practices Using data deduplication with backup applications: Source vs. target dedupe Data backup for virtual machines: Alternative methods to VMware Consolidated Backup Upgrading from LTO-3 to LTO-4 tape for data backup and recovery Is VMware Consolidated Backup right for your enterprise? Is cloud data backup service right for your organization? Data backup security Criteria for choosing the right tape encryption solution for your data backup plan Data backup and recovery news briefs: Thales Group releases CryptoStor Tape 3.0 appliance Secure your data backups with encryption key management best practices Podcast: Backing up data on mobile devices Secure data destruction options for old backup tapes and disk Putting a solid data backup and recovery plan behind mobile devices Data storage backup security tutorial: Tape encryption and cloud backup Quantum adds VMware data backup, encryption key management device How do you make sure your data is secure when using a online/cloud backup provider? Using an encryption appliance for data backup security Tape backup and tape libraries Texas Tech turns to data deduplication for data backup, disaster recovery Data backup and recovery news briefs: Rackspace unveils cloud-based file storage apps Spectra Logic looks to leapfrog high-end tape storage market with T-Finity tape library Secure your data backups with encryption key management best practices Data backup news briefs: ProStor Systems ships InfiniVault removable disk backup appliance for SMBs Upgrading from LTO-3 to LTO-4 tape for data backup and recovery W. Curtis Preston: Articles and podcasts on data backup and recovery The tape storage end game: The pros and cons of recycling backup tapes Data backup and recovery news briefs: Tandberg Data introduces DAT tape drives and media Community Health Centers Alliance takes control of data backup and recovery

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

of the backup itself. Indeed, the ability to encrypt may already be built in to your existing backup software or can be acquired inexpensively, he notes. Some examples of encryption-enabled backup software include Atempo Inc. Time Navigator 4.1, CommVault Simpana, EMC Corp. NetWorker and Symantec Corp. Veritas NetBackup 6.5, among others. The big problem, however, is that server-based, backup software encryption often has a substantial negative impact on speed, slowing the backup process and creating an unacceptably large backup window.

Like Oltsik, Wheatman sees backup appliances such as those offered by CipherMax Inc., Ingrian Networks Inc. (recently acquired by SafeNet Inc.) and NeoScale Systems Inc. (recently acquired nCipher Corp.) as the leading approach to the problem at the moment. Built around ASICs or even multi-core processors, they typically sit between the server and the backup library.

"Appliances are usually fast, operating sometimes at close to line speed, so they don't have much of a negative impact on backup windows," he notes. On the other hand, they are generally quite expensive -- even more so in the case where a matching appliance must be maintained at a backup site. Furthermore, Wheatman says some appliances appear to interfere with the compression of backup data, potentially adding cost and time to the process. "Compression usually takes advantage of the repetitive nature of most data but when you randomize things through encryption that can be a problem," so it is better to encrypt after compression if possible, he says.

Although tape drives with built-in encryption have begun to make an appearance, despite their speed, Wheatman says the market is mostly taking a wait-and-see approach because the writing of the tapes is already the place where failures are most common "so anything that adds complexity is viewed with caution." And, according to Oltsik, there are no clear leaders among the vendors, though he notes that both Hewlett-Packard Co. (with its StorageWorks 1840) and IBM Corp. (with its T1120) are among those offering encrypting tape drives and libraries.

Finally, although Wheatman says he hasn't studied any encryption approaches using a virtual tape library (VTL), "it is a concept that could work," he says.

Tape encryption implementation strategy

As you plan your investment in tape encryption capabilities, Wheatman stresses the importance of considering the entire enterprise encryption strategy. "You should put together a three-year roadmap and try to ensure that what you do will fit in your long-term encryption and security framework," he adds.

Wheatman says appliances usually fit better within an enterprise encryption strategy than software-based approaches because of performance and the fact that software encryption may not conform to norms such as the new IEEE 1610 standard. "Furthermore, software approaches don't usually mesh with an end-to-end approach to data encryption," he says.

Despite their cost and the market's cool reception to date, Wheatman says tape drive encryption also has the potential to provide performance and a good fit with an enterprise approach.

Last but not least, Wheatman says it's also important to pay attention to how keys are handled -- an area that has attracted vendors such as nCipher Corp. "You need to cycle keys periodically while being able to preserve keys for recoverability," he adds.

About the author: Alan Earls is a Boston-area freelance writer focused on business and technology, particularly data storage.

Rate this Tip To rate tips, you must be a member of SearchDataBackup.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.