Where in the storage infrastructure should you encrypt data?
This is the most fundamental question in selecting an encryption product. Each encryption architecture introduces significantly different considerations. Encryption key generation and management, increased backup windows, Fibre Channel SAN reconfigurations and heightened server overhead are just some of the factors a company needs to consider prior to adding encryption to its backup infrastructure.
How does the encryption software or appliance support key escrow and management for long-term data access and disaster recovery?
Key management is a compelling issue during any recovery, disaster or otherwise. If and when a company is required to recover data years later at its existing facility or during a disaster, it needs to have the keys used to encrypt the data before that data can be recovered.
How much space is required to encrypt the data?
Adding storage space in the form of more tape or disk isn't prohibitively expensive, but with encryption potentially increasing backed-up data footprints by 20% or more, controlling the impact of encryption on storage growth is paramount. Compression is almost always part of the encryption process, so ascertain what capacity savings compression will provide and whether that offsets the
Is deduplication done prior to encryption?
In the long term, deduplication should offer better performance characteristics than compression, but on the initial pass backup windows can be horrific. Verify how deduplication products generate and manage encryption keys and what options administrators have to change them over time.
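Why the ordering in the two questions above matters, shown as an added example that is not from the original article: ciphertext neither deduplicates nor compresses, so both reductions have to run before encryption. The cipher is a SHA-256 keystream stand-in (an assumption that keeps the example standard-library only, not a real cipher), and the 4 KB fixed chunk size, sample records and function names are constructed for illustration.

```python
import hashlib
import os
import zlib

CHUNK = 4096  # assumed fixed-size dedup chunk

def stand_in_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real cipher: SHA-256 keystream with a fresh random nonce.
    Illustrative only; its output is random-looking, like real ciphertext."""
    nonce = os.urandom(16)
    out = bytearray(nonce)
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def split(data: bytes) -> list:
    """Cut a byte string into fixed-size chunks, as a simple dedup engine would."""
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]

def stored_bytes(backups, key: bytes, dedup_first: bool) -> int:
    """Bytes written to the backup target for a series of backups."""
    if dedup_first:
        # Dedup and compress plaintext chunks, then encrypt what is left.
        unique = {c for b in backups for c in split(b)}
        return sum(len(stand_in_encrypt(zlib.compress(c), key)) for c in unique)
    # Encrypt each backup first; dedup and compression then see only ciphertext.
    unique = {c for b in backups for c in split(stand_in_encrypt(b, key))}
    return sum(len(zlib.compress(c)) for c in unique)

def sample_backups():
    """Constructed data: two nightly backups of 64 chunks, one chunk changed."""
    def chunk(n):
        line = f"record {n:06d} customer=ACME status=ok\n".encode()
        return (line * (CHUNK // len(line) + 1))[:CHUNK]
    night1 = [chunk(n) for n in range(64)]
    night2 = list(night1)
    night2[10] = chunk(999999)
    return [b"".join(night1), b"".join(night2)]

if __name__ == "__main__":
    backups, key = sample_backups(), os.urandom(32)
    print("raw bytes:          ", sum(len(b) for b in backups))
    print("dedup then encrypt: ", stored_bytes(backups, key, dedup_first=True))
    print("encrypt then dedup: ", stored_bytes(backups, key, dedup_first=False))
```

On this sample the dedup-first path stores a small fraction of the raw size, while the encrypt-first path stores roughly the full raw size of both backups.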
What is the likelihood of searching and accessing data after it's encrypted?
If data is encrypted and stored on tape without being indexed first, it's prohibitively expensive to search and index the data later.
This article first appeared in Storage magazine.
This was first published in April 2008