Whether you're faced with a government regulation, a business partner contractual requirement, or just want to take some basic precautions, tape encryption should be on your radar.
This leads us to the host versus appliance encryption question. Which one will work best in your environment? The following describes considerations related to both approaches, and will help you choose the right option to ensure that your tapes are secure.
Pros and cons of host-based tape encryption
Pros: You likely already have what you need to start encrypting tapes now, since most current backup applications provide encryption options (e.g., CA ARCserve, Symantec Corp. Backup Exec).
Cons: Host-based encryption schemes can be harder to manage if you have a lot of data to encrypt. Tape backups are often painfully slow anyway, and adding encryption on top of the process generates even more overhead to cram into those shrinking backup windows. Also, there may be additional costs associated with the extra media required, because you get little to no compression with encrypted data. That is, unless the data can be compressed by the software first, which may not be a good option given the extra time it can take.
Another security gotcha that many people don't think about is the fact that encryption keys are typically stored on the host, which can expose them to unauthorized access and abuse. If a malicious internal user -- or even an outside attacker -- gains access to your backup software installation by cracking a password or exploiting a missing patch, that could spell trouble. And gaining access in this way is much easier than most people think it is. Finally, host-based tape encryption is system-dependent and may require updates when your local OS is patched or upgraded to a newer version.
The bottom line with host-/software-based encryption is that it works but may generate some extra work. If you can deal with the downsides, it's still probably the most reasonable option for smaller organizations and enterprises with limited tape sets.
The pros and cons of appliance-based tape encryption
Pros: First off, appliance-based encryption solutions are transparent to the OS, which helps make them easier to manage. Appliances can also compress data before it's encrypted, which maximizes throughput and makes the most of tape storage space. You also get stronger protection of encryption keys, since they are stored in the hardware, as well as the option to work with an enterprise key management application. Finally, built-in audit logging, reporting and related features from vendors such as Crossroads Systems Inc. and nCipher (now part of Thales) help with the visibility and insight required for enterprise-level compliance and security management needs.
Cons: Unfortunately, appliance-based encryption solutions can be pricey. Not only that but you also have to allot time for some up-front planning to ensure such a solution is implemented correctly across all of your tape systems. Appliances can also be another target for attack. The security mantra is if it has an on/off switch and an IP address, it's open to attack. So, an appliance is likely yet another thing to include in the scope of your security assessments.
The bottom line with appliance-based tape encryption is that if you're in a larger environment and need a high-performance solution that can tap into your networked storage then it's the way to go.
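The compression point made in the host-based cons and the appliance pros can be measured directly. The following is an added example, not part of the original tip or any vendor's code: it uses zlib as a stand-in for drive or software compression and a SHA-256 counter-mode keystream as a stand-in cipher (for size measurement only, not for protecting data), over a constructed sample of log-like records.

```python
import hashlib
import zlib


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode); size measurement only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def tape_bytes_written(data: bytes, key: bytes) -> dict:
    """Bytes that reach the tape for each ordering of compression and encryption."""
    compressed = zlib.compress(data, 6)
    ciphertext = keystream_encrypt(key, data)
    return {
        "plain": len(data),
        "compress_only": len(compressed),
        # Host encrypts first; the drive then tries to compress ciphertext.
        "encrypt_then_compress": len(zlib.compress(ciphertext, 6)),
        # Compress first (host software or appliance), then encrypt.
        "compress_then_encrypt": len(keystream_encrypt(key, compressed)),
    }


# Constructed sample input: repetitive, log-like backup records.
SAMPLE = b"".join(
    b"2009-02-01 host%03d backup job %05d status=OK bytes=1048576\n" % (i % 20, i)
    for i in range(5000)
)
SAMPLE_KEY = b"constructed-demo-key"  # constructed value, not a real key

if __name__ == "__main__":
    for name, size in tape_bytes_written(SAMPLE, SAMPLE_KEY).items():
        print(f"{name:24s}{size:>10d}")
```

Ciphertext looks random to the compressor, so the encrypt-first ordering writes roughly the full plaintext size to tape, while the compress-first ordering keeps the compressed size.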
Tape libraries with built-in encryption
If neither host nor appliance-based tape encryption solutions seem to be a good fit, you could always invest in a tape library system that has built-in encryption capabilities. Based on my experience, these solutions tend to not be as flexible as host- or appliance-based encryption yet can still be expensive. Existing tape library systems may even be upgradeable to provide tape encryption. It's certainly something worth looking into if you already own a tape library.
If you've got more than a handful of tapes to encrypt, you also can't afford to overlook the need for a key management solution. The last thing you want is a set of backup tapes that are so "secure" that no one can access them because the keys were lost, misplaced, or forgotten altogether.
Before you spend any money on tape encryption, one of the most important things to do is to ask yourself and your security committee (you do have one, right?), "Do we need to encrypt all data backed up to every tape?" The answer is most likely no. But this is going to involve knowing exactly what data is located where, and this is something only an in-depth data classification and analysis is going to unveil.
About the author: Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent information security assessments and audits. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver [at] principlelogic.com.
This was first published in February 2009