Published: 10 Mar 2007
Very few storage managers use the encryption option in their backup software apps, fearing the performance penalty--swelling data volumes and exhausted processing cycles--if they do.
To alleviate this, some backup vendors are moving encryption from the client to the media server. But users are slow to get on board.
"We've been toying with the idea [of encryption] for 18 months, but I am still really worried about performance," says Marty Scott, manager of network solutions for the department of transportation in Maricopa County, AZ. Scott performs a full 6TB backup over the weekend and is pushing a 60-hour window to get it done. "I am hesitant to add any more in there as it will take longer," he says. But he's ready to take a look at new offerings. "We need to do something."
Last December, Symantec announced its Media Server Encryption Option (MSEO) for Veritas NetBackup that offloads client-side encryption to the central backup server to speed up the process. "The media server is generally a bigger box ... so [encryption] has a negligible impact here," says Mike Adams, senior group manager for NetBackup product marketing at Symantec.
The Screen Actors Guild-Producers Pension and Health Plans (SAGPH) in Burbank, CA, had tested encryption via NetBackup prior to the release of MSEO. The older process increased its backup window almost 50%, which was "unacceptable," says Kevin Donnellan, SAGPH's assistant CIO. Using Veritas NetBackup MSEO, the organization has seen a minimal 6% increase in its backup window, and has added fewer than 30 minutes to its seven-hour window, which was "within reason," says Donnellan.
The minimal impact on SAGPH's backup operation is a small price to pay compared to the expense to the organization if its members' healthcare data is lost or stolen. "We have famous actors' health history in our databases ... a lot of people would like to get their hands on that," says Donnellan. SAGPH is also regulated by HIPAA regarding the protection of electronically stored health records.
Donnellan concedes that there are probably technically superior ways to perform encryption, but SAGPH uses Symantec products for security as well as backup. "With the size of our organization, it is better to have a handful of business partners than trying to look at the whole world; you get better discounts," he says.
Doug Albright, systems engineer at Carlson Wagonlit Travel, deployed the CommVault Galaxy suite in June 2006, with encryption turned on for all backups. "All [encryption] processing is performed at the media server with minimal impact on the client," he says. Carlson Wagonlit backs up approximately 10TB per week, but as a greenfield site for CommVault, the firm is unable to compare its current backup performance against previous practices.
Another big issue users have with encryption is key management. Some vendors have figured out how to centralize this task on the backup server so that administrators can set a key up once, store it, track it and centrally replicate it. CommVault has offered this feature for almost two years. The latest version of Veritas NetBackup offers centralized key management, as does IBM's Tivoli Storage Manager (TSM) 5.4, released this past January. EMC's NetWorker 7.4 will offer centralized key management in the first half of 2007, while CA's BrightStor ARCserve will offer it by year's end, say company officials.
"If you haven't got good key management, the whole thing falls apart," warns Brian Brockway, senior director of product management at CommVault.
But while encryption processing and management in backup software is improving, the general wisdom still seems to be that whenever you can optimize a process in hardware, that's the best approach.
"The long-term nirvana is hardware assistance," says Gordon Arnold, product manager for IBM's TSM group. He believes encryption should be done at the last possible minute, after the data is compressed and deduplicated.
"There is some simplicity involved in doing it in the backup app," says Arnold, but he points to products like IBM's recently announced System Storage TS1120 tape drive, which performs encryption at the drive level, as the way of the future. Sun Microsystems' StorageTek T10000 offers similar functionality, while Spectra Logic offers encryption with its Spectra T120 and T950 libraries.
Symantec officials argue that while hardware might offer some performance benefits, the price tag for this benefit is high. Veritas NetBackup MSEO costs approximately half as much as encryption appliance products from the likes of Network Appliance/Decru and NeoScale Systems, and significantly less than drive-level encryption products. NetBackup MSEO costs $10,000 for the key management structure; NetBackup media server pricing begins at $5,000 for Windows and $10,000 for Unix.