Managing and protecting all enterprise data


Manage Learn to apply best practices and optimize your operations.

Best Practices: Unraveling tape encryption

With the emergence of new generations of tape drives featuring onboard hardware encryption, companies are revisiting their tape security practices in the hope that this new technology will solve security concerns at an affordable price.

Tape encryption technologies and practices are on the rise. But with more choices than ever, careful consideration of the options is critical.

Security and storage have traditionally been strange bedfellows, seemingly at odds despite so many efforts to sound the alarm concerning the risks inherent to networked storage environments. While awareness of the risks is on the rise, steps to address storage security holes have been slow to evolve. Still, the fear of being exposed on the pages of The New York Times and having to provide free Equifax credit checks to millions of consumers is incentive enough for most organizations to consider tape encryption.

Despite steadily growing interest, the number of companies that encrypt their tapes remains relatively small. When SAN-based encryption appliances were introduced a few years ago, there was a significant uptick in encryption interest. With the emergence of new generations of tape drives featuring onboard hardware encryption, companies are revisiting their tape security practices in the hope that this new technology will solve their current tape security concerns at an affordable price.

Technology options
Several factors play into the successful selection and deployment of a tape encryption technology. It's important to understand the strengths and weaknesses of the available solutions. The most difficult, and often unresolved, challenge is determining the scope of encryption.

A good place to start is with an overview of the landscape.

Backup software encryption: Many backup vendors offer basic client-side data encryption as a standard feature or option. Practically speaking, this function is of limited value due to the host/resource impact that's exacerbated by the necessary accompanying burden of host-based compression (software encryption renders tape drive compression ineffective). The bottom line is that this type of encryption is useful only in some cases.

Some vendors, such as CommVault and Symantec, have introduced data encryption on the media server, a choice that reduces the impact on client-side system performance. These options have the ability to compress and encrypt any combination of onsite and offsite tapes, and also provide some level of key management. Depending on media server configurations and data volume, this approach can be less costly than hardware encryption options. However, it carries some risk of media server performance impact.

SAN-based encryption appliance: Encryption appliances offer line-speed encryption capabilities and key management capabilities. Veteran vendors such as Decru (a NetApp company) and NeoScale Systems have been joined by companies such as CipherMax and Crossroads Systems. These appliances sit in the data path between the backup server and tape library, and can encrypt the data stream in real time with little or no performance penalty. There's considerable variation among these products in terms of the number of ports available, which could impact scalability and configuration complexity. An advantage is that these appliances are agnostic with regards to backup software and tape hardware.

SAN switch-based encryption: An alternative to the SAN-based appliance has emerged in the form of the Cisco MDS 9000 Family Storage Media Encryption Package. Designed to run on multiservice modules available for Cisco 9000 switches, the device functions in a manner similar to that of an encryption appliance. The biggest difference is the ability to perform hardware-based encryption without the complexities of additional external devices and cabling.

Tape drive encryption: Perhaps the most eagerly awaited encryption development over the past year has been the introduction of tape drives with embedded encryption. Initially offered only in high-end ($30,000-plus) tape drives such as the IBM System Storage TS1120 and the Sun Microsystems StorageTek T10000, LTO-4 has brought this capability to the midrange level. Tape drives have included onboard compression for years and, all other things being equal, they seem logical targets for data encryption as well.

Has anyone seen my keys?
But all things aren't equal, and encryption presents significant management challenges due to the complexities of key management. Extremely long retention policies can increase the risk of key loss and, as a result, data by way of "lockout." Encryption appliance vendors have invested heavily in this area and tend to offer solid feature sets and safeguards, flexible key lifecycle management, key replication and validation, and access control. Among tape drive and backup vendors, key management ranges from minimal single-key encryption to comprehensive key management add-ons. From a security architecture perspective, some vendors are eyeing integration with third-party key managers from firms like nCipher and RSA (The Security Division of EMC) in anticipation that larger enterprises will opt for a centralized, more auditable key management authority.

Another factor to keep in mind is the lack of key portability among vendors. While there's an emerging IEEE standard (P1619.3) and most vendors have pledged to support it, it's reasonable to anticipate potential transitioning challenges depending on organizational tape-retention policies.

Security breaches can also translate into legal liabilities. Privacy notification laws, beginning with California's SB 1386, have been enacted by 39 states. Those who know California's law might mistakenly believe that encryption provides indemnification from these customer notification regulations. While this may be the case in California, subsequent laws in other states have no such exemptions.

This confusion, combined with the complexities associated with key management, means some firms choose to avoid encryption. Retaining tapes on company property and eliminating the physical relocation of tapes in favor of electronic vaulting and replication have become attractive options. But depending on the amount of data at hand, that route is often cost prohibitive. Expect advances in technologies like deduplication to make this option more feasible.

Critical criteria
Here are some critical factors to consider when selecting an encryption solution.

Scalability: How predictable is your data growth? Backup software and tape encryption solutions typically offer a smoother growth curve, while appliances follow more of a step function.

Key management needs: From a security best practices perspective, key management should be an independent entity from backup. But due to complexity and organizational limitations, backup admins often become de facto key managers, and there are many cases where one key is in place for all backup. Assuming those organizational policies mature sometime in the future, does your new solution have key management capabilities to accommodate them?

Economic drivers: Organizations typically upgrade tape drives on a three- to five-year cycle, but tape library cycles usually stretch from five to seven years or longer. Unless you're at the right point in your technology depreciation and refresh cycle, tape drive encryption may not be feasible.

Operational integration and management: All encryption options have some operational impact, but the specifics vary. Tape drive encryption, for example, is simple from a physical integration perspective, but its success depends on some degree of backup software support (from basic hardware support to full key management control). Appliances are often transparent to the backup app, but require their own operational procedures to be integrated with the rest of the infrastructure. In all circumstances, the impact on disaster recovery and archiving practices, and the challenges of managing encrypted and unencrypted tapes, must be addressed.

Ultimately, your selection depends on the following:
  • How serious the organization is about security

  • Heterogeneity of the environment

  • Volume of data involved

  • Organizational structure

  • Existing infrastructure

  • Budgetary constraints
Data security is increasingly critical and encryption is a vital component, but tape encryption is more akin to marriage than a casual relationship--so it's a good idea to know what you're getting into.

Article 15 of 16

Dig Deeper on Tape backup and tape libraries

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Storage

Access to all of our back issues View All