Enterprise Strategy Group
Published: 12 Jul 2007
You can't duck it any longer; it's time to encrypt your backup tapes.
When I joined the Enterprise Strategy Group (ESG) approximately four years ago, we had a burning suspicion that the storage layer of the technology stack wasn't very secure. Our day-to-day conversations with IT professionals reinforced this hypothesis, but that wasn't enough. Early in 2004, we embarked on a quantitative research project to compare our thoughts to real user data. Chalk one up for data and statistical analysis; this time we weren't just reading our own headlines, we were spot on.
ESG concluded that while the entire storage infrastructure was extremely vulnerable, one of the most ominous weaknesses was tape encryption. When enterprises (i.e., organizations with 1,000 or more employees) were asked if they encrypted backup data, only 7% respond-ed "Yes, always." A startling 60% of storage professionals said "No." This meant that the preponderance of data on tape was being carted to some offsite storage facility in cleartext, a proverbial accident waiting to happen.
Acceptance is growing
What's taken place since our initial study? There's good news and bad news.
When ESG Research revisited this topic in 2006, we found that 25% of enterprises had deployed tape-encryption solutions, 14% planned to deploy tape encryption in the next 12 months, and another 21% had no plans to deploy tape encryption but were interested in the technology.
I'd love to say ESG drove the behavioral change, but my guess is that it was related to three critical factors:
- Visible data breaches. In February 2005, Bank of America lost backup tapes containing the personal information of 1.2 million customers. The same thing happened to Citigroup in June 2005, only this time the tapes contained the personal data of 3.9 million customers. ESG estimates a per-record cost of between $30 and $150, which is a total cost of approximately $1 billion to more than $6 billion for the two breaches combined. Obviously, these incidents demonstrated that the risk of outsiders gaining access to backup tapes was real.
- More privacy laws. The granddaddy of U.S. privacy laws has the catchy name of California Senate Bill (SB) 1386. SB 1386 mandates that companies publicly disclose data breaches if any California citizen's private information is exposed. In effect, SB 1386 was behind the Bank of America and Citigroup disclosures. As of this writing, a total of 28 states have passed similar privacy laws, and there are more stringent regulations in effect in Europe and Asia.
- Boardroom jitters. When CEOs see data breach headlines emanating from Bank of America and Citigroup, they tend to be more willing to open the corporate wallet to scramble bits on their tapes.
Most still don't encrypt
Despite all of this progress, 75% of enterprises still don't encrypt their backup data. Why? Some are still hung up on the traditional objections--cost and performance--to any form of encryption. Enterprises may not have a budget for backup encryption or may feel that encryption will add too much overhead, slow down backup processing and throw a monkey wrench into an already tight backup window. Another obstacle to backup encryption is user confusion--encryption is still a black art to many storage professionals. Finally, storage managers can quickly assume a "deer in the headlights" look when confronted with a choice of encrypting backup tapes using backup software, file-system tools, cryptographic appliances or switches, or encrypting tape drives.
In spite of the fact that three-quarters of enterprises continue to eschew backup encryption, IT managers have become resigned to the inevitability of encryption technology. They recognize that the next LTO drive they buy will have encryption capabilities, while future disk arrays will support the Trusted Computing Group (TCG) storage security standards. The tape-encryption infrastructure will arrive within the next 24 months, whether you like it or not.
Given the certainty around tape encryption, organizations should begin their tape-encryption planning as soon as possible. Based on countless enterprise interactions, ESG recommends large organizations anticipate tape-encryption best practices through the following:
Assess risks. If you work in a regulated industry at a publicly traded firm where backup tapes are shipped offsite with a third-party service provider, you face a high degree of risk. Fast track a decision and proceed to implementation as soon as possible. If your organization doesn't fit this precise profile, you should still undertake a thorough risk assessment. For example, many firms entrust employees to deliver tapes from one data center to another. In cases like that, policy creation, signed employee agreements and background checks may be a logical first step toward safeguarding tape-based data. Make sure to assess future privacy legislation and international laws that may impact any near- or long-term plans.
Take a backup inventory. There are four basic options for tape encryption: software (i.e., backup software), file-system encryption at the media server, an encryption appliance or switch, or encrypting tape drives. Before choosing one, assess all backup technologies, amortization schedules and backup architectures. Which equipment is due for an upgrade? Is tape backup used as a primary or secondary backup medium? Be selective but open-minded; many large organizations will end up with a heterogeneous encryption architecture that includes more than one of these technologies.
Map tape-encryption plans to backup strategies. Encrypting tapes might not make sense if your organization plans to implement virtual tape or disk-to-disk backup in the near future. In that case, disk-based encryption may be a better fit.
Consider other tape applications. Tape may become the preferred medium for e-discovery and records retention, digitizing historical information or deep archival. Much of this data may be considered private or "company confidential," and it may also be regulated. If that's the case, do a risk assessment to see if encryption is required.
Get to know the chief information security officer (CISO). In terms of security, check with the CISO to see if the security team has any future plans for centralized encryption key management. If so, you may want to explore internal integration options and query vendors about their key management road maps. Remember that key management may also introduce some extremely tight processes that impact day-to-day operations. As the Boy Scouts say, "Be prepared."
The bottom line
In the near future, encryption technologies will closely mirror the old "death and taxes" cliché as one of those things that are inevitable. Approximately 25% of enterprises are there, but the vast majority are still on the sidelines. ESG recommends a proactive plan toward encryption that includes risk assessment, technology inventory, implementation planning and coordination with the security team. It's better--and cheaper--to be safe than sorry.