Published: 12 Jan 2006
Security. Performance. Affordability. Pick two. Storage administrators who have been instructed to secure their organization's backup tapes are grappling with this reality.
The bulletproof, high-performance encryption appliances offered by vendors like Decru (now owned by Network Appliance) and NeoScale Systems come at a cost of $25,000 or more per appliance (see "Encryption appliances reviewed," this issue). Encrypting data in software is cheap, but it places a huge load on the host, and can double the time it takes to complete a backup. Quantum's new DLTSage Tape Security represents the latest approach--it's fast and free, but may not pass muster with regulatory agencies or be an ample deterrent for a dedicated "black hat."
DLTSage Tape Security is a firmware addition to Quantum's existing DLT-V4 drives, and will be included on the next generation DLT-S4, due out this quarter. It works by embedding a 256-bit key in the header of the tape cartridge; the cartridge can only be unlocked by a drive that holds the same key. The data itself isn't encrypted, so you can still use the drive's compression capabilities, and you don't incur the performance overhead that comes with encryption. "It's analogous to putting a lock on the front door," says Mark O'Malley, Quantum's product marketing manager.
Quantum is also plugging other obvious holes in tape security. For example, it's adding user authentication and authorization to its tape drive and library management GUIs, and making it harder to out-and-out steal backup media by putting physical locks on its library doors and a specialized bezel on its DX series virtual tape library appliances.
"The storage industry is finally changing the way it builds storage," says Kevin Brown, Decru's VP of marketing.
But because the data behind the DLTSage Tape Security key is still in the clear, it's probably not appropriate for organizations with personal customer data like credit card numbers. Laws like California's SB 1386 exempt companies from having to disclose a data theft if the data was encrypted, and lawmakers have proposed similar laws at the federal level. If you're using only DLTSage Tape Security, "I'd imagine you'd probably have to disclose," says Jon Oltsik, senior analyst at the Enterprise Strategy Group, Milford, MA.
Perhaps more to the point, even though "you'd have to go through some real hoops to do it, there may be some forensic ways to get around this kind of security," Oltsik admits. Still, "this is way better than nothing," he says. "Quantum has moved the ball forward."
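To make the distinction concrete, here is an added illustration (not Quantum's firmware or any vendor's code) of the two models the article contrasts: a header-only lock, where the drive refuses to read a cartridge unless it holds the matching key tag, versus true content encryption. The image layout, the tag derivation and the HMAC-based toy keystream are assumptions made for the demo; the last function is the kind of check an administrator can run on a raw backup image to see whether records survive in the clear.

```python
import hashlib
import hmac
import os

# Constructed demo: a tape "image" is a small header followed by the body.
MAGIC = b"TAPE"

def _key_tag(key: bytes) -> bytes:
    # 32-byte tag derived from the 256-bit key; a drive compares tags, not raw keys
    return hashlib.sha256(b"demo-tag-v1" + key).digest()

def write_header_locked(key: bytes, data: bytes) -> bytes:
    """Header-only lock (assumed format): key tag in the header, body left in the clear."""
    return MAGIC + b"LOCK" + _key_tag(key) + data

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256; illustration only, not AES
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def write_encrypted(key: bytes, data: bytes, nonce: bytes = b"") -> bytes:
    """Content encryption (assumed format): body XORed with a key-derived keystream."""
    nonce = nonce or os.urandom(16)
    ks = _keystream(key, nonce, len(data))
    return MAGIC + b"ENCR" + nonce + bytes(a ^ b for a, b in zip(data, ks))

def drive_read(key: bytes, image: bytes):
    """What a compliant drive does: refuse without the matching key, else return the data.
    Returns None when the cartridge cannot be unlocked with this key."""
    if image[:4] != MAGIC:
        return None
    mode = image[4:8]
    if mode == b"LOCK":
        # The gate is the tag comparison; nothing about the body depends on the key
        if not hmac.compare_digest(image[8:40], _key_tag(key)):
            return None
        return image[40:]
    if mode == b"ENCR":
        # Wrong key yields garbage rather than the record (no authentication in this toy)
        nonce, body = image[8:24], image[24:]
        return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return None

def plaintext_exposed(image: bytes, marker: bytes) -> bool:
    """Audit check: does the raw image still contain a known record verbatim?
    True for a header-only lock, False when the body is actually encrypted."""
    return marker in image
```

Run the audit against a real backup image by searching for a record you know is on the tape; a header lock stops a compliant drive, not a raw read of the media.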
For enterprise shops, encryption is still the only choice, and the number of encryption offerings available to customers will continue to grow. Sun has announced native encryption on its new StorageTek T10000 drive, Spectra Logic offers it as part of its T120 and T950 libraries, and Quantum promises native encryption in both libraries and drives in the second half of this year.
Unfortunately, native hardware encryption doesn't signal the end of storage administrators' problems--key management is the real issue. "The encryption being built into tape drives is rudimentary," says Brown. "It turns out that tape drives aren't that smart." For example, one issue to consider is how keys are passed from one drive to another--is it in clear text or are they, too, encrypted? Increasingly, says Brown, "customers are saying, 'Great, you've encrypted the data. Now did you do the other 99 things to make sure it's secure?' "