Mainframe shops scramble to encrypt tapes

Laws across the country are prompting users to start encrypting mainframe backups, but getting tape encryption products to work with primary storage is causing headaches.

Mainframe shops, never known for their rapid embrace of change, are deploying tape encryption technology with uncharacteristic speed -- sometimes without waiting for their primary storage vendors to support the solutions.

Lighting the fire under mainframe shops' derrieres are auditors and senior executives eager to comply with laws like California's SB 1386, which requires organizations that store sensitive customer information to notify customers of possible security breaches, such as the loss of an unencrypted tape. As of last summer, 18 states had enacted similar laws and federal legislation is on the way. The Federal Trade Commission and organizations such as Visa PCI are also becoming increasingly stringent in their audits.

In Delaware, an SB 1386-like law took effect last June, forcing Jeff Moore, IT project manager at a Delaware-based bank, to investigate a way to encrypt mainframe backups. "The auditors were screaming at us; senior management was screaming at us, 'Why can't you encrypt these tapes?'" he recalls.

Initial experiments with software-based encryption failed. Innovation Data Processing's FDRCrypt and MegaCryption's MegaCryption/MVS (Multiple Virtual Storage) showed a 300% runtime increase. "We just don't have the extra cycles," Moore said. Adding a dedicated cryptographic coprocessor to the mainframe helped, but not entirely. Furthermore, it would have required the firm to change its backup process from Innovation's FDR to an IBM process.

Sun Microsystems Inc., the bank's tape library supplier, told Moore to sit tight and wait for its StorageTek T10000 tape drive, which will support encryption on the drive itself. A Fibre Channel (FC) version of the drive is currently shipping. A FICON version won't ship until July and encryption is slated for the second half of 2006, according to a Sun spokesperson.

Meanwhile, over on the open systems side of the house, tape encryption was proceeding well using a NeoScale Systems Inc. inline encryption appliance between the media servers and an Advanced Digital Information Corp. tape library. As a stopgap, the bank purchased an ESCON-to-FC gateway from Luminex Software Inc. through which it now sends its mainframe backup streams to the NeoScale appliance and, finally, to a pair of Sun StorageTek FC tape drives.

In addition to working with Luminex, Decru Inc. (a Network Appliance Inc. company) has mainframe customers who encrypt mainframe tapes in other ways, including working with a Fujitsu Siemens Computers CentricStor, a virtual tape library (VTL) that supports ESCON, FICON and FC; Bus-Tech Inc.'s Mainframe Appliance for Storage, which converts tape streams to open systems files; and Neartek Inc., another VTL player with roots in the mainframe world. Kevin Brown, Decru's vice president of marketing, said the firm hasn't ruled out developing a FICON version of its appliance.

For iSeries and Unisys shops, Englewood, Colo.-based Dynamic Solutions International (DSI) has a VTL offering based on software from FalconStor Software Inc. that can encrypt data before it's sent to tape. Chris Johnson, DSI's vice president of storage solutions, said the VTL offering has proved useful for cycle-strapped shops because "the VTL removes all that processing off the host."

Back in Moore's shop, the window of opportunity for encrypted tape may have come and gone. "If [Sun's] StorageTek had a working solution, we definitely would have gone that route," Moore said. But three years from now, when the NeoScale and Luminex equipment is finally depreciated, there's little chance he'll revisit the encryption-capable T10000. By that point, "I hope not to be shipping tapes anymore," he says. Instead, he's thinking about using Luminex's virtual tape capabilities and sending his backup streams directly over the wire to a virtual tape device at his disaster recovery facility. Even though the firm has never lost a tape, "it doesn't make sense to continue to ship tapes off site," he said.
