
Where should you encrypt your data?

Because of high-profile losses of data through misplaced or stolen backup tapes, everyone is aware of tape encryption. There are many choices, so picking what's best for your organization can be challenging.

For a long time, practically no one bothered with tape encryption. But thanks to a few high-profile losses of data through misplaced or stolen backup tapes, regulators and everyone else are suddenly paying attention. But there are many choices when it comes to tape encryption, so picking what's best for your organization can be challenging.

Jon Oltsik, senior analyst, information security at the Enterprise Strategy Group, Milford, Mass., says tape encryption today is mostly done in appliances, with Decru Inc. (a division of NetApp Inc.) boasting one of the most substantial customer lists. Other companies with tape encryption appliances include Bosanova Inc. with its Q3, CipherMax Inc. CM100T and Vormetric Inc. CoreGuard. However, he notes, "I see this migrating to the tape drives themselves over time as customers implement new drives and libraries."

He explains that tape drives embed the cryptographic processing in the drive, so the advantages are cost and performance. The disadvantages are that most existing tape drives don't have encryption functionality built in, which is why users choose to deploy encryption appliances. These appliances are relatively fast and transparent to tape/storage operations but are also rather expensive to buy and operate. "My view is that tape drive-based encryption wins by default over time," he adds.

Gartner Inc.'s Jeffrey Wheatman, research director for security, tells a similar story. He says once you determine you want to encrypt, the main decision points revolve around whether to accomplish that at the server (host-based), in an external appliance or within the tape drive.

He says historically, the primary approach to encryption has been through software as part of the backup itself. Indeed, the ability to encrypt may already be built in to your existing backup software or can be acquired inexpensively, he notes. Some examples of encryption-enabled backup software include Atempo Inc. Time Navigator 4.1, CommVault Simpana, EMC Corp. NetWorker and Symantec Corp. Veritas NetBackup 6.5, among others. The big problem, however, is that server-based, backup software encryption often has a substantial negative impact on speed, slowing the backup process and creating an unacceptably large backup window.

Like Oltsik, Wheatman sees backup appliances such as those offered by CipherMax Inc., Ingrian Networks Inc. (recently acquired by SafeNet Inc.) and NeoScale Systems Inc. (recently acquired by nCipher Corp.) as the leading approach to the problem at the moment. Built around ASICs or even multi-core processors, they typically sit between the server and the backup library.

"Appliances are usually fast, operating sometimes at close to line speed, so they don't have much of a negative impact on backup windows," he notes. On the other hand, they are generally quite expensive -- even more so in the case where a matching appliance must be maintained at a backup site. Furthermore, Wheatman says some appliances appear to interfere with the compression of backup data, potentially adding cost and time to the process. "Compression usually takes advantage of the repetitive nature of most data but when you randomize things through encryption that can be a problem," so it is better to encrypt after compression if possible, he says.

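The ordering effect Wheatman describes can be measured directly. The following is an added example, not code from the original article or from any vendor it names: it runs a constructed, repetitive sample through both orderings and reports the resulting sizes. The SHA-256 counter-mode keystream is an assumed stand-in for a real cipher so the script needs only the Python standard library, and all function names are hypothetical.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (assumption, illustration only): XOR the data
    with SHA-256(key || nonce || counter) blocks. The same call decrypts."""
    pad = b"".join(
        hashlib.sha256(key + nonce + n.to_bytes(8, "big")).digest()
        for n in range((len(data) + 31) // 32)
    )[:len(data)]
    mixed = int.from_bytes(data, "big") ^ int.from_bytes(pad, "big")
    return mixed.to_bytes(len(data), "big")


def make_sample_backup(rows: int = 5000) -> bytes:
    """Constructed, repetitive records standing in for a backup stream."""
    return b"".join(
        b"%08d,ACCT-%05d,status=ACTIVE,region=us-east,balance=0000.00\n"
        % (i, i % 500)
        for i in range(rows)
    )


def compare_orderings(data: bytes, key: bytes, nonce: bytes) -> dict:
    """Return the bytes that would reach tape under each ordering."""
    # Recommended order: compression sees the repetitive plaintext.
    compressed_first = keystream_xor(key, nonce, zlib.compress(data, 6))
    # Reversed order: compression sees pseudorandom ciphertext.
    encrypted_first = zlib.compress(keystream_xor(key, nonce, data), 6)
    # Restore path for the recommended order: decrypt, then decompress.
    restored = zlib.decompress(keystream_xor(key, nonce, compressed_first))
    return {
        "raw": len(data),
        "compress_then_encrypt": len(compressed_first),
        "encrypt_then_compress": len(encrypted_first),
        "restore_ok": restored == data,
    }


if __name__ == "__main__":
    sizes = compare_orderings(
        make_sample_backup(), b"constructed-demo-key", b"tape-0001"
    )
    for name, value in sizes.items():
        print(f"{name:>22}: {value}")
```
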
Although tape drives with built-in encryption have begun to appear, Wheatman says that despite their speed the market is mostly taking a wait-and-see approach, because the writing of the tapes is already the place where failures are most common, "so anything that adds complexity is viewed with caution." And, according to Oltsik, there are no clear leaders among the vendors, though he notes that both Hewlett-Packard Co. (with its StorageWorks 1840) and IBM Corp. (with its T1120) are among those offering encrypting tape drives and libraries.

Finally, although Wheatman says he hasn't studied any encryption approaches using a virtual tape library (VTL), "it is a concept that could work," he says.

Tape encryption implementation strategy

As you plan your investment in tape encryption capabilities, Wheatman stresses the importance of considering the entire enterprise encryption strategy. "You should put together a three-year roadmap and try to ensure that what you do will fit in your long-term encryption and security framework," he adds.

Wheatman says appliances usually fit better within an enterprise encryption strategy than software-based approaches because of performance and the fact that software encryption may not conform to norms such as the new IEEE 1610 standard. "Furthermore, software approaches don't usually mesh with an end-to-end approach to data encryption," he says.

Despite their cost and the market's cool reception to date, Wheatman says tape drive encryption also has the potential to provide performance and a good fit with an enterprise approach.

Last but not least, Wheatman says it's also important to pay attention to how keys are handled -- an area that has attracted vendors such as nCipher Corp. "You need to cycle keys periodically while being able to preserve keys for recoverability," he adds.

About the author: Alan Earls is a Boston-area freelance writer focused on business and technology, particularly data storage.
