By Dave Raffo
Data backup security is a rapidly evolving -- if not rapidly adopted -- piece of the enterprise data storage world. It largely revolves around encryption, and has spread in the past few years from tape to host to disk, and is now an issue for the young cloud storage market.
Despite some highly publicized breaches involving lost unencrypted tapes a few years back-- with much of that publicity generated by data security vendors -- encryption has been slow to catch on among enterprise data storage pros. Hurdles blocking adoption include price and management difficulties involved with adding appliances to handle encryption, lack of standards for key management, and no consensus of the best place to handle encryption. Despite more options for encrypting data and standardization efforts underway, organizations are still taking a wait-and-see attitude. However, many see the need for encryption.
According to the latest Storage magazine purchasing survey last fall, 51% said they are encrypting some backup data -- up 7% from the previous year -- and 81% say they were either encrypting or planned to evaluate within the next year.
Market research firm The InfoPro's latest survey of Fortune 500 adoption shows 41% are using tape encryption now, and 47% do not plan to encrypt data on tapes. However, that does not take into account possible encryption of data on disk.
SECURE DATA BACKUP STRATEGIES: TABLE OF CONTENTS
Industry experts, vendors and storage administrators agree that in a secure data backup strategy, widespread encryption adoption all comes down to encryption key management. A good encryption key management system would simplify the process of generating, rotating, backing up and securing keys required to decrypt data after it is encrypted. Anybody with access to encryption keys also has access to all encrypted data.
With key management commonly cited as the biggest problem for encryption, there is a lot riding on the work of standards groups such as the Organization for the Advancement of Structured Information Standards (OASIS). OASIS is working on a standard for interoperability between key management systems called the Key Management Interoperability Protocol (KMIP).
The goal of the KMIP initiative is to ensure interoperability between key management systems from different vendors and between different encryption technologies. The way it stands now, each vendor in the encryption space has its own key management system and none of them work with other vendors' keys. That means organizations still have to manage keys separately for any type of encryption they're using.
With EMC Corp.'s RSA Security, Brocade, Hewlett-Packard (HP) Co., IBM Corp., NetApp, Seagate, Thales Security and CA among the storage vendors involved, the KMIP standard should cover most encryption devices once it is complete. If adopted, KMIP would allow users to attach almost any encrypting device to one preferred key management system, regardless of the vendors involved.
"It's the key management that still continues to be an issue," Taneja Group founder and senior analyst Arun Taneja said. "Key management will be a bigger issue when you have a gazillion drives and each has its own key management. How do you manage the keys?"
Encryption appliance vendors Decru, NeoScale Networks Inc., Vormetric, and Kasten Chase Applied Research Ltd. made an attempt at encrypting data backed up on tape in the wake of the early publicized breaches. That concept never took off, even after NetApp acquired Decru in 2005.
Still, the appliance approach isn't dead. NetApp still markets DataFort appliances it acquired from Decru, and Thales is still selling CryptoStor tape encryption devices first developed by Neoscale, and it has a key management appliance sold by Hitachi Data Systems with Brocade switches.
While appliances remain an option for large organizations that can integrate them into their storage networks, they are pricey and present an extra management layer that limit their appeal to smaller companies.
Not long after appliances hit the scene, data backup vendors such as Symantec Corp., IBM, EMC, CA and CommVault began supporting encryption in their software. That enabled host-based encryption, but the encryption process slows down backups and could require more media for backups because you can't compress encrypted data. That makes host-based more of an option for smaller data sets.
Built-in encryption was considered one of the big selling points of LTO-4 tape drives when they hit the market, but while LTO-4 has taken over the tape market it hasn't been because of encryption -- mainly because putting encryption in the library doesn't solve the key management issue.
IBM and Sun StorageTek also offer native tape encryption for their high-end tape libraries. These libraries are used almost exclusively by large enterprises.
Self-encrypting hard drives can make encryption ubiquitous although it's relatively early days for this technology.
Data security is one of the frequently mentioned hurdles to implementing cloud storage and cloud backup, because moving data to the cloud means trusting it to an outside organization. Businesses are advised to investigate their provider's security methods before storing their data with a third-party. Security concerns range from physical security (how well is the cloud provider's data center protected), to its encryption policies and whether it supports secure user protocols such as SSL, TLS or SSH.
Organizations also want to know that their cloud provider is SAS 70-certified. A SAS 70 audit is a review of a service organization's policies, practices and security measures conducted by an independent auditor. SAS 70 audits have gained widespread usage among hosted IT service providers as a way to publicize security and accountability.
Data backup security goes beyond the media you're still using to store your data. You also have to make sure to wipe data off the tape cartridges and disks you want to get rid of. Options include software to overwrite data, degaussing, and outsourcing the job to destruction service providers. Dumping them in the garbage should not be an option, because the media can have sensitive data, and because of environmental concerns.
According to a June 2009 research report by the Enterprise Strategy Group called "Protecting Confidential Data Revisited," 53% of large enterprises surveyed used "brute-force" methods, such as physically destroying their disk drives and tapes. Other enterprises used data destruction software (35%) and homegrown tools and processes (25%). But whatever method they chose, 82% of respondents said they have formal policies and procedures in place for data destruction of storage media.