Tape encryption technologies and practices are on the rise. But with more choices than ever, careful consideration of the options is critical.
Despite steadily growing interest, the number of companies that encrypt their tapes remains relatively small. When SAN-based encryption appliances were introduced a few years ago, there was a significant uptick in encryption interest. With the emergence of new generations of tape drives featuring onboard hardware encryption, companies are revisiting their tape security practices in the hope that this new technology will solve their current tape security concerns at an affordable price.
A good place to start is with an overview of the landscape.
Backup software encryption: Many backup vendors offer basic client-side data encryption as a standard feature or option. Practically speaking, this function is of limited value because of its host/resource impact, which is exacerbated by the accompanying burden of host-based compression (encrypted data is effectively incompressible, so software encryption renders tape drive compression ineffective unless the data is compressed before it is encrypted). The bottom line is that this type of encryption is useful only in some cases.
Some vendors, such as CommVault and Symantec, have introduced data encryption on the media server, a choice that reduces the impact on client-side system performance. These options have the ability to compress and encrypt any combination of onsite and offsite tapes, and also provide some level of key management. Depending on media server configurations and data volume, this approach can be less costly than hardware encryption options. However, it carries some risk of media server performance impact.
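The compression point made above, for both client-side and media-server encryption, can be measured directly. The following is an added illustration, not code from the article or from any backup product: it models drive-level hardware compression with zlib and stands in for the drive's AES engine with a SHA-256 counter-mode keystream (the Python standard library has no AES; only the random-looking output matters here), then compares what the "drive" can still compress when the host encrypts first versus when it compresses first.

```python
import hashlib
import hmac
import zlib

# Constructed sample backup stream: repetitive log records of the kind that
# tape drive hardware compression shrinks very well.
SAMPLE = b"2008-01-15 02:00:01 job=nightly host=db01 status=ok bytes=1048576\n" * 2000
KEY = b"constructed-demo-key-not-for-real-use"


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real cipher: SHA-256 in counter mode yields a keystream that
    is XORed with the data (XOR again with the same key decrypts). The ciphertext
    has no redundancy left, just like AES-encrypted tape blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def drive_compression_ratio(data: bytes) -> float:
    """Model of the drive's onboard compression: original size / compressed size."""
    return len(data) / len(zlib.compress(data, 6))


def compare_orderings(data: bytes, key: bytes) -> dict:
    """Ratios for three cases: plaintext sent to the drive, encrypt-then-drive-compress
    (software encryption without host compression), and host-compress-then-encrypt."""
    encrypt_only = keystream_encrypt(key, data)
    compress_then_encrypt = keystream_encrypt(key, zlib.compress(data, 6))
    return {
        # Drive compression works normally on plaintext.
        "plaintext_drive_ratio": drive_compression_ratio(data),
        # Drive compression gains nothing on ciphertext (ratio about 1.0 or below).
        "encrypt_only_drive_ratio": drive_compression_ratio(encrypt_only),
        # Host compression before encryption recovers the savings end to end.
        "compress_then_encrypt_overall_ratio": len(data) / len(compress_then_encrypt),
    }


if __name__ == "__main__":
    for name, ratio in compare_orderings(SAMPLE, KEY).items():
        print(f"{name}: {ratio:.2f}:1")
```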
SAN-based encryption appliance: Encryption appliances offer line-speed encryption capabilities and key management capabilities. Veteran vendors such as Decru (a NetApp company) and NeoScale Systems have been joined by companies such as CipherMax and Crossroads Systems. These appliances sit in the data path between the backup server and tape library, and can encrypt the data stream in real time with little or no performance penalty. There's considerable variation among these products in terms of the number of ports available, which could impact scalability and configuration complexity. An advantage is that these appliances are agnostic with regards to backup software and tape hardware.
SAN switch-based encryption: An alternative to the SAN-based appliance has emerged in the form of the Cisco MDS 9000 Family Storage Media Encryption Package. Designed to run on multiservice modules available for Cisco 9000 switches, the device functions in a manner similar to that of an encryption appliance. The biggest difference is the ability to perform hardware-based encryption without the complexities of additional external devices and cabling.
Tape drive encryption: Perhaps the most eagerly awaited encryption development over the past year has been the introduction of tape drives with embedded encryption. Initially this was offered only in high-end ($30,000-plus) tape drives such as the IBM System Storage TS1120 and the Sun Microsystems StorageTek T10000; LTO-4 has since brought the capability to the midrange level. Tape drives have included onboard compression for years and, all other things being equal, they seem logical targets for data encryption as well.
Another factor to keep in mind is the lack of key portability among vendors. While there's an emerging IEEE standard (P1619.3) and most vendors have pledged to support it, it's reasonable to anticipate transition challenges depending on organizational tape-retention policies.
Security breaches can also translate into legal liabilities. Privacy notification laws, beginning with California's SB 1386, have been enacted by 39 states. Those who know California's law might mistakenly believe that encryption provides an exemption from these customer notification regulations. While this may be the case in California, subsequent laws in other states have no such exemptions.
This confusion, combined with the complexities associated with key management, means some firms choose to avoid encryption. Retaining tapes on company property and eliminating the physical relocation of tapes in favor of electronic vaulting and replication have become attractive options. But depending on the amount of data at hand, that route is often cost prohibitive. Expect advances in technologies like deduplication to make this option more feasible.
Scalability: How predictable is your data growth? Backup software and tape encryption solutions typically offer a smoother growth curve, while appliances follow more of a step function.
Key management needs: From a security best practices perspective, key management should be an independent entity from backup. But due to complexity and organizational limitations, backup admins often become de facto key managers, and there are many cases where a single key is used for all backups. Assuming those organizational policies mature sometime in the future, does your new solution have key management capabilities to accommodate them?
Economic drivers: Organizations typically upgrade tape drives on a three- to five-year cycle, but tape library cycles usually stretch from five to seven years or longer. Unless you're at the right point in your technology depreciation and refresh cycle, tape drive encryption may not be feasible.
Operational integration and management: All encryption options have some operational impact, but the specifics vary. Tape drive encryption, for example, is simple from a physical integration perspective, but its success depends on some degree of backup software support (from basic hardware support to full key management control). Appliances are often transparent to the backup app, but require their own operational procedures to be integrated with the rest of the infrastructure. In all circumstances, the impact on disaster recovery and archiving practices, and the challenges of managing encrypted and unencrypted tapes, must be addressed.
Ultimately, your selection depends on the following: