Best Practices: Unraveling tape encryption


This article can also be found in the Premium Editorial Download "Storage magazine: A report on storage standards: SMI-S, XAM, encryption key management and FAIS."


SAN-based encryption appliance: Encryption appliances offer line-speed encryption and key management capabilities. Veteran vendors such as Decru (a NetApp company) and NeoScale Systems have been joined by companies such as CipherMax and Crossroads Systems. These appliances sit in the data path between the backup server and tape library, and can encrypt the data stream in real time with little or no performance penalty. There's considerable variation among these products in terms of the number of ports available, which could impact scalability and configuration complexity. An advantage is that these appliances are agnostic with regard to backup software and tape hardware.

SAN switch-based encryption: An alternative to the SAN-based appliance has emerged in the form of the Cisco MDS 9000 Family Storage Media Encryption Package. Designed to run on multiservice modules available for Cisco 9000 switches, the device functions in a manner similar to that of an encryption appliance. The biggest difference is the ability to perform hardware-based encryption without the complexities of additional external devices and cabling.

Tape drive encryption: Perhaps the most eagerly awaited encryption development over the past year has been the introduction of tape drives with embedded encryption. Initially offered only in high-end ($30,000-plus) tape drives such as the IBM System Storage TS1120 and the Sun Microsystems StorageTek T10000, this capability has been brought to the midrange level by LTO-4. Tape drives have included onboard compression for years and, all other things being equal, they seem logical targets for data encryption as well.

Has anyone seen my keys?
But all things aren't equal, and encryption presents significant management challenges due to the complexities of key management. Extremely long retention policies can increase the risk of key loss and, as a result, data loss by way of "lockout." Encryption appliance vendors have invested heavily in this area and tend to offer solid feature sets and safeguards, flexible key lifecycle management, key replication and validation, and access control. Among tape drive and backup vendors, key management ranges from minimal single-key encryption to comprehensive key management add-ons. From a security architecture perspective, some vendors are eyeing integration with third-party key managers from firms like nCipher and RSA (The Security Division of EMC) in anticipation that larger enterprises will opt for a centralized, more auditable key management authority.

Another factor to keep in mind is the lack of key portability among vendors. While there's an emerging IEEE standard (P1619.3) and most vendors have pledged to support it, it's reasonable to anticipate potential transitioning challenges depending on organizational tape-retention policies.

This was first published in January 2008
