MAINFRAME SHOPS, never known for their rapid embrace of change, are deploying tape encryption technology with uncharacteristic...
speed--sometimes without waiting for their primary storage vendors to support the solutions.
Lighting the fire under mainframe shops' derrieres are auditors and senior executives eager to comply with laws like California's SB 1386, which requires organizations that store sensitive customer information to notify customers of possible security breaches, such as the loss of an unencrypted tape. As of last summer, 18 states had enacted similar laws and federal legislation is on the way. The Federal Trade Commission and organizations such as Visa PCI are also becoming increasingly stringent in their audits.
In Delaware, an SB 1386-like law took effect last June, forcing Jeff Moore, IT project manager at a Delaware-based bank to investigate a way to encrypt mainframe backups. "The auditors were screaming at us; senior management was screaming at us, 'Why can't you encrypt these tapes?'" he recalls.
Initial experiments with software-based encryption failed. Innovation Data Processing's FDRCrypt and MegaCryption's MegaCryption/MVS showed a 300% runtime increase. "We just don't have the extra cycles," says Moore. Adding a dedicated cryptographic coprocessor to the mainframe helped, but not entirely. Furthermore, it would have required the firm to change its backup process from Innovation's FDR to an IBM process.
Sun Microsystems, the bank's tape library supplier, told Moore to sit tight and wait for its StorageTek T10000 tape drive, which will support encryption on the drive itself. A Fibre Channel (FC) version of the drive is currently shipping; a FICON version won't ship until July and encryption is slated for the second half of 2006, according to a Sun spokesperson.
Meanwhile, over on the open-systems side of the house, tape encryption was proceeding well using a NeoScale Systems' inline encryption appliance between the media servers and an ADIC tape library. As a stopgap, the bank purchased an ESCON-to-FC gateway from Luminex through which it now sends its mainframe backup streams to the NeoScale appliance and, finally, to a pair of Sun StorageTek FC tape drives.
In addition to working with Luminex, Decru (a Network Appliance company) has mainframe customers who encrypt mainframe tapes other ways, including working with a Fujitsu Siemens CentricStor, a virtual tape library (VTL) that supports ESCON, FICON and FC; Bus-Tech's Mainframe Appliance for Storage, which converts tape streams to open-systems files; and Neartek, another VTL player with roots in the mainframe world. Kevin Brown, Decru's VP of marketing, says the firm hasn't ruled out developing a FICON version of its appliance.
For iSeries and Unisys shops, Englewood, CO-based Dynamic Solutions International (DSI) has a VTL offering based on software from FalconStor that can encrypt data before it's sent to tape. Chris Johnson, DSI's VP of storage solutions, says the VTL offering has proved useful for cycle-strapped shops because "the VTL removes all that processing off the host."
Back in Moore's shop, the window of opportunity for encrypted tape may have come and gone. "If [Sun's] StorageTek had a working solution, we definitely would have gone that route," says Moore. But three years from now, when the NeoScale and Luminex equipment is finally depreciated, there's little chance he'll revisit the encryption-capable T10000. By that point, "I hope not to be shipping tapes anymore," he says. Instead, he's thinking about using Luminex's virtual tape capabilities and sending his backup streams directly over the wire to a virtual tape device at his DR facility. Even though the firm has never lost a tape, "it doesn't make sense to continue to ship tapes offsite," he says.