This article can also be found in the Premium Editorial Download "Storage magazine: Survey says storage salaries are climbing."

Download it now to read this article plus other related content.

This summer, FalconStor added a specialized chip to its VirtualTape Library appliance that handles 128-bit AES encryption. Dubbed Secure Tape Transport Service (STTS), it allows encryption to be performed on the VTL appliance rather than on the clients or the backup server, which eliminates any performance hit on the production system. Furthermore, the VTL can also compress the data before it encrypts it, so as not to swell the size of backups on tape.

Moving encryption out of the backup software is a logical evolution, Lallier says. Once upon a time, compression was also the domain of backup software; but these days, the compression function has largely migrated to tape drives and libraries.

In fact, manufacturers are actively considering adding encryption to their tape drives. "If you move the encryption out closer to the hardware, you don't have to do hardware-specific things and it mitigates the performance characteristics," says Charlie Andrews, director of IBM TotalStorage product marketing. While IBM is still looking at how to implement it, the company's ultimate goal is to bring the encryption function "outboard" and couple it with systematic enterprise-wide key management, he says.

In the meantime, taking encryption off the host is the idea behind specialized encryption appliances such as Decru Inc.'s DataFort (Network Appliance Inc. acquired Decru last summer for $260 million) and NeoScale Systems Inc.'s CryptoStor. As SAN-attached devices, they

Requires Free Membership to View

sit in the fabric between the host and storage and encrypt the data stream at speeds as close to wire-speed as possible, adding virtually no latency. While neither of the companies' products was designed to encrypt backups per se, over time both companies have developed specific versions of their products designed for tape: Decru DataFort FC-Series for Tape and NeoScale CryptoStor Tape.

Decru's DataFort for Tape is no different than versions designed for primary disk. "It's a licensing issue," says Michele Borovac, Decru's vice president of marketing. The tape-specific version, however, is integrated with backup applications so it can be configured to encrypt specific backup jobs and tapes, or data coming from specific hosts.

NeoScale's CryptoStor Tape is architected differently than CryptoStor for primary disk. Whereas CryptoStor for primary disk is an inline appliance, CryptoStor Tape is built as a proxy that poses as the tape device, processes the data and then passes it on. That means CryptoStor Tape can be zoned among several hosts and tape devices, and it can also compress the data. The inline appliance is designed to transparently encrypt data between a host and storage; as such, "you can't change the length of the data" with compression, says Dore Rosenblum, NeoScale's vice president of marketing, because the disk is expecting data within a certain block range.

Another hardware-based tape encryption product is Assurency SecureData for Tape, from Kasten Chase Applied Research Limited in Toronto. Assurency consists of two products: the Assurency ACA 2400 Crypto-Accelerator and Driver, a board-level compression and encryption engine that sits inside the backup server; and the Assurency SecureData appliance, whose main role is key management and applying policies about which tapes get encrypted.

All of this performance and manageability comes at a cost: Expect to spend at least $25,000 per appliance, says GlassHouse's Preston. Pricing for NeoScale's CryptoStor Tape starts at $20,000 and goes up to $45,000, says Rosenblum, while Decru's DataFort for Tape is priced at approximately $25,000.

For a slightly more affordable approach to hardware-based backup encryption, users may want to consider a product from British firm Disuk Ltd., Northampton, U.K., which resells its wares in the U.S. through Digital Security International in Arlington, VA. The appliance, called Paranoia2, comes with SCSI, Fibre Channel or iSCSI connectivity, and features throughput of up to 68MB/sec. That won't fill a full 2Gb/sec Fibre Channel pipe, but may suffice for some backup jobs. Paranoia2 features Triple DES 256-bit encryption and retails for approximately $15,000. This June, the firm also announced SafeTape, which bundles the Paranoia encryption engine with a single SDLT, LTO or AIT tape drive for a retail price of $17,995.

This was first published in November 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: