This article can also be found in the Premium Editorial Download "Storage magazine: RAID turns 20: Do you still need it?"
Deciding where to implement encryption is only the first step; other decisions have to be made as well. For example, choosing a more complex encryption algorithm such as 256-bit AES can lengthen the time it takes to encrypt data, introduce unacceptable levels of server overhead and extend backup windows. User-selected encryption keys may be too easily hacked, negating whatever benefits encryption provides. And large organizations that are implementing encryption at multiple layers or in different locations in the backup infrastructure can create incompatible and ongoing encryption key management issues.
Other issues that must be resolved prior to implementing encryption include how to minimize the performance overhead encryption creates, how encryption keys are generated and what data to encrypt.
The best place to encrypt data in the backup infrastructure is generally determined by four factors: corporate risk thresholds, ease of implementation, price and the performance impact encryption has on the backup infrastructure. While encryption key management remains a near-term concern, new standards under discussion will likely evolve to permit the exchange of keys among different vendors' encryption key management systems.
The use of compression by backup software as it encrypts data is an important but subtle differentiator among backup software products. Encrypting native backup data typically increases the size of backed-up data stores by 20% or more, so backup software products may also turn on compression when encryption is enabled. Compression reduces the size of the backed-up data, but adds another 5% to 10% to the server CPU overhead on top of the 20% overhead encryption introduces.
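An added example (not from the original article) of why the compression step has to run before encryption in a backup pipeline: ciphertext looks random, so compressing after encryption saves nothing. The SHA-256 keystream cipher is a stand-in for AES so the script runs on the Python standard library alone; the key, nonce and log data are constructed.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (NOT AES, demo only): XOR the data with a
    SHA-256 counter-mode keystream. The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def backup_sizes(plaintext: bytes, key: bytes, nonce: bytes) -> dict:
    """Byte counts for the two possible orderings of the same two steps."""
    compress_then_encrypt = keystream_xor(key, nonce, zlib.compress(plaintext, 6))
    encrypt_then_compress = zlib.compress(keystream_xor(key, nonce, plaintext), 6)
    return {
        "original": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


def restore(blob: bytes, key: bytes, nonce: bytes) -> bytes:
    """Reverse the compress-then-encrypt pipeline: decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, nonce, blob))


# Constructed sample data: repetitive, log-like text of the kind backups hold.
SAMPLE = b"".join(
    b"2007-11-%02d host=db01 job=nightly status=OK bytes=%d\n" % (d % 28 + 1, 1000 + d)
    for d in range(2000)
)
# Constructed fixed key and nonce so the run is repeatable; a real backup
# key comes from a cryptographic random source, and a nonce is never reused.
KEY = bytes(range(32))
NONCE = bytes(12)

if __name__ == "__main__":
    for name, size in backup_sizes(SAMPLE, KEY, NONCE).items():
        print(f"{name:>22}: {size} bytes")
```
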
This was first published in November 2007