Where encryption fits best
This article can also be found in the Premium Editorial Download "Storage magazine: RAID turns 20: Do you still need it?."
Backup software provides a number of options to circumvent this performance overhead. One option offered by Symantec Corp.'s Backup Exec 11d and CommVault's Galaxy 7.0 is to simply turn off compression. The compression and encryption features are individual checkboxes in these backup software products, so admins can choose to turn off compression on the backup clients but still encrypt the data. However, this reintroduces the problem of increased backup storage capacities and lengthens backup windows.
To address these issues, some backup software products offload the compression and encryption to a designated server. Backup software products that perform deduplication--such as Asigra Inc.'s Televaulting, EMC Corp.'s Avamar and Symantec's Veritas NetBackup PureDisk--compress and encrypt data as part of the deduplication process. The overhead associated with the compression and encryption is then offloaded to a designated server in the backup infrastructure. But using deduplication in the initial backup of a client can sometimes take hours or even days to complete as data is deduplicated, compressed and encrypted for the first time. It's a lengthy process that not every application can withstand.
Important questions to ask before selecting an encryption product
As you evaluate the different places in your backup infrastructure where encryption can reside, here are some important questions to ask:
Where in the storage infrastructure should you encrypt data? This is the most fundamental question in selecting an encryption product. Each encryption architecture introduces significantly different considerations. Encryption key generation and management, increased backup windows, Fibre Channel SAN reconfigurations and heightened server overhead are just some of the factors a company needs to consider prior to adding encryption to its backup infrastructure.
How does the encryption software or appliance support key escrow and management for long-term data access and disaster recovery? Key management is a compelling issue during any recovery, disaster or otherwise. If and when a company is required to recover data years later at its existing facility or during a disaster, it needs to have the keys used to encrypt the data before that data can be recovered.
How much space is required to encrypt the data? Adding storage space in the form of more tape or disk isn't prohibitively expensive, but with encryption potentially increasing backed-up data footprints by 20% or more, controlling the impact of encryption on storage growth is paramount. Compression is almost always part of the encryption process, so ascertain what capacity savings compression will provide and whether that offsets the hit on backup performance and lengthier backup windows.
Is deduplication done prior to encryption? In the long term, deduplication should offer better performance characteristics than compression, but on the initial pass, backup windows can be horrific. Verify how deduplication products generate and manage encryption keys and what options administrators have to change them over time.
What is the likelihood of searching and accessing data after it's encrypted? If data is encrypted and stored on tape without being indexed first, it's prohibitively expensive to search and index the data later.
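The questions above about storage space and about whether deduplication is done prior to encryption both come down to pipeline order. The following added example (not from the original article or any vendor's product) measures how many bytes reach backup storage when data is deduplicated and compressed before encryption versus encrypted first. It assumes fixed 4 KiB chunks, a constructed sample data set, and a stand-in cipher named `toy_encrypt` built from SHA-256 so that it runs with the standard library only.

```python
import hashlib
import os
import zlib

CHUNK = 4096  # assumption: fixed-size chunks; products may chunk differently


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher for illustration only: SHA-256 keystream, random nonce."""
    nonce = os.urandom(16)
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def split(data: bytes) -> list:
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]


def unique(chunks: list) -> list:
    """Deduplicate by content hash, keeping one copy of each distinct chunk."""
    return list({hashlib.sha256(c).digest(): c for c in chunks}.values())


def stored_bytes(data: bytes, key: bytes, encrypt_first: bool) -> int:
    """Bytes that reach backup storage for the given pipeline order."""
    if encrypt_first:
        # encrypt -> dedup -> compress: ciphertext chunks never repeat or shrink
        encrypted = [toy_encrypt(key, c) for c in split(data)]
        return sum(len(zlib.compress(c)) for c in unique(encrypted))
    # dedup -> compress -> encrypt: reduction happens while data is still plaintext
    return sum(len(toy_encrypt(key, zlib.compress(c))) for c in unique(split(data)))


def sample_backup() -> bytes:
    """Constructed sample: 20 distinct 4 KiB text blocks, each present 10 times."""
    blocks = [(f"record {i:04d} customer=example status=ok\n" * 200)[:CHUNK].encode()
              for i in range(20)]
    return b"".join(blocks * 10)


if __name__ == "__main__":
    data, key = sample_backup(), os.urandom(32)
    print("raw bytes:          ", len(data))
    print("dedup first, stored:", stored_bytes(data, key, encrypt_first=False))
    print("encrypt first:      ", stored_bytes(data, key, encrypt_first=True))
```

Running the same measurement against a representative slice of your own backup data gives a concrete answer to the capacity question before a product is selected.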
This was first published in November 2007