This article can also be found in the Premium Editorial Download "Storage magazine: RAID turns 20: Do you still need it?"
How much data to encrypt
A major decision Chad Sturgill, network engineer at Corporate One Federal Credit Union, had to make when implementing encryption was how much of his company's data to encrypt. Although Sturgill knew Corporate One didn't need to encrypt all of its data, he also realized that Corporate One's data wasn't perfectly classified. With that in mind, Sturgill instituted a policy where all of Corporate One's data was encrypted to ensure it was protected. "If you leave your house and lock the door, do you leave your garage door open?" queries Sturgill.
Supporting that encryption policy required Sturgill to verify that Decru could handle the overhead associated with the encryption and not impact backup windows. He ran a series of tests and found that using an encryption appliance in the data path had minimal or no effect on backup times and, in some instances, actually improved the overall speed of backups.
Sturgill's experiences support encryption appliance vendor claims that their appliances have minimal or no impact on backup speeds. NetApp finds that as many as one-third of its Decru DataFort customers generally see a +/- 5% performance impact on backup times, which is generally acceptable to most users.
Companies with high-performance FC SAN environments that are hesitant to introduce encryption appliances may find Cisco Systems Inc.'s new Storage Media Encryption (SME) more suitable. SME is available on Cisco's MDS 9222i Multilayer Fabric Switch or its MPS-18/4 director blade, and is managed as another fabric service in Cisco's SAN-OS. Cisco's SME uses a central ASIC on the fabric switch or director blade that provides up to 10Gb/sec of throughput with key creation and management handled externally by EMC's RSA Key Manager or Cisco's own key management application (due out this month). Although encrypting in the switch avoids the need to introduce appliances, the current implementation encrypts data to whatever storage devices are attached to these ports.
Purchasing new tape drives that natively support encryption may be the simplest and easiest way for a company to encrypt all of its data. New tape drives often eliminate some of the internal justifications administrators need to provide when purchasing encryption appliances or switches. Tape drives such as the IBM T1120 also include an encryption ASIC that, according to Bradley Johns, IBM System Storage tape market management, keeps the performance impact at or under 1% in most customer environments.
This was first published in November 2007