|
SAN-based encryption appliance: Encryption appliances offer line-speed encryption capabilities and key management capabilities. Veteran vendors such as Decru (a NetApp company) and NeoScale Systems have been joined by companies such as CipherMax and Crossroads Systems. These appliances sit in the data path between the backup server and tape library, and can encrypt the data stream in real time with little or no performance penalty. There's considerable variation among these products in terms of the number of ports available, which could impact scalability and configuration complexity. An advantage is that these appliances are agnostic with regards to backup software and tape hardware.
SAN switch-based encryption: An alternative to the SAN-based appliance has emerged in the form of the Cisco MDS 9000 Family Storage Media Encryption Package. Designed to run on multiservice modules available for Cisco 9000 switches, the device functions in a manner similar to that of an encryption appliance. The biggest difference is the ability to perform hardware-based encryption without the complexities of additional external devices and cabling.
Tape drive encryption: Perhaps the most eagerly awaited encryption development over the past year has been the introduction of tape drives with embedded encryption. Initially offered only in high-end ($30,000-plus) tape drives such as the IBM System Storage TS1120 and the Sun Microsystems StorageTek T10000, LTO-4 has brought this capability to the midrange level. Tape drives have included onboard compression for years and, all other things being equal, they seem logical targets for data encryption as well.
Has anyone seen my keys?
But all things aren't equal, and encryption presents significant management challenges due to the complexities of key management. Extremely long retention policies can increase the risk of key loss and, as a result, data by way of "lockout." Encryption appliance vendors have invested heavily in this area and tend to offer solid feature sets and safeguards, flexible key lifecycle management, key replication and validation, and access control. Among tape drive and backup vendors, key management ranges from minimal single-key encryption to comprehensive key management add-ons. From a security architecture perspective, some vendors are eyeing integration with third-party key managers from firms like nCipher and RSA (The Security Division of EMC) in anticipation that larger enterprises will opt for a centralized, more auditable key management authority.
Another factor to keep in mind is the lack of key portability among vendors. While there's an emerging IEEE standard (P1619.3) and most vendors have pledged to support it, it's reasonable to anticipate potential transitioning challenges depending on organizational tape-retention policies.
|
