The good news: Quantum Corp. just announced a bevy of new security enhancements to its tape libraries, and at least one offering will be free. The bad news: full native encryption of tapes at the tape hardware level, perhaps the most desired security feature in today's storage market, isn't slated for announcement until at least mid-2006.
The product that will kick off what Quantum is calling its new "security framework" is called DLTSage Tape Security, an access control feature that places a unique, encrypted "header" on each tape cartridge, rendering it readable only by one specific drive. The feature will be provided in the company's newest DLT tape drives and supported in its tape automation systems at no additional cost to customers.
Besides the price, the fact that the feature is transparent to the backup system is most intriguing to users. "It'll make my life that much easier," said Bill Dedi, senior systems administrator for Tellabs. "Especially since there's no extra time involved."
Still, it's not the full tape encryption that would be the ideal security application for many environments. "It's kind of an in-between solution," Dedi said. "Although for a lot of people, it may be enough."
Agreed O'Neill, "there are some small and medium customers who lack the resources or sophistication to support a full encryption scheme that changes their environment. This would be good for that type of customer."
What about recovery? After all, there's always a fine line between protecting one's data and protecting it so well the intended user can't get to it. What about a disaster recovery (DR) scenario in which the drive is destroyed?
In that event, DLTSage requires the IT manager to create a policy-based system for creating and managing all of the keys for each device. The recovery process would then have to go through that IT administration system, find the right key based on device and execute the decryption.
"It's analogous to what is done today for user access controls," O'Neill said. "And most DR processes require a ton of device-level management anyway. However, it definitely means you have to have a good key management structure in place for your tape media."
Quantum's new security roadmap also includes administrative controls, such as role-based access privileges. While access controls are nothing new, "this allows the administrator to create multiple roles, so you know who's done what when, instead of everyone logging into one admin account," Dedi pointed out. "With regulations like [the] Sarbanes-Oxley [Act], they already want to know when and how your backups are done. It's only a matter of time before they want to know who did what."
Other administrative controls will include audit logging and Secure Socket Layer/Secure Shell (SSL/SSH) support. Audit logging enables tracking of all attempts to access Quantum systems, whether successful or not, as well as tracking of activity once access is granted. SSL/SSH support provides secure network-based access and login access to administrative information about Quantum's storage systems. SSL encrypts traffic between a Web browser and an http server, while SSH is a version of the same technology for TelNet.
Farther off, Quantum said its security framework will include a new partnership with Decru (owned by Network Appliance Inc.) for native encryption on Quantum's DLT tape drives, as well as joint sales and marketing between the two companies. However, this partnership isn't expected to get going until at least the second quarter of next year and native encryption on Quantum's tape drives is slated for "subsequent quarters."
"It'll be another year for full native encryption," O'Neill said.