Where should you encrypt your data?

Jon Oltsik, senior analyst, information security at the Enterprise Strategy Group, Milford, Mass., says tape encryption today is mostly done in appliances, with Decru Inc. (a division of NetApp Inc.) boasting one of the most substantial customer lists. Other companies with tape encryption appliances include Bosanova Inc. with its Q3, CipherMax Inc. CM100T and Vormetric Inc. CoreGuard. However, he notes, "I see this migrating to the tape drives themselves over time as customers implement new drives and libraries."

More on tape encryption Encryption-enabled products How can you ease encryption key management issues? Five questions for evaluating an encryption product Tape encryption FAQ podcast

He explains that tape drives imbed the cryptographic processing in the drive so the advantages are cost and performance. The disadvantages are that most existing tape drives don't have encryption functionality built in, which is why users choose to deploy encryption appliances. These appliances are relatively fast and transparent to tape/storage operations but are also rather expensive to buy and operate. "My view is that tape drive-based encryption wins by default over time," he adds.

Gartner Inc.'s Jeffrey Wheatman, research director for security, tells a similar story. He says once you determine you want to encrypt, the main decision points revolve around whether to accomplish that at the server (host-based), in an external appliance or within the tape drive.

He says historically, the primary approach to encryption has been through software as part of the backup itself. Indeed, the ability to encrypt may already be built in to your existing backup software or can be acquired inexpensively, he notes. Some examples of encryption-enabled backup software include Atempo Inc. Time Navigator 4.1, CommVault Simpana, EMC Corp. NetWorker and Symantec Corp. Veritas NetBackup 6.5, among others. The big problem, however, is that server-based, backup software encryption often has a substantial negative impact on speed, slowing the backup process and creating an unacceptably large backup window.

Like Oltsik, Wheatman sees backup appliances such as those offered by CipherMax Inc., Ingrian Networks Inc. (recently acquired by SafeNet Inc.) and NeoScale Systems Inc. (recently acquired nCipher Corp.) as the leading approach to the problem at the moment. Built around ASICs or even multi-core processors, they typically sit between the server and the backup library.

"Appliances are usually fast, operating sometimes at close to line speed, so they don't have much of a negative impact on backup windows," he notes. On the other hand, they are generally quite expensive -- even more so in the case where a matching appliance must be maintained at a backup site. Furthermore, Wheatman says some appliances appear to interfere with the compression of backup data, potentially adding cost and time to the process. "Compression usually takes advantage of the repetitive nature of most data but when you randomize things through encryption that can be a problem," so it is better to encrypt after compression if possible, he says.

Although tape drives with built-in encryption have begun to make an appearance, despite their speed, Wheatman says the market is mostly taking a wait-and-see approach because the writing of the tapes is already the place where failures are most common "so anything that adds complexity is viewed with caution." And, according to Oltsik, there are no clear leaders among the vendors, though he notes that both Hewlett-Packard Co. (with its StorageWorks 1840) and IBM Corp. (with its T1120) are among those offering encrypting tape drives and libraries.

Finally, although Wheatman says he hasn't studied any encryption approaches using a virtual tape library (VTL), "it is a concept that could work," he says.

Tape encryption implementation strategy

As you plan your investment in tape encryption capabilities, Wheatman stresses the importance of considering the entire enterprise encryption strategy. "You should put together a three-year roadmap and try to ensure that what you do will fit in your long-term encryption and security framework," he adds.

Wheatman says appliances usually fit better within an enterprise encryption strategy than software-based approaches because of performance and the fact that software encryption may not conform to norms such as the new IEEE 1610 standard. "Furthermore, software approaches don't usually mesh with an end-to-end approach to data encryption," he says.

Despite their cost and the market's cool reception to date, Wheatman says tape drive encryption also has the potential to provide performance and a good fit with an enterprise approach.

Last but not least, Wheatman says it's also important to pay attention to how keys are handled -- an area that has attracted vendors such as nCipher Corp. "You need to cycle keys periodically while being able to preserve keys for recoverability," he adds.

About the author: Alan Earls is a Boston-area freelance writer focused on business and technology, particularly data storage.

Rate this Tip To rate tips, you must be a member of SearchDataBackup.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Backup and recovery Ten things you should ask a vendor before buying a tape library Encryption's impact on network backup can be high Bare-metal backup and restore options Backup and recovery basics: Testing your backups Data protection for financial organizations The pros and cons of file-level vs. block-level data deduplication Five signs you need to replace your data backup software Data backup options for remote sites The differences between block-based and file-based data backup How to implement VMware Site Recovery Manager Data backup security Encryption's impact on network backup can be high Data protection for financial organizations Tape drive encryption options Backup SaaS offers remote data destruction Data deletion or data destruction? Data protection implications when migrating to Windows Server 2008 How to back up laptops Centralizing data protection with VMware VDI Tape encryption FAQ podcast Five questions for evaluating an encryption product Tape backup and libraries Backups (not so) Anonymous Ten things you should ask a vendor before buying a tape library Data protection for financial organizations Tape drive encryption options Full, incremental or differential: How to choose the correct backup type Data backup strategies: Migrating from tape to disk The true role of a backup administrator The move to LTO-4 is no stampede Quantum disk revenues double, tape sales decline How to choose the right tape library RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.