Encrypting tape: Software vs. hardware and key management

Encrypting backup tapes isn't so much a question of "if" but "when," which means a lot of enterprises are struggling with the question of "how."

The two major approaches to tape encryption involve using software or specialized hardware. Both have drawbacks and the choice ultimately comes down to the balancing those drawbacks against the characteristics of the particular enterprise.

Drawbacks or not, tape encryption is bearing down on IT like a rapidly approaching freight train.

"This is one area where CEOs are not going to wait for regulations," Ravi Chalaka, vice president of marketing for Maxxan Systems, a San Jose, Calif.-based maker of virtual tape libraries (VTL) says. Recent legislation, notably in California, has forced companies to disclose losses of customer information, resulting in a flood of news reports as major banks and others have announced the possible compromise of tapes containing the data of millions of customers. The resulting bad publicity has helped to make companies extremely sensitive, Chalaka says, and is driving them to encrypt their backups.

However, Chalaka notes that only about 25% of companies encrypt their tapes today. The result is a mad scramble for tape encryption in enterprises of all sizes -- and a flood of announcements of tape encryption products.

There are a number of hardware and software approaches to encryption available. Most major tape software vendors offer encryption as an option, and there are a number of encryption appliances from companies like Avax International Inc. and Decru Inc. that use hardware to handle the encryption. There are also specialized hardware products, such as the one from Intradyn Inc., which encrypts e-mail backups. A number of stand-alone software packages, such as Alliance for the IBM iSeries from Patrick Townsend & Associates, are also available.

The major advantages of the encryption appliances are flexibility and speed. Their disadvantages are cost and lack of scalability. Software encryption is cheaper, but slower.

Encryption, to a secure level, is a compute-intensive process, especially when it's being done on the scale of a full backup. Software encryption is slower and can prolong an already-tight backup in progress. Furthermore, encryption appliances are usually able to handle anything that is being backed up, no matter what the operating system, file structure or other characteristics.

One way to work around the disadvantages of tape encryption is to limit what is encrypted. Rather than encrypting all the backed-up data, only encrypt the most critical information, such as customer data. This is a common strategy, especially in enterprises using software encryption.

Currently, Chalaka says, most enterprises that encrypt their tapes are using software encryption; hardware encryption is just beginning to take hold in the market.

Using any kind of tape encryption means dealing with key management. If the keys are lost or corrupted the tapes are unreadable, and if they are compromised the security is compromised as well. Before you begin using any type of tape encryption, you must have an effective, robust and secure method of key management in place.

"We need an architecture that will encrypt without any degradation of performance, [and] at the same time be able to scale and be able to do all this with simple, effective key management," Chalaka says.

Until that architecture arrives, storage administrators will have some painful choices -- but most of them will still encrypt their tapes.

For more information:

How to keep stored data out of enemy hands

About the author: Rick Cook has been writing about mass storage since the days when the term meant an 80 K floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last 20 years, he has been a freelance writer specializing in storage and other computer issues.

Rate this Tip To rate tips, you must be a member of SearchStorage.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Backup and disaster recovery Disaster recovery planning in a virtualized environment Leveraging storage replication for VM disaster recovery Four disaster recovery strategies to consider when using data deduplication Comparing different backup strategies Troubleshooting automated tape libraries How to choose a Web-based email archiving vendor How to choose an e-discovery tool How to conduct a disaster recovery test Outsourcing backup: Get the right service level agreement Using WAN clustering for disaster recovery Secure data storage Storage Decisions New York 2008 Session Downloads Storage Decisions Session Downloads: Disaster Recovery Track (New York 2008) Our View: Whom do you trust? Brocade bolsters security with fabric-based encryption switch Get a grip on encryption keys What is the most interesting recent development in data protection technology? Why are Storage as a Service vendors targeting secondary storage applications? Why are dense storage platforms like storage grids becoming popular? How will the market for virtual tape libraries change? Any unexpected developments in the data protection market? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary hard drive shredder  (SearchStorage.com) Storage as a Service (SaaS)  (SearchStorage.com) storage encryption  (SearchStorage.com) storage security  (SearchStorage.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.