Encrypting backup tapes isn't
The two major approaches to tape encryption involve using software or specialized hardware. Both have drawbacks and the choice ultimately comes down to the balancing those drawbacks against the characteristics of the particular enterprise.
Drawbacks or not, tape encryption is bearing down on IT like a rapidly approaching freight train.
"This is one area where CEOs are not going to wait for regulations," Ravi Chalaka, vice president of marketing for Maxxan Systems, a San Jose, Calif.-based maker of virtual tape libraries (VTL) says. Recent legislation, notably in California, has forced companies to disclose losses of customer information, resulting in a flood of news reports as major banks and others have announced the possible compromise of tapes containing the data of millions of customers. The resulting bad publicity has helped to make companies extremely sensitive, Chalaka says, and is driving them to encrypt their backups.
However, Chalaka notes that only about 25% of companies encrypt their tapes today. The result is a mad scramble for tape encryption in enterprises of all sizes -- and a flood of announcements of tape encryption products.
There are a number of hardware and software approaches to encryption available. Most major tape software vendors offer encryption as an option, and there are a number of encryption appliances from companies like Avax International Inc. and Decru Inc. that use hardware to handle the encryption. There are also specialized hardware products, such as the one from Intradyn Inc., which encrypts e-mail backups. A number of stand-alone software packages, such as Alliance for the IBM iSeries from Patrick Townsend & Associates, are also available.
The major advantages of the encryption appliances are flexibility and speed. Their disadvantages are cost and lack of scalability. Software encryption is cheaper, but slower.
Encryption, to a secure level, is a compute-intensive process, especially when it's being done on the scale of a full backup. Software encryption is slower and can prolong an already-tight backup in progress. Furthermore, encryption appliances are usually able to handle anything that is being backed up, no matter what the operating system, file structure or other characteristics.
One way to work around the disadvantages of tape encryption is to limit what is encrypted. Rather than encrypting all the backed-up data, only encrypt the most critical information, such as customer data. This is a common strategy, especially in enterprises using software encryption.
Currently, Chalaka says, most enterprises that encrypt their tapes are using software encryption; hardware encryption is just beginning to take hold in the market.
Using any kind of tape encryption means dealing with key management. If the keys are lost or corrupted the tapes are unreadable, and if they are compromised the security is compromised as well. Before you begin using any type of tape encryption, you must have an effective, robust and secure method of key management in place.
"We need an architecture that will encrypt without any degradation of performance, [and] at the same time be able to scale and be able to do all this with simple, effective key management," Chalaka says.
Until that architecture arrives, storage administrators will have some painful choices -- but most of them will still encrypt their tapes.
For more information:
About the author: Rick Cook has been writing about mass storage since the days when the term meant an 80 K floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last 20 years, he has been a freelance writer specializing in storage and other computer issues.
This was first published in July 2005