Enterprise Strategy Group
Published: 10 Nov 2006
The time has come for enterprise tape encryption
Point solutions for encryption might work now, but can they scale to meet future needs?
Backup vendors supported encryption in their products for years, but few customers ever bothered with this type of protection in the past. Why? IT managers always assumed that tape-based data was relatively safe: Tapes were used by IT professionals and tape devices sat behind vulnerable IP networks. Encryption was also eschewed because it could lead to slower performance, additional IT operational chores and higher capital costs.
But times have changed. Interest in tape encryption is growing rapidly due to the following:
Increasing privacy regulations. Tape-based private data has long been subjected to well-established global privacy laws like the Japanese Bill to Protect Personal Data (2001) and the EU Directive on Privacy and Electronic Communications (2002). In 2005, 13 disparate bills were introduced in the U.S. Congress; and at the beginning of 2006, 23 states had privacy regulations in place.
Publicly disclosed data breaches. Regulations like the California Database Breach Act mandate that any data breach involving the private data of a California citizen must be publicly disclosed. Between February 2005 and August 2006 there were a total of 17 publicly disclosed data breaches as a result of lost/stolen backup tapes, which led to the exposure of more than 9 million Americans' private data (source: www.privacyrights.org).
New technology options. Cryptoprocessor technology has greatly improved and now offers high performance and lower prices. This has led to a slew of new hardware-based crypto-acceleration and encryption appliances.
Tape encryption must support the business
Numerous companies are jumping on the backup tape-encryption bandwagon: Encrypt your backup tapes and the threat of lost/stolen tapes, embarrassing data breaches and unexpected costs disappear. But while this is certainly logical, it's also shortsighted. Tape encryption must provide protection against accidental tape loss or criminal activities, but it should also be integrated into the security procedures of tape-based business processes such as:
Data sharing. Tape is still used as a means of data exchange among business partners, but this process shares the same risk of tape loss/theft as offsite solutions. To facilitate data exchange, tape-encryption solutions must share encryption keys among business partners.
Data archiving. Government regulations like HIPAA and SEC 17a-4 demand long-term records retention. Because tape media is often used for data archiving, tape encryption can keep the data confidential and tamperproof. In an archiving application, tape encryption must be supported with key lifecycle management features built for long-term encrypted data storage.
These functions will certainly add to the business value of a tape-encryption solution, but it's also important that they don't create an inordinate amount of IT operations overhead in the process. To accommodate the business and IT, tape-encryption solutions must:
Work with existing technologies. Tape encryption should be an integrated set of services that can be called by backup software, storage management systems, device drivers, libraries and tape drives. Tape encryption shouldn't add any undue burden or performance degradation to day-to-day backup, restore and archival operations.
Integrate into disaster recovery (DR) planning. Because encrypted data must be decrypted to be useful, tape-encryption operations must be part of the DR/business continuity process. This requires tight controls for key management, key backup and redundant key-restoration equipment. These steps must not impact business-critical recovery time objectives and recovery point objectives.
Allow flexibility for growth. When a file is archived for 10 years, for example, the tape drive, server and application technologies will certainly change during that timeframe. Tape encryption must accommodate inevitable technology churn while maintaining the integrity of encryption keys and administrative policies over the long haul.
When weighed against this set of enterprise requirements, most of today's tape-encryption solutions fall short.
Large firms need an ETE architecture
Tape-encryption products that provide little more than "antidisclosure" insurance may be in vogue today, but the encryption needs of large organizations will soon move beyond this limited scope. Rather than implement multiple tape-encryption solutions, Enterprise Strategy Group (ESG) believes savvy CIOs will look at a new class of security products we call Enterprise Tape Encryption (ETE). Unlike most self-contained point solutions, ETE is built as a set of encryption services. As such, ETE:
Separates encryption and administrative functions. ETE services like cryptographic processing, key management and administration are discrete objects. By distributing these services, the actual cryptographic processing can be performed on high-speed security processors, while key management and administration can be centralized for operational efficiency and high security. This model will be especially important over time because it offers scale and performance benefits as more data is encrypted. For scalability, today's all-in-one, server-based solution can migrate gracefully to a distributed model over time.
Provides for ease of integration. ETE services are easily accessible to systems that need to encrypt data and the devices that perform the actual encryption operations. ETE acts as encryption middleware with open APIs used for requesting or performing encryption services.
Virtualizes key management. To maintain the availability of critical key-management services, many of today's encryption appliance products must be configured in pairs for failover. Rather than clustering boxes, ETE uses a distributed database built on multiple distributed systems similar to the global Domain Name System (DNS) infrastructure. This architecture increases performance by localizing ETE service requests, thus minimizing latency. It also eliminates any single point of failure; if a local ETE system is offline, the ETE service simply calls another.
Accommodates key sharing. ETE recognizes the need for key sharing among enterprise data centers and business partners. ETE offers multiple technical solutions, including Public Key Infrastructure, Kerberos, shared secret keys and secure decryption utilities.
Leverages tape compression. Tape compression can provide a 300% improvement in throughput, reduce media costs and decrease the number of physical tapes. To take advantage of the operational benefits of compression and the security advantages of encryption, tapes must be compressed before being encrypted. To achieve operational and security goals, ETE can distribute encryption services where cryptographic processing can reside behind tape compression.
Like other distributed services architectures, ETE changes the way tape encryption is performed. ETE services are available for disparate systems, apps and devices as needed. Users can achieve operations and security benefits from centralized encryption management, while realizing performance advantages from distributed cryptographic processing.
The ETE architecture will consist of three independent service layers that communicate and cooperate to manage and execute encryption operations. They include:
Encryption service requesters. Various systems and apps that need to encrypt data can call the encryption services layer and relay which data needs to be scrambled.
Encryption services layer. The ETE services layer is the workhorse of the architecture and masks the complexity of enterprise tape encryption from applications and devices.
Cryptographic processing layer. Actual encryption operations can live anywhere in the infrastructure. When a cryptographic processor receives a request to encrypt data, it calls the key management server and asks it to generate an encryption key. Once it receives the encryption key, it performs the requested cryptographic operations.
Given the services-based architecture of ETE and the distributed nature of systems and devices in a typical enterprise, the goal of ETE is to provide flexibility for any-to-any tape-encryption requirements. For example, a backup system could ask for encryption services from any available drive in a tape farm comprising multiple libraries. Likewise, an archiving system could encrypt large files to a set of remote tape drives in a secure location. And as new servers, backup apps and tape drives are added across the enterprise, they can join the ETE process because it's controlled by the ETE services layer rather than hardwired into specific systems.
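The two design points made above, compress before you encrypt (the compression paragraph) and route any requester to any available cryptographic processor through a shared key-management service (the three-layer flow), are easiest to see in running code. The following Python model is an added illustration and is not ESG's or any vendor's implementation. It assumes a SHA-256 counter-mode keystream as a stand-in for the hardware AES engine a real cryptoprocessor would use, so that it runs with only the standard library; the class names, the 40-byte tape-record header and the sample backup image are all constructed for the example.

```python
"""Toy model of the three ETE layers: requester -> services layer -> crypto processor,
with the crypto processor fetching keys from a central key manager (added example)."""
import hashlib
import hmac
import os
import secrets
import struct
import zlib

MAGIC = b"ETE1"  # constructed record marker, not a real tape format

# Constructed sample "backup image": repetitive records, as real backups tend to be.
SAMPLE_BACKUP = b"".join(b"customer=%05d;status=active;balance=0.00\n" % i for i in range(400))


def keystream_xor(key, nonce, data):
    """Counter-mode XOR with SHA-256 as the PRF: a stand-in for hardware AES-CTR."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + struct.pack(">Q", offset // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class KeyManager:
    """Centralised key management: generates keys and serves them by ID."""
    def __init__(self):
        self._keys = {}

    def generate_key(self):
        key_id = secrets.token_hex(8)  # 16 ASCII chars, stored in the tape header
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id, self._keys[key_id]

    def get_key(self, key_id):
        return self._keys[key_id]  # KeyError: key never backed up or replicated here


class CryptoProcessor:
    """Distributed cryptographic processing. Compression happens before encryption."""
    def __init__(self, name, key_manager):
        self.name, self.km = name, key_manager

    def encrypt(self, plaintext):
        key_id, key = self.km.generate_key()          # ask key manager for a key
        nonce = os.urandom(16)
        body = keystream_xor(key, nonce, zlib.compress(plaintext, 9))
        header = MAGIC + key_id.encode() + nonce + struct.pack(">I", len(plaintext))
        tag = hmac.new(key, header + body, hashlib.sha256).digest()  # integrity
        return header + body + tag

    def decrypt(self, record):
        if record[:4] != MAGIC:
            raise ValueError("not an ETE tape record")
        key_id, nonce = record[4:20].decode(), record[20:36]
        (orig_len,) = struct.unpack(">I", record[36:40])
        body, tag = record[40:-32], record[-32:]
        key = self.km.get_key(key_id)                  # any processor with KM access can restore
        if not hmac.compare_digest(hmac.new(key, record[:-32], hashlib.sha256).digest(), tag):
            raise ValueError("tape record failed integrity check")
        plaintext = zlib.decompress(keystream_xor(key, nonce, body))
        if len(plaintext) != orig_len:
            raise ValueError("length mismatch after restore")
        return plaintext


class EncryptionServicesLayer:
    """Middleware layer: requesters call it; it hands work to any registered processor."""
    def __init__(self, key_manager):
        self.km, self.processors, self._next = key_manager, [], 0

    def register(self, name):
        self.processors.append(CryptoProcessor(name, self.km))

    def _pick(self):
        proc = self.processors[self._next % len(self.processors)]
        self._next += 1
        return proc

    def protect(self, data):   # called by a backup app (the requester)
        return self._pick().encrypt(data)

    def restore(self, record):  # may land on a different drive than the one that wrote it
        return self._pick().decrypt(record)


def compression_comparison(plaintext):
    """Sizes for compress-then-encrypt vs encrypt-then-compress on the same data."""
    key, nonce = secrets.token_bytes(32), os.urandom(16)
    compress_then_encrypt = len(keystream_xor(key, nonce, zlib.compress(plaintext, 9)))
    encrypt_then_compress = len(zlib.compress(keystream_xor(key, nonce, plaintext), 9))
    return compress_then_encrypt, encrypt_then_compress


def can_restore(record, key_manager):
    """DR check: a site whose key manager lacks the key cannot read the tape."""
    try:
        CryptoProcessor("dr-site", key_manager).decrypt(record)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    km = KeyManager()
    svc = EncryptionServicesLayer(km)
    svc.register("drive-library-1")
    svc.register("drive-library-2")
    record = svc.protect(SAMPLE_BACKUP)
    print("restored OK:", svc.restore(record) == SAMPLE_BACKUP)
    print("compress->encrypt, encrypt->compress sizes:", compression_comparison(SAMPLE_BACKUP))
    print("restorable without key backup:", can_restore(record, KeyManager()))
```

Two things fall out of running it: ciphertext does not compress (the encrypt-then-compress size is never below the plaintext size), which is why the processing must sit behind compression, and a tape written through one processor restores through another only because the key lives in the shared key manager, which is the dependency DR planning has to cover.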
The bottom line
Smart companies understand that tape encryption is necessary today and will only become more critical in the future. But companies need to take a more strategic approach by building a services-based architecture that can meet current needs and scale to accommodate future needs.