Here's a look at some of the newest encryption technologies.
Companies that want blanket encryption coverage on the back end before it goes to backup should consider appliances that sit between servers and storage systems and encrypt the data as it moves back and forth, says Curtis Preston, vice president of data protection at storage services company GlassHouse Technologies.
Specialized encryption appliances like Decru's DataFort, which was acquired by Network Appliance last year, and NeoScale Systems' CryptoStor can run in storage-area network (SAN), network-attached storage (NAS), iSCSI and tape infrastructures. They encrypt data at close to wire speed, with little latency. Both vendors have also developed versions of their products that will encrypt backup tapes. Decru's offering encrypts NetApp storage, as well as EMC, Hewlett-Packard, Sun Microsystems and IBM storage.
Fusca says encrypting and decrypting data goes unnoticed by users at the centre. "When they get up on the analytical servers and start drawing data through either the tape library or the electronic storage through the DataForts, it is relatively transparent, and there are no discernible delays in accessing the data," he says.
Key management has been simplified. "Once we identify the appropriate client stations that are on the virtual private network that can draw requested encrypted data into their 'cryptainer' [a device that stores decrypted data on the desktop], it's relatively fast and painless for them," Fusca adds.
Appliances also trump software-based encryption at the database level when it comes to compression. Data that has already been encrypted in software can't be compressed, so the typical 1.5-to-1 space savings from a tape drive's compression is lost. "These hardware devices have a compression chip in them, so they compress before they encrypt," Preston says.
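The ordering point above can be checked directly. The following is an added example, not code from the article or from either vendor: it compresses a constructed, backup-like log stream before and after encryption and compares the resulting space savings. The hash-based keystream XOR is only a stand-in for a real cipher such as AES; what matters for the demonstration is that ciphertext is effectively random, and random data does not compress.

```python
import hashlib
import zlib

# Constructed sample data: a repetitive backup-style log stream (about 35 KB).
SAMPLE = "".join(
    f"2006-03-14 10:{i % 60:02d}:00 backup host=srv{i % 7:02d} status=OK bytes={i * 4096}\n"
    for i in range(500)
).encode()
KEY = b"example-key-not-for-production"  # placeholder key for the demo only


def keystream(key: bytes, nbytes: int) -> bytes:
    """Derive nbytes of keystream as SHA-256(key || counter) blocks (stand-in cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; symmetric, so the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    """Appliance ordering: compress the plaintext, then encrypt the result."""
    return xor_cipher(key, zlib.compress(data, 9))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    """Host/database ordering: ciphertext reaches the tape drive's compressor."""
    return zlib.compress(xor_cipher(key, data), 9)


def restore_compress_then_encrypt(key: bytes, blob: bytes) -> bytes:
    """Reverse compress_then_encrypt: decrypt, then decompress."""
    return zlib.decompress(xor_cipher(key, blob))


def compression_ratio(original: bytes, stored: bytes) -> float:
    """Space-savings ratio; 1.5 means 1.5:1 (stored size is 2/3 of original)."""
    return len(original) / len(stored)


def demo(data: bytes = SAMPLE, key: bytes = KEY) -> dict:
    """Ratio achieved by each ordering on the sample stream."""
    return {
        "compress_then_encrypt": compression_ratio(data, compress_then_encrypt(key, data)),
        "encrypt_then_compress": compression_ratio(data, encrypt_then_compress(key, data)),
    }


if __name__ == "__main__":
    for order, ratio in demo().items():
        print(f"{order}: {ratio:.2f}:1")
```

On the sample stream the compress-then-encrypt path keeps a large ratio, while encrypt-then-compress comes out at roughly 1:1 (zlib falls back to stored blocks and the output is slightly larger than the input).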
Library-based tape encryption
In the highly competitive microprocessor market, protecting intellectual property is a serious concern, especially when sensitive data goes to an off-site storage facility.
At Advanced Micro Devices' Longmont Design Centre, IS manager Tom Dixon has been evaluating the beta version of Spectra Logic's BlueScale environment for three months. Spectra Logic is one of two library tape vendors that have recently incorporated security into tape drive and tape library hardware. Quantum's proprietary DLTsage architecture also offers a tape security feature at the drive level.
"Library-based encryption is a good idea for companies that need to lower the risk associated with sending tapes off-site," wrote analyst Galen Schreck in a January report for Forrester Research.
The Spectra Logic product performs data encryption within the library using an enhanced version of its Quad Interface Processor board. Three months into his evaluation, Dixon says the hardware was "fairly easy" to set up. "You don't have to do anything on the host," he says. "They set up the library, and you set up your keys. That's the biggest headache. We haven't even talked about that yet."
The hardware's encryption keys are managed within the library and can be exported via a Universal Serial Bus flash drive or via an encrypted e-mail. The keys can then be imported into another Spectra library or used within a software decryption utility, in case no library hardware is available.
Library-based security has two big benefits over software-based alternatives, according to Schreck. First, there are no performance penalties. By embedding encryption in the tape subsystem, vendors can use encryption co-processors to process the data stream at wire speed. Second, security functions are completely transparent to the software. To outside applications and servers, they behave just like a regular tape library. No external software or operating system support is necessary.
But it also means that the tape vendor is completely responsible for managing security. So customers should look for products with strong key-management features, like quorum-based recovery, integration with backup and recovery tools, and automated replication of keys to an escrow service or tape library at a disaster recovery site.