A glossary of common storage-encryption terms
Sensitive data: depending on the type of business, sensitive data can include credit card information, financial records, health data, intellectual property documents or information about sexual orientation. Most companies will find an average of 8 to 12 bits of data per record that need encryption. The difficulty is locating every place where that information is stored.
Encryption appliance: this hardware sits between servers and storage systems and encrypts data as it moves back and forth. Many of these appliances can run in SAN, NAS, iSCSI and tape infrastructures. They encrypt data at close to wire speed with very little latency. In comparison, encryption software on servers and in storage systems slows backups.
Library-based tape encryption: Security features embedded in tape drive and tape library hardware are often used when data is stored at an off-site facility. Encryption co-processors process the data stream at wire speed as it enters the library. Security functions are completely transparent to the software. No external software or operating system support is needed. But it also means that the tape vendor is entirely responsible for managing security.
Edge encryption: this includes encrypting data at the point of entry on laptops, handhelds and desktop PCs. Basic encryption that requires a username and password offers little protection, but it's better than nothing, say industry watchers. A global key-management system for Windows offers better protection. Some laptop manufacturers are incorporating encryption capabilities in new models.
Enterprise digital rights management: this is the next big thing in key-management technology. Still in its early stages, DRM offers the potential for persistent encryption and security as data travels from laptop to e-mail, database and storage tape by assigning access rights to the file. DRM becomes more important as companies distribute protected documents beyond the enterprise to partners and vendors.
Quorum-based recovery: this is one of three key-management approaches that companies should consider. Quorum-based recovery requires a group of three to five administrators to grant permission before encryption keys can be recovered. Encryption specialists also advise that tape libraries shouldn't have to maintain the mapping of keys to tape volumes. This method adds another point of management and complicates long-term key escrow. It's also important to automatically replicate keys to an escrow service or tape library at a disaster recovery site for fast data recovery in case the originals are lost.
Data compression: appliances trump software-based encryption at the database level when it comes to compression. Software-encrypted data can't be compressed. Encryption hardware devices have a compression chip in them, so they compress before they encrypt, which is a tape-drive space savings of 1.5 to 1.