Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Encrypting Backups Requires Key Planning

Confidentiality is a key objective of data protection. Encryption is the most commonly accepted technology for ensuring the confidentiality and security of data. Yet, even though enterprises recognize the need for and importance of encryption, the rate of adoption has been uneven to say the least. Concerns about proper key management, potential performance impacts, and cost are grains of sand in the gears of progress.

Yet progress is being made in different pieces of the IT information infrastructure puzzle. As part of the recent introduction of Sepaton's S2100-ES3 Series 2925, the latest member of its data protection appliance family, the company announced encryption of data at rest as an option. This will serve as a concrete illustration of the general approach that needs to be taken not only within the disk-to-disk backup piece of the information infrastructure puzzle, but should have applicability to other pieces as well.

Encrypt Everything?

The importance of maintaining the confidentiality and security of data is growing across the enterprise. Failure can result not only in public embarrassment, but also in serious financial costs.

While all that is true, why encrypt backups? An information thief would have a hard time gaining access to backup data and making sense of it, especially in a deduplicated format. However, what about disk drives that are removed from an array containing backup information for maintenance purposes? What about insiders who may be able to access the data from behind the firewall?

To prevent the possibility of both outsider and insider breaches, many enterprises are moving to an "encrypt everything" strategy. That means encrypting both sensitive and non-sensitive data.

Why protect information for which exposure would create no harm? One reason is that separating sensitive and non-sensitive data is time consuming. Plans to encrypt some data, but not all, could create compliance, process, and management headaches. Because governmental entities often mandate encryption for certain data types, and because what needs to be protected may change over time, encrypting everything enables an organization to increase the likelihood of meeting future compliance requirements.

Still, enterprises are moving carefully for cost and planning reasons. One of the main planning issues is ensuring that all the components in the chain can play nicely together.

Use Standards-Based Tools

Encryption is not only a task (write this set of data to disk in an encrypted manner), but also a process (make sure that the keys to decrypt the data are always available, even in the case of a disaster). A critical decision for an enterprise is to settle on an enterprise key manager that provides a single point of management for all keys. No one wants to have to worry about having to manage more than one set of key tools in an "encrypt everything" environment that spans all storage platforms. And that key manager has to work with a common protocol that enables communication between the encryption process itself and the key management tool.

Sepaton's S2100 encryption enables integration with enterprise key managers that are compliant with the Organization for the Advancement of Structured Information Standards Key Management Interoperability Protocol (OASIS KMIP) 1.0/1.1 specification. OASIS is an international, not-for-profit consortium for the development, convergence, and adoption for the global information technology world, and includes IT "household" names, such as EMC (RSA), HP, IBM, and NetApp.

Next page: Interoperability Rules

  • 1