Storage

12:29 PM
David Hill
David Hill
Commentary
50%
50%

Encrypting Backups Requires Key Planning

Some enterprises are adopting an "encrypt everything" policy to address the confidentiality and security of data, including on backups. A new backup product from Sepaton separates encryption from key management.

Confidentiality is a key objective of data protection. Encryption is the most commonly accepted technology for ensuring the confidentiality and security of data. Yet, even though enterprises recognize the need for and importance of encryption, the rate of adoption has been uneven to say the least. Concerns about proper key management, potential performance impacts, and cost are grains of sand in the gears of progress.

Yet progress is being made in different pieces of the IT information infrastructure puzzle. As part of the recent introduction of Sepaton's S2100-ES3 Series 2925, the latest member of its data protection appliance family, the company announced encryption of data at rest as an option. This will serve as a concrete illustration of the general approach that needs to be taken not only within the disk-to-disk backup piece of the information infrastructure puzzle, but should have applicability to other pieces as well.

Encrypt Everything?

The importance of maintaining the confidentiality and security of data is growing across the enterprise. Failure can result not only in public embarrassment, but also in serious financial costs.

While all that is true, why encrypt backups? An information thief would have a hard time gaining access to backup data and making sense of it, especially in a deduplicated format. However, what about disk drives that are removed from an array containing backup information for maintenance purposes? What about insiders who may be able to access the data from behind the firewall?

To prevent the possibility of both outsider and insider breaches, many enterprises are moving to an "encrypt everything" strategy. That means encrypting both sensitive and non-sensitive data.

Why protect information for which exposure would create no harm? One reason is that separating sensitive and non-sensitive data is time consuming. Plans to encrypt some data, but not all, could create compliance, process, and management headaches. Because governmental entities often mandate encryption for certain data types, and because what needs to be protected may change over time, encrypting everything enables an organization to increase the likelihood of meeting future compliance requirements.

Still, enterprises are moving carefully for cost and planning reasons. One of the main planning issues is ensuring that all the components in the chain can play nicely together.

Use Standards-Based Tools

Encryption is not only a task (write this set of data to disk in an encrypted manner), but also a process (make sure that the keys to decrypt the data are always available, even in the case of a disaster). A critical decision for an enterprise is to settle on an enterprise key manager that provides a single point of management for all keys. No one wants to have to worry about having to manage more than one set of key tools in an "encrypt everything" environment that spans all storage platforms. And that key manager has to work with a common protocol that enables communication between the encryption process itself and the key management tool.

Sepaton's S2100 encryption enables integration with enterprise key managers that are compliant with the Organization for the Advancement of Structured Information Standards Key Management Interoperability Protocol (OASIS KMIP) 1.0/1.1 specification. OASIS is an international, not-for-profit consortium for the development, convergence, and adoption for the global information technology world, and includes IT "household" names, such as EMC (RSA), HP, IBM, and NetApp.

Next page: Interoperability Rules

David Hill is principal of Mesabi Group LLC, which focuses on helping organizations make complex IT infrastructure decisions simpler and easier to understand. He is the author of the book "Data Protection: Governance, Risk Management, and Compliance." View Full Bio
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Slideshows
Cartoon
Audio Interviews
Archived Audio Interviews
Jeremy Schulman, founder of Schprockits, a network automation startup operating in stealth mode, joins us to explore whether networking professionals all need to learn programming in order to remain employed.
White Papers
Register for Network Computing Newsletters
Current Issue
Video
Twitter Feed