Architecting for Data Security: Page 7 of 8

Encryption is the best way to protect that tape data. Interestingly, options for tape encryption range from backup software that handles the encryption, to appliances on the network handling the encryption, to the tape drive itself handling the encryption. The biggest concern when evaluating encryption options should not be where the encryption takes place, but how the keys are handled. It is difficult to maintain hardware to access the archived data on old tapes, and it's even more difficult to find a key that may have been changed hundreds of times since the tape was written.

There are, however, plenty of options for key management, ranging from storing the keys on the physical tape--not on our list of suggested solutions--to centralized repositories that handle the storage, issuing and replacement of keys. If encryption is performed in several parts of your network, consider a product such as RSA's Key Manager or VeriSign's Key Management Services.

Storing keys on tape is extremely risky, and perhaps actually helpful to malicious hackers. Even encrypted keys stored on tape provide information that could be exploited by attackers to expose all the data on the tape.
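The sketch below shows the centralized alternative: nothing key-related is written to the tape, and the repository records which key version each tape received so a restore still works after hundreds of rotations. It is an added example, not code from the article or from any product named above. The `KeyRepository` class, its method names and the tape labels are hypothetical, and an in-memory dictionary stands in for a hardened key store.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class KeyRepository:
    """Hypothetical central key store; the tape itself carries only its label."""
    _keys: dict = field(default_factory=dict)    # version -> 32-byte key
    _tapes: dict = field(default_factory=dict)   # tape label -> (version, check value)
    _active: int = 0

    def rotate(self) -> int:
        """Create a new active key; earlier versions are retained for restores."""
        self._active += 1
        self._keys[self._active] = secrets.token_bytes(32)
        return self._active

    @staticmethod
    def _check_value(key: bytes, label: str) -> str:
        # Keyed digest of the label, kept in the repository (never on tape),
        # so a swapped or corrupted key record is caught before a restore.
        return hmac.new(key, label.encode(), hashlib.sha256).hexdigest()[:16]

    def key_for_write(self, label: str) -> bytes:
        """Issue the active key for a new tape and record which version it got."""
        if label in self._tapes:
            raise ValueError(f"tape {label} already has a key assigned")
        key = self._keys[self._active]
        self._tapes[label] = (self._active, self._check_value(key, label))
        return key

    def key_for_restore(self, label: str) -> bytes:
        """Return the key the tape was written with, however old it is."""
        version, expected = self._tapes[label]
        key = self._keys[version]
        if not hmac.compare_digest(self._check_value(key, label), expected):
            raise RuntimeError(f"key v{version} does not match tape {label}")
        return key

    def version_of(self, label: str) -> int:
        return self._tapes[label][0]


def demo() -> tuple:
    repo = KeyRepository()
    repo.rotate()
    old_key = repo.key_for_write("TAPE-0001")    # constructed tape label
    for _ in range(300):                         # key changed hundreds of times
        repo.rotate()
    new_key = repo.key_for_write("TAPE-0002")
    return (repo.key_for_restore("TAPE-0001") == old_key,
            repo.version_of("TAPE-0001"), repo.version_of("TAPE-0002"),
            old_key != new_key)
```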

In the end, by keeping abreast of available technologies and knowing what data is most critical, you can protect it. Today's tools are increasingly focusing on protecting important data first, so to take advantage of that approach, you need to actually know what data is most important. Regulations will certainly force more data into the "important" bucket than was there in the past, but if your architecture is well-thought-out, moving data from "highly protected" to "protected" or vice versa isn't a big deal.

Don MacVittie is a senior technology editor at Network Computing. Write to him at dmacvittie@nwc.com.