Encrypt the Hard(ware) Way

Appliances hold the key to superior encryption

October 25, 2005

Unless you've been living on Mars, it should be clear by now that sensitive corporate data – especially data archived on tape – should be encrypted.

As the October Byte and Switch Insider, Storage Security: Pay Attention or Pay the Price, points out, more than 50 million Americans have had their personal information compromised since February. Some of the largest breaches involved lost tape, according to the non-profit consumer information and advocacy organization Privacy Rights Clearinghouse (PRC).

Although only one piece of effective data security, encryption is the most logical solution for preventing problems caused by lost tape. Encrypted data can't be read by unauthorized eyes, and it spares the organization that loses the data from having to make a humiliating public admission.

The decision about encryption shouldn't be if, but rather how – and even that shouldn't be much of a debate anymore. Tape encryption can be handled in backup software applications or in hardware appliances that plug into the SAN.

But data security experts say the best way to encrypt is through hardware-based encryption, via appliances such as those sold by Decru, NeoScale, Kasten Chase, and Vormetric. Appliances have built-in processors to handle encryption as well as management of decryption keys.

"Encryption appliances are the only effective way of doing it," says Jim Damoulakis, CTO of storage consultant Glasshouse Technologies. "Software is too painful to use on a large scale."

Damoulakis says there are two problems with software encryption. Software uses CPU cycles, and this overhead slows down backups. The other problem is that backup applications require users to shut off compression when encrypting. In the case of backup applications, that means more storage capacity is needed, and backups take significantly longer.
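The compression penalty described above can be measured directly. The following is an added example, not code from the article or from any vendor it names: it compares the bytes that reach tape when the compressor sees ciphertext versus plaintext. The SHA-256 counter keystream is a stand-in cipher, and the sample records and key are constructed for the demonstration.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA-256(key || counter) blocks.

    For illustration only; it is not any vendor's cipher, and real products
    use a vetted algorithm such as AES.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def sample_backup(records: int = 5000) -> bytes:
    """Constructed sample data: repetitive, database-export-like records."""
    return b"".join(
        b"cust_id=%08d;status=ACTIVE;region=US-EAST;balance=0000100.00\n" % i
        for i in range(records)
    )


def bytes_on_tape(data: bytes, key: bytes) -> dict:
    """Bytes written to tape for each ordering of compression and encryption."""
    return {
        "raw": len(data),
        "compress_only": len(zlib.compress(data)),
        # Compressor sees ciphertext: nothing left to squeeze out.
        "encrypt_then_compress": len(zlib.compress(keystream_xor(key, data))),
        # Compressor sees plaintext, cipher runs on the smaller result.
        "compress_then_encrypt": len(keystream_xor(key, zlib.compress(data))),
    }


if __name__ == "__main__":
    sizes = bytes_on_tape(sample_backup(), b"constructed-demo-key")
    for name, size in sizes.items():
        print(f"{name:22} {size:8d} bytes  ({size / sizes['raw']:.0%} of raw)")
```

Ciphertext is statistically indistinguishable from random data, so any compression stage placed after encryption, including a tape drive's own, recovers nothing.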

Still, backup software applications are adding encryption options. EMC added encryption to its latest version of Legato NetWorker backup, announced today, after offering encryption with its Dantz Retrospect application in June. (See EMC Pulls Forward With Backup.)

Symantec, Hewlett-Packard, CommVault, BakBone, and Atempo all build encryption into backup software. (See Backup Encryption Mulled.) None of them argue that software encryption is more efficient.

"The advantage of an appliance is it has a processor in it, so you're shifting that load to the appliance," Symantec director of product marketing Glenn Groshan admits. "But if you look at cost at some of the appliances, it's not free." Encryption appliances start at around $25,000.

EMC software product marketing director Rob Emsley says software encryption can suffice for small amounts of data. "Whether you use hardware or software encryption depends a lot on the amount of data being encrypted," he says.

Encryption appliances are increasingly building their capabilities to handle larger and more dispersed loads. Decru, in its first major product release since it was acquired by Network Appliance in June, today rolled out a ten-port appliance for tape libraries and a six-port appliance for SAN disk and tape. (See NetApp Buys Decru.) All of its previous appliances were two-port configurations. Decru and NeoScale also beefed up disaster recovery capabilities by letting customers replicate their decryption keys to remote sites.

Iron Mountain has been calling for the encryption of tapes since it lost truckloads of Time Warner backup tapes containing information on hundreds of thousands of employees. (See A Tale of Lost Tapes.) Last month, Iron Mountain announced it is encrypting its own tapes with Decru's tape appliance. (See Iron Mountain Calls for Encryption.) Iron Mountain CIO Kevin Roden says his firm evaluated all types of encryption before determining the appliance route was best.

"Using an appliance didn't change our business process," Roden says. "We back things up the same way we did before. We didn't lose the value of compression. One of the most important things is we didn't add additional overhead to our backup windows or recovery time. We didn't have to add servers."

Still, he stresses, even the best encryption is not a total data-security program. "The encrypting of portable data is one step of the overall security process," Roden says. "Other things you have to consider range from how you protect your perimeter with a firewall, to how you deal with denial-of-service attacks, to how you set up access rights and privileges inside your company."

– Dave Raffo, Senior Editor, Byte and Switch

The report, Storage Security: Pay Attention or Pay the Price, is available as part of an annual subscription (12 monthly issues) to Byte and Switch Insider, priced at $1,350. Individual reports are available for $900. To subscribe, please visit: www.byteandswitch.com/insider0
