Iron Mountain Encrypts Itself

After years of warning customers to protect their data, Iron Mountain is taking its own advice with 14 new security appliances from Decru, the Network Appliance subsidiary, to encrypt corporate information on internal backup tapes.

According to Iron Mountain CIO Kevin Roden, full-scale encryption will be implemented in April, across three data centers in northwestern Pennsylvania, Kansas City, and the U.K. These are all locations where corporate information is backed up. Information like human resources files.

In addition, extra security for data contained on laptops (accounting for roughly 60 percent of corporate information, according to Roden) is being secured through a partnership with Beachhead Solutions Inc., which makes software that encrypts laptop data and automatically destroys it when a computer goes missing.

It wasn't always this way. Formerly, Iron Mountain selectively encrypted internal data. But toward the end of 2005, the company had been part of at least one big story about compromised information -- the Time Warner Inc. snafu in which records on hundreds of thousands of employees were lost on the way to Iron Mountain's tape vault. (See The Year in Insecurity and Iron Mountain Keeps Truckin'.)

It was a wakeup call. Iron Mountain began encrypting all customer data it handled online and recommending the use of Decru appliances for tapes delivered to its sites. Internally, a review to better address what the firm was doing in house was begun.Roden's group had been using software-based encryption that went with its NetBackup software from Veritas, but it quickly became apparent that wouldn't work when it came to encrypting Iron Mountain's inventory of over 100,000 internal tapes. "It was very inefficient to use software encryption," Roden says. "It requires excess server capacity and it extends the backup and recovery windows."

Roden's group investigated the market and narrowed down his choice of encryption to appliances from Decru/NetApp and competitor NeoScale Systems. The appliances, which sit between the backup server and tape drive, encrypting without requiring changes to either unit, appealed to the group's desire to keep things as simple -- and as cheap -- as possible.

The choice of Decru wasn't easy, despite Iron Mountain's resale partnership. "Both Decru and NeoScale were fine products and would meet our criteria," Roden reports. But last summer when he looked at the NeoScale box, it required a bit of extra administration. To get all of the data to work with NeoScale's system would have required Roden's team to add an electronic tag to each file. That was just too much administrative overhead to make it worthwhile.

NeoScale says the problem has been fixed since Iron Mountain's evaluation. "We have upgraded the software substantially to include simple manageability with the backup apps [the problem noted above]... automated key catalogue for backup, and automated disaster recovery for multi-site applications. These features have been in the product since early summer last year," writes NeoScale CEO Barbara Nelson in an email.

NeoScale's fix didn't come in time. Roden installed eight Decru/NetApp appliances initially last summer, and his team just ordered six more. Roden's not saying what he paid for the total, but list prices for Decru units range from $25,000 to $100,000 apiece depending on the number of ports and the type of storage supported.Iron Mountain still uses Veritas, and Roden is clear about the fact that his evaluation might not have been the same if the choice were made today with improved NeoScale products. But he's content so far. "We have a new level of protection and no one had to learn anything new."

Mary Jander, Site Editor, Byte and Switch

Organizations mentioned in this article: