People's United Bank Turns to Encryption to Protect Backup Tapes

It seems the number of security breaches in recent years has been uncountable. While some breaches, such as the outright hacking of Web servers and databases, can be blamed on criminal hackers, many other breaches -- too many -- involve loss of customer data that could have been avoided if advanced precautions had been in place. One of the most common steps would have been to encrypt backup tapes. Once encrypted, tapes are a bunch of gibberish even if they are lost and end up in the hand of criminals.

Consider the year 2005. That year, online trading company Ameritrade disclosed that the vendor that handles its backup tapes misplaced a tape that contained information on about 200,000 of its customers. Financial firm Citigroup also had to admit that a backup tape holding data on nearly 4 million of its retail customers was lost. Even storage provider Iron Mountain has to admit that year that it lost a number of customer backup tapes. There were many more such gaffes that year, which also was the year that People's United Bank, based in Bridgeport, Conn., sought a way to ensure it didn't lose any unencrypted tapes.

"Our board decided that we had to do something to secure our backups, and that we had to do it fast," said Mark Depathy, senior infrastructure engineer at People's United Bank. "We knew that if they were encrypted and lost, whoever found them would just have a hunk of plastic."

At that time, surprisingly, there weren't many efficient ways to go about encrypting mainframe backup tapes. "The market wasn't filled with products to fill our need. What we initially wanted was the ability to encrypt and manage all of our backup tapes centrally, across all of our platforms. That capability wasn't there for us," Depathy said.

Depathy, whose responsibility includes managing the bank's z/OS mainframes, examined a number of options on the market. Most involved appliances that sit between the mainframe and the backup units and encrypt the tape as it flows through. But Depathy saw problems with that approach."The cryptography keys reside in the hardware. If a fire strikes, do you really want to be forced to go through the rubble searching for the appliance? For security and recovery purposes, we take our backup tapes off-site every day," he said. At the time, CA Inc. (Nasdaq: CA) offered Depathy the opportunity to trial a beta version of its new CA Tape Encryption software. Pricing for the software starts at $27,295.

Unlike tape encryption appliances, CA's software provided a seamless way for People's United Bank to manage its encryption keys off-site. As an added layer of security, the key is produced based on a number of attributes unique to the hardware on which it is being used. While the backup tape only holds a pointer to the key, the key also is written off-site to the bank's disaster recovery site. "Once the tape is encrypted and the key is generated, you not only have to have the key, but the key has to match the hardware," he said.

Many vendors now offer backup tape encryption, and some like Sun Microsystems Inc. (Nasdaq: JAVA), IBM Corp. (NYSE: IBM), Hewlett-Packard Co. (NYSE: HPQ), and Quantum Corp. (NYSE: QTM) have built encryption into their systems. That may be fine for small businesses, who can get away with using a single key and making sure its backed-up off-site. But larger companies often need to segregate data, which means multiple keys. Such companies can use CA's Tape Encryption, or look into an enterprise key management system from NetApp Inc. (Nasdaq: NTAP), nCipher Corp. Ltd. , or Spectra Logic Corp.

It turned out that the bank's gamble on CA's beta software paid off, but there was another problem.

"We had a mountain of tapes that were not encrypted," Depathy noted. That mountain consisted of 30,000 tapes, to be specific. And getting all of them encrypted proved quite the challenge. Because of its internal policies, the bank couldn't keep any one tape on-site for more than 24 hours. "Every other day, we recalled 300 tapes to be encrypted over a period of three months," he said.Was the effort worth it? The bank thinks so. Now if a tape can't be accounted for, falls off a truck, or is stolen, only the bank need worry, not regulators, nor most importantly its customers. "Now we encrypt everything," Depathy said.