Choices include software-based encryption, switch-based encryption, drive- or library-based encryption, and dedicated appliances.
By Michele Hope
Protecting personal and private customer or employee data has become something of a national crusade these days. Unfortunately, so has the need to publicly expose any company that fails to adequately protect the sensitive data under its care. Missing backup tapes are often the culprit, as are laptops whose mobility can also mean sensitive data ending up in the wrong hands.
Increasingly, companies have begun to turn to a growing line of encryption options to help them avoid the twin pains they might otherwise face: potential fines for non-compliance with various state or federal privacy regulations, and the loss of brand identity and customer loyalty that could result from costly public disclosure of a security breach.
In legal circles, an increasingly popular way to combat such risks is to encrypt sensitive data wherever you (or legislators) have determined there is a good chance of unwanted exposure. Stopping a few steps short of the Holy Grail of storage security, encryption of data-at-rest is nonetheless gaining momentum as a legal "safe harbor": most state breach-notification laws exempt data that was encrypted when it was lost, so encryption can simultaneously help prove a company's good-faith efforts to comply with privacy rules and significantly reduce the company's risk of a reportable data breach. The exemption assumes the keys were not lost along with the data, which is why key handling matters as much as the cipher.
Encryption’s expanding reach
Previously the bastion of highly regulated financial, government, and healthcare industries, the need to encrypt data has now spread to other enterprises whose daily business consists of handling customer credit card numbers, employee social security numbers, salary information, highly sensitive intellectual property, etc.
Not surprisingly, the two areas where data encryption solutions are seeing the most activity of late include protection of data-at-rest on backup tapes and efforts to protect data stored on laptops, according to Jon Oltsik, senior analyst at the Enterprise Strategy Group (ESG). While some vendors also offer encryption of data-at-rest for both backup tapes and disk arrays, Oltsik doesn’t see array-based encryption attracting many users. “For every one company we find doing disk array-based encryption, we see 10 doing tape encryption,” he says.
In his assessment of the current growth areas for data-at-rest encryption, Oltsik is not alone. Rich Mogull, a research vice president of information security and risk at the Gartner Group IT consulting firm, also cites the same two market segments, encryption of backup tapes and laptops, as those currently getting the most traction among end users.
Focusing on the enterprise storage side of encryption, the remainder of this article explores how today’s IT organizations have decided to approach the many backup-related encryption solutions now available.
Encryption of backup data can be performed at several points in the backup infrastructure. One of the oldest methods is software-based encryption, which is available in most backup applications and runs on the backup client or the backup (media) server.
However, analysts note that this approach has a number of drawbacks, at least for enterprises with large-scale backup and encryption requirements. For example, the amount of client or server CPU cycles needed to conduct software-based encryption could lead to backup performance penalties, not to mention tying up the clients or servers needed to run encryption. “The performance drag from software-based encryption can be around 20% on the CPU,” says Steve Norall, an analyst with the Taneja Group research and consulting firm.
Yet that hasn't been the experience of Kevin Donnellan, assistant CIO at the Screen Actors Guild-Producers Pension and Health Plans (SAGPH). A long-time Veritas NetBackup shop, SAGPH had investigated encrypting its DLT backup tapes to help protect the sensitive salary and health information of both its famous and not-so-famous Hollywood members. Needing to back up close to 100 servers nightly within an already-tight, seven-hour backup window, Donnellan admits he wasn't too keen on the idea of installing NetBackup's client-based encryption option on each of his systems or adding much extra time to complete his backups.
That sentiment began to change when he heard that Symantec was working on a Media Server Encryption Option (MSEO) for NetBackup that placed encryption processing on a centralized server, as opposed to the client. After beta testing the impact of NetBackup MSEO on current backup jobs, Donnellan was happy to see encryption add only what he estimates was between 5% and 8% extra overhead to the company's current backup window, as opposed to the 40% to 45% he'd seen when testing NetBackup's client-based encryption option.
Encryption keys are replicated to a second media server at the company’s disaster-recovery site to help ease the pain of restoring previously encrypted tapes. “If we ever need to do a restore, we have the key in both of those servers. So you basically mount the tape, and NetBackup will find the key it needs to decrypt it.”
Although ESG’s Oltsik says he seldom sees software-based encryption of backup tapes as a solution for enterprise installations, he notes a few places this type of solution can still apply. “One exception is architectural changes with disk-to-disk backup, which then may get dumped to tape. In that area, we’re starting to see more software-based encryption,” he says, since backup windows tend to become less of an issue.
One customer fitting this profile is Naugatuck Savings Bank, an East Coast community bank with surrounding area branch offices. According to network manager Craig Wallace, the bank had been struggling for some time with the growing inefficiencies of managing backups to tape on a wide range of its servers at its main corporate site. With no networked tape drive or library, backups had become a time-consuming manual process, while still leaving open the prospect that the tapes could be compromised somewhere during their frequent trips to off-site storage.
Wanting to avoid making the headlines for data breaches like some of its larger bank counterparts, Naugatuck decided to convert its infrastructure to a disk-to-disk backup paradigm. Wallace reasoned this would simultaneously make backups more efficient and replace the company’s riskier tape process with what he thought would be a more secure disk-based solution.
Wallace turned to EVault’s InfoStage, an application-level software solution with the ability to encrypt backup data from end to end in the backup cycle. With InfoStage, users have the option to encrypt either when they are setting up a backup job or when it is transported over the wire to an InfoStage server-based vault via 128-bit encryption.
"InfoStage allowed for encryption in all phases, while doing the transport and during the backup process. Once on the backup medium, it was already encrypted. Then, if you were to archive the data off to a secondary storage system, it's encrypted there also," says Naugatuck Savings' Wallace, who claims he hasn't noticed any major overhead with backups using software-level encryption. Since EVault's system backs up only block-level changes and new files with its DeltaPro technology, Wallace didn't experience any challenges with backup windows or extra encryption processing overhead.
Other ways to encrypt
Another option for encrypting data on tape (and disk) is to use purpose-built encryption appliances from vendors such as NeoScale and Network Appliance’s Decru division. These inline appliances can encrypt backup data at wire speed and typically reside between the backup server and the tape media.
Yet another option is hardware-based encryption at the tape library level, which is offered by Spectra Logic (see "R.C. Willey opts for library-based encryption," below).
A more recent alternative is tape drive-level encryption, which is available on certain half-inch tape drives from vendors such as IBM and Sun/StorageTek, as well as the more recently introduced LTO-4 tape drives.
(For more information on LTO-4, see “Tape market update: LTO’s the bright spot,” p. 24.)
All of the LTO-4 tape drive manufacturers—including Hewlett-Packard, IBM, Quantum, and Tandberg—will offer drive-level encryption (at press time, IBM was the only vendor shipping LTO-4 drives), as will LTO library manufacturers such as Fujitsu, Hewlett-Packard, IBM, NEC, Overland Storage, Qualstar, Quantum, Spectra Logic, Sun/StorageTek, and Tandberg.
Tape drive-level encryption, which is implemented in hardware, is relatively inexpensive, although it may require a media upgrade (an LTO-4 drive encrypts only when writing LTO-4 cartridges, not older-generation media it can otherwise still write), and does not incur the performance penalties of software-based encryption. Bruce Master, senior program manager for tape marketing at IBM, claims that encryption performed by an LTO-4 tape drive has a performance hit of less than 1%.
Encryption is also available from switch vendors such as CipherMax and Cisco. These vendors claim that encryption from within the storage fabric scales better than growing clusters of appliances. Switch vendors also argue that fabric-based encryption may be an option for companies that can’t afford to swap out their current investment in tape systems with the latest encryption-enabled drives or libraries.
CipherMax has been delivering encryption solutions for some time, and Cisco recently entered the fabric-based encryption space when it announced its Storage Media Encryption (SME) option in May. At the same time, Cisco announced a strategic alliance with RSA, the security division of EMC, to offer joint customers the choice of managing their encryption keys via RSA Key Manager or from within Cisco's own fabric management tool set.
Which way to go?
All of the various encryption options have pros and cons, and advice from analysts is mixed. Gartner’s Mogull, for example, is quick to note that most encryption options are relatively new. Until the market matures and different approaches shake themselves out, he recommends ignoring the hype and says users should “stick with the stuff that’s already being deployed.”
ESG’s Oltsik tends to lean toward the use of high-speed encryption appliances, especially if you’re encrypting backups under a very tight backup window. However, he notes that “if you have a tight backup window and are switching out tape drives or libraries, then [you might want to] consider drive-level encryption. If you’re doing disk-to-disk backup and don’t need a lot of performance, you might want to consider software-based encryption.”
The direction you choose for encryption of data-at-rest depends not only on where you choose to perform the encryption process, but also on how and where you plan to decrypt the data that has already been encrypted. A tape that can be written at the primary site but not read at the recovery site, because the key that encrypted it was never copied there, is a failed backup, not a protected one.
“Encryption is actually pretty easy to do,” says Michele Borovac, director of marketing at Decru, “but decryption poses more of a problem.”
Focus on strategy
Beyond evaluating the pros and cons and costs of the various encryption options, the Taneja Group’s Norall recommends focusing on each solution’s (and vendor’s) key management strategy and implementation details.
"From a storage security 'end-point' perspective, we've found that most environments are very heterogeneous," says Norall, referencing results from a March 2007 storage security survey the firm conducted. "We're seeing backup software-level encryption, tape drive-level encryption, and dedicated appliances, sometimes all in use at the same enterprise."
Although this diversified approach may stop the short-term bleeding for specific encryption needs in an organization, Norall believes it may also cost the enterprise in the long run.
“Yes, you need to stop the bleeding, but by just stopping the bleeding you may incur management issues down the road,” he says, especially in the area of managing the growing assortment of encryption keys from each disparate solution.
Some areas to focus on with regard to key management include the process to archive and back up encryption keys, how the key system will operate in case of a disaster, and how to perform secure key exchange or key sharing with business partners, when needed.
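The key-management points listed above, together with the SAGPH restore procedure described earlier (keys held on media servers at both sites so that a restore can find the key it needs), can be made concrete with a small added example. This is illustrative code written for this page, not the article's or any vendor's product; the `KeyStore`, `Tape`, `WriteTape` and `RestoreTape` names are assumptions. It models the envelope scheme most tape-encryption products use: a random data-encryption key (DEK) per cartridge, stored only in wrapped form under a key-encryption key (KEK) held by the key manager, with the DEK's identifier written in the clear in the tape header so the restoring site can look it up. The cipher is AES-256-GCM, which is also what LTO-4 drives implement. The example shows the two failure modes a practitioner cares about: a restore at a site whose key store was never replicated fails with "no key for ID", and a cartridge whose payload was altered fails authentication rather than yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyStore stands in for a key manager (hypothetical type, not a vendor API).
// The primary media server and the DR site each run one; both hold the same
// KEK, so replicating the wrapped DEKs is enough to restore a tape at either.
type KeyStore struct {
	kek  []byte            // 256-bit key-encryption key; never written to tape
	keys map[string][]byte // key ID -> DEK wrapped with AES-256-GCM under kek
}

func NewKeyStore(kek []byte) *KeyStore {
	return &KeyStore{kek: kek, keys: map[string][]byte{}}
}

func randBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// seal returns nonce||ciphertext||tag with a fresh random nonce; aad is
// authenticated but not encrypted, so it may be stored in the clear.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, err := randBytes(g.NonceSize())
	if err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails closed if tag, nonce, key or aad do not match.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// NewDataKey mints a random DEK for one cartridge, stores it wrapped under the
// KEK (AAD = key ID, so a wrapped key cannot be re-labelled), and returns the
// ID that goes in the tape header along with the plaintext DEK for the drive.
func (ks *KeyStore) NewDataKey() (string, []byte, error) {
	dek, err := randBytes(32)
	if err != nil {
		return "", nil, err
	}
	idb, err := randBytes(8)
	if err != nil {
		return "", nil, err
	}
	id := hex.EncodeToString(idb)
	wrapped, err := seal(ks.kek, dek, []byte(id))
	if err != nil {
		return "", nil, err
	}
	ks.keys[id] = wrapped
	return id, dek, nil
}

// Lookup unwraps the DEK for a key ID. An unknown ID is the DR failure mode:
// the tape is readable only at a site whose store received this key.
func (ks *KeyStore) Lookup(id string) ([]byte, error) {
	wrapped, ok := ks.keys[id]
	if !ok {
		return nil, fmt.Errorf("no key for ID %s in this key store", id)
	}
	return open(ks.kek, wrapped, []byte(id))
}

// Replicate copies wrapped DEKs to a second store sharing the same KEK (the
// "second media server at the disaster-recovery site" of the article).
func (ks *KeyStore) Replicate(dst *KeyStore) {
	for id, w := range ks.keys {
		dst.keys[id] = append([]byte(nil), w...)
	}
}

// Tape is a constructed stand-in for an encrypted cartridge: key ID in the
// clear in the header, payload encrypted under that cartridge's DEK.
type Tape struct {
	KeyID   string
	Payload []byte
}

func WriteTape(ks *KeyStore, data []byte) (Tape, error) {
	id, dek, err := ks.NewDataKey()
	if err != nil {
		return Tape{}, err
	}
	payload, err := seal(dek, data, []byte(id)) // bind payload to its key ID
	if err != nil {
		return Tape{}, err
	}
	return Tape{KeyID: id, Payload: payload}, nil
}

func RestoreTape(ks *KeyStore, t Tape) ([]byte, error) {
	dek, err := ks.Lookup(t.KeyID)
	if err != nil {
		return nil, err
	}
	return open(dek, t.Payload, []byte(t.KeyID))
}

func main() {
	kek, _ := randBytes(32) // in production the KEK lives in an HSM/key manager
	primary, dr := NewKeyStore(kek), NewKeyStore(kek)
	tape, _ := WriteTape(primary, []byte("constructed sample: member salary records"))
	_, err := RestoreTape(dr, tape)
	fmt.Println("DR restore before replication:", err)
	primary.Replicate(dr)
	out, err := RestoreTape(dr, tape)
	fmt.Printf("DR restore after replication: %q err=%v\n", out, err)
}
```

Backing up the key store (the first item in the list above) means backing up the wrapped DEKs plus the KEK held elsewhere; with this layout the wrapped-key table can travel on ordinary media, while losing the KEK loses every tape at once, which is the reason the KEK belongs in a key manager or HSM with its own escrow procedure.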
This is one reason why groups such as the IEEE 1619.3 committee and the Trusted Computing Group (TCG) are developing more-unified storage security standards surrounding key management. It’s also why a variety of vendors have begun to form strategic relationships to further a future key management world where data encryption keys co-exist and are jointly managed with other security keys on a more federated scale.
Michele Hope is a freelance writer covering enterprise storage and networking issues.
R.C. Willey opts for library-based encryption
After evaluating a number of encryption options, R.C. Willey Home Furnishings decided to go with tape library-based encryption.
Facing rapid business growth, IS director Ned Jones decided it was time to institute more enterprise-level practices to back up and protect the company's data. Accustomed to hand-carrying backup tapes to the company's small off-site location several miles away, Jones began to map out a plan for a new off-site disaster-recovery center at one of the company's facilities in another state. As part of the plan, Jones knew his hand-carrying of backup tapes would have to be replaced by less trustworthy modes of transit (mail or trucks), where he'd need to encrypt the tapes to avoid a potential data breach.
Jones ended up selecting a Spectra Logic T950 tape library and two T120 libraries, with all encryption keys managed by Spectra Logic's BlueScale Encryption software. The libraries include hardware-based encryption.
Although the libraries currently use S-AIT drives and tapes, Jones looks forward to switching to LTO-4 drives in the coming months for better capacity. Spectra Logic will continue to support library-level encryption in previous LTO generations, but will leverage drive-level encryption with LTO-4 drives. While Jones may benefit from the added performance that drive-level encryption provides, he notes that the hardware-based, library-level encryption solution he now uses has met his top-two concerns: cost and minimizing the impact that encryption has on existing backup jobs.
Jones compared the cost of encrypting with the Spectra Logic library against stand-alone encryption appliances. In the end, he felt the standalone appliances were too pricey, estimating they were as much as 2x or 3x the price of the Spectra Logic solution. The impact of encryption on backup jobs so far has also not been as much as he had expected.