To encrypt or not to encrypt

Over the last year or so we’ve been barraged by press releases from storage vendors that exploit the issue of lost tapes, which seemed to be an epidemic last year (e.g., Citigroup, Ameritrade, Bank of America, Time Warner). The releases often cite some dubious statistic such as “70% of the companies that lose data go out of business within 18 months.” (You think maybe there were other reasons for their demise?)

However, if you are paranoid about lost tapes, the answer is simple: Encrypt. It can be expensive and might negatively impact performance depending on how you implement it, but it will solve the problem. And you have many options for encryption: in the application itself, in the backup software (but watch out for performance issues), on the tape drives, or in dedicated encryption appliances such as those from Decru and NeoScale.

On the other hand (and I don’t have any statistics to prove this), I doubt that more tapes were lost or stolen in 2005 than in any other year. It’s just that in 2005, companies were more compelled (legally and otherwise) to report lost tapes. In other words, despite the rash of security breaches last year, you’re no more likely to lose tapes now than you were previously.

The vendors exploiting the lost-tapes epidemic are usually those selling disk-to-disk backup/recovery. However, backing up to disk doesn’t solve the problem. I may be wrong, but I think it’s just as easy to break into a building and make off with a 1U disk array as it is to swipe tapes from a truck in transit. And it’s even easier if you happen to work for the company whose tapes you want to steal. Again, the only solution is encryption.

But whether your data is on tape or disk, you have to weigh the cost/performance issues associated with encryption against the paranoia issues.

In any case, with all the hype about lost or stolen tapes and the need for encryption you’d think companies would be flocking to this technology. Not so. A survey of 250 IT professionals conducted by TheInfoPro research firm asked storage professionals which security technologies were important and which weren’t. About half of the respondents said that access control was extremely important, while about 32% cited identity management and only about 21% cited data encryption (see figure). And almost 20% of the firms, most of which were larger enterprises, said that data encryption was “not at all” important.

For more information on storage security, see “IT sets sites on storage security,” on the cover.

Dave Simpson

This article was originally published on February 01, 2006