Symantec encrypts at the media server

By Dave Simpson

—Symantec added another level of encryption this week with the announcement of its Veritas NetBackup Media Server Encryption Option (MSEO). As the name implies, the software encrypts data at Symantec's Media Server, a dedicated backup server that sits in front of tape drives/libraries. This is in contrast to approaches that encrypt at the client, hardware-based appliance, or tape drive/library levels. With all of these approaches, the goal is to protect the data on backup tapes that are transported off-site.

MSEO isn't Symantec's first venture into encryption. Earlier this year, the company introduced NetBackup PureDisk Remote Office Edition, which provides in-flight and on-disk encryption, an integrated key management system, 256-bit agent-based encryption, and replication. And in mid-2004, Symantec added 128-bit and 256-bit encryption to its NetBackup Client Encryption Option (CEO).

Encrypting at the media server level overcomes some of the drawbacks to client-based encryption, which typically suffers from a manual key management process and consumes overhead on the clients. MSEO, which is integrated with NetBackup policies, includes centralized and automated key management and reduces the overhead caused by encryption because most sites have plenty of available CPU cycles on their media servers to handle encryption, according to Symantec officials.

Software-based encryption on the media server provides an alternative to dedicated, hardware-based encryption devices, which are available from vendors such as NeoScale and Network Appliance's Decru division. While admitting that hardware-based encryption appliances provide the highest level of performance, Mike Adams, Symantec's group manager of NetBackup product marketing, claims that MSEO can be as much as 50% less expensive than hardware-based appliances.

That doesn't mean that MSEO is cheap. Pricing includes a one-time charge of $10,000 for the key management system, and pricing for MSEO starts at $5,000 for Windows or Linux platforms and $10,000 for Unix platforms. Pricing escalates depending on the number of clients.

Media Server-based encryption is also an alternative to encrypting at the tape drive/library level, an approach that is available from vendors such as Sun/STK and IBM (tape drive level), Spectra Logic (tape library level), and others. One advantage of encrypting at the media server versus tape device level, according to Symantec's Adams, is that MSEO is fully integrated with the NetBackup software.

Finally, encrypting on the backup server is an alternative to client-based encryption, an approach that is available from some of Symantec's competitors (as well as Symantec).

Other MSEO features include support for compression, NDMP, disk staging, centralized (vs. manual) key management across multiple NetBackup domains, 128-bit or 256-bit key sizes, and support for multiple media servers with one key manager. The software works with NetBackup 5.1 and 6.0 and will be available next month. MSEO is based on Vormetric's CoreGuard technology.

This article was originally published on December 14, 2006