Symantec encrypts at the media server

By Dave Simpson

Symantec added another level of encryption this month with the introduction of Veritas NetBackup Media Server Encryption Option (MSEO). As the name implies, the software encrypts data at Symantec’s Media Server, a dedicated backup server that sits in front of tape drives/libraries. This is in contrast to approaches that encrypt at the client, hardware appliance, or tape drive/library levels. With all of these approaches, the goal is to protect the data on backup tapes that are transported off-site.

MSEO isn’t Symantec’s first venture into encryption. Earlier this year the company introduced NetBackup PureDisk Remote Office Edition, which provides in-flight and on-disk encryption, an integrated key management system, 256-bit agent-based encryption, and replication. And in mid-2004, Symantec added 128-bit and 256-bit encryption to its NetBackup Client Encryption Option (CEO).


Encrypting at the media server level overcomes some of the drawbacks to client-based encryption, which typically suffers from a manual key management process and consumes overhead on the clients. MSEO, which is integrated with NetBackup policies, includes centralized and automated key management and reduces the overhead caused by encryption because most sites have plenty of available CPU cycles on their media servers to handle encryption, according to Symantec officials.

Software-based encryption on the media server provides an alternative to dedicated, hardware-based encryption devices, which are available from vendors such as NeoScale and Network Appliance’s Decru division. While admitting that hardware-based encryption appliances provide the highest level of performance, Mike Adams, Symantec’s group manager of NetBackup product marketing, claims that MSEO can be as much as 50% less expensive than hardware-based appliances.

That doesn’t mean that MSEO is cheap. Pricing includes a one-time charge of $10,000 for the key management system, and pricing for MSEO starts at $5,000 for Windows or Linux platforms and $10,000 for Unix platforms. Pricing escalates depending on the number of clients.

Media Server-based encryption is also an alternative to encrypting at the tape drive/library level, an approach that is available from vendors such as Sun/STK and IBM (tape drive level), Spectra Logic (tape library level), and others. One advantage of encrypting at the media server vs. tape device level, according to Symantec’s Adams, is that MSEO is fully integrated with the NetBackup software.

Finally, encrypting on the backup server is an alternative to client-based encryption, an approach that is available from some of Symantec’s competitors, such as CA, EMC/Legato, and IBM/Tivoli (as well as Symantec).

Jon Oltsik, a senior analyst in the Enterprise Strategy Group’s information security practice, says that performing encryption on the media server is unique to Symantec and that some of the key advantages include centralized control and cryptographic processing.

“In the near future, all of the backup vendors will have to support many different encryption architectures,” says Oltsik. “Encryption can be done at the client or server, but you can also use an appliance or library- or drive-level encryption.

“It’s likely that large IT organizations will eventually have a mix of everything, and somehow these disparate solutions will need to be integrated,” adds Oltsik.

Additional features of Symantec’s MSEO include support for compression, NDMP, disk staging, centralized key management across multiple NetBackup domains, 128-bit or 256-bit key sizes, and support for multiple media servers with one key manager.

The software works with NetBackup 5.1 and 6.0. MSEO is based on Vormetric’s CoreGuard technology.

This article was originally published on January 01, 2007