Tape Encryption Choices

I’m a proponent of tape elimination solutions that entirely remove tape from the data protection design, or at least eliminate the tape export and transport to offsite storage. There are several solution paths you can go down, such as deduplication with replication or an online backup service, to name a few.
What if you just can’t get around the tape shuffle two-step though? Whenever humans like you or me get our hands on a tape, we open ourselves to the risk of tape loss. If you’re worried about tape loss, the next solution to consider is tape encryption. So what are your design options for implementing tape encryption? Here are four competing tape encryption design approaches to consider.
Backup software encryption: This is usually performed on the backup client but some vendors can encrypt on the media server as well. Most backup software vendors have a software option for encryption.
SAN appliance-based encryption: A device that resides in the data path between the backup server and the tape drive. The device intercepts the data stream and encrypts it on its way to the tape drive.
Tape drive hardware encryption: Some tape drives include optional hardware support for encrypting data as it is written to tape. Hardware encryption requires software to support the encryption management function.
SAN network encryption: SAN port traffic is rerouted through the encryption engine within the SAN switch with no rewiring of the SAN. Encryption is implemented as a port-by-port service, as opposed to the SAN appliance solution described above.
With all these solutions, key management is an important consideration. Remember that key management will inevitably add to the recovery process, which is managed by your backup team on a daily basis as well as in a DR situation. Be sure to include the operational cost of encryption and key management in your recovery overhead.
- James Brissenden, GlassHouse Senior Consultant, Storage and Data Protection

22. May, 2009 







Tape encryption and/or alternate ways of backing up data like deduplication and disk-based methods are fine, but completely eliminating tape is just not doable from a financial standpoint for most businesses. It’s just too expensive, especially if your entire system is already set up to back up data using tape drives.
Joe, I agree. It’s a rare thing to see a company go tapeless. I’ve seen it implemented as departmental initiatives or for branch offices. In some sectors like large Financials or Federal, budgeting for a tapeless solution can look very different from the rest of the public sector though.
Another alternative to the daily manual offsiting of tapes would be cross site backup. Automatic tape offsiting would obviously require a few things like at least two datacenters at sufficient distance, connected by large pipes, with duplicate equipment (libraries, tapes, drives…). I’ve seen this solution to the offsiting problem work really well. As the financials of tapeless solutions change, and regulations like HIPAA or the California Security Breach Information Act (aka CA SB 1386) become more stringent, tapeless solutions should get more consideration. In the meantime, backup to tape, and the risk of tape loss and breach of sensitive information will prevail.
Stay tuned. I have another blog coming soon that discusses encryption key management. Thanks for your input.
-James