
Tape Encryption Choices

jamesb1
I’m a proponent of tape elimination solutions that entirely remove tape from the data protection design, or at least eliminate tape export and transport to offsite storage. There are several solution paths you can go down, such as deduplication with replication or an online backup service, to name a few.
What if you just can’t get around the tape shuffle two-step, though? Whenever humans like you or me get our hands on a tape, we open ourselves to the risk of tape loss. If you’re worried about tape loss, the next solution to consider is tape encryption. So what are your design options for implementing tape encryption? Here are four competing tape encryption design approaches to consider.

Backup software encryption: This is usually performed on the backup client but some vendors can encrypt on the media server as well. Most backup software vendors have a software option for encryption.

SAN appliance based encryption: A device that resides in the data path between the backup server and the tape drive. The device intercepts the data stream and encrypts it on its way to the tape drive.

Tape drive hardware encryption: Some tape drives offer optional hardware encryption of data as it is written to tape. Hardware encryption requires software to support the encryption management function.

SAN network encryption: SAN port traffic is rerouted through the encryption engine within the SAN switch with no rewiring of the SAN. Encryption is implemented as a port-by-port service, as opposed to the SAN appliance solution described above.

With all these solutions, key management is an important consideration. Remember that key management will inevitably add to the recovery process, which is managed by your backup team on a daily basis as well as in a DR situation. Be sure to include the operational cost of encryption and key management in your recovery overhead.

- James Brissenden, GlassHouse Senior Consultant, Storage and Data Protection

3 Comments »

  1. Tape encryption and/or alternate ways of backing up data like deduplication and disk-based methods are fine, but completely eliminating tape is just not doable from a financial standpoint for most businesses. It’s just too expensive, especially if your entire system is already set up to back up data using tape drives.

  2. security encryption…

    I can’t believe I missed this! I’m going to have to do some more reading, methinks….

  3. Joe, I agree. It’s a rare thing to see a company go tapeless. I’ve seen it implemented as departmental initiatives or for branch offices. In some sectors like large Financials or Federal, budgeting for a tapeless solution can look very different from the rest of the public sector though.

    Another alternative to the daily manual offsiting of tapes would be cross-site backup. Automatic tape offsiting would obviously require a few things like at least two datacenters at sufficient distance, connected by large pipes, with duplicate equipment (libraries, tapes, drives…). I’ve seen this solution to the offsiting problem work really well. As the financials of tapeless solutions change, and regulations like HIPAA or the California Security Breach Information Act (aka CA SB 1386) become more stringent, tapeless solutions should get more consideration. In the meantime, backup to tape, and the risk of tape loss and breach of sensitive information, will prevail.

    Stay tuned. I have another blog coming soon that discusses encryption key management. Thanks for your input.

    -James
