IBM and Sun Microsystems have simultaneously introduced drive-level
encryption options for their high-end tape
drives. Both provide hardware-based encryption and come with key
management systems that work with mainframes and open systems.
The advantage of hardware-based encryption at the drive level,
as opposed to software-based encryption or third-party appliances,
is the ordering: the drive encrypts the data after it has been
compressed and just before it is written to tape. Encrypted data
looks random and will not compress, so encrypting earlier in the
path, on the backup server or in an in-line appliance, costs the
compression ratio the drive would otherwise deliver. Hardware-based
encryption in general also has a lower performance impact on the
backup server than software-based products; both companies are
claiming around a 1% performance impact.
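The ordering point is easy to verify with a few lines of code. The following is an added example, not code from the article or from either vendor; it uses a toy SHA-256 counter-mode keystream as a stand-in for the drive's AES so it runs on the Python standard library alone, and the backup stream, key and nonce are constructed for the demo. It writes the same payload both ways and reports how many bytes would land on tape.

```python
import hashlib
import zlib

# Constructed sample backup stream: repetitive log lines, which compress well
# the way real backup data usually does.
SAMPLE_BACKUP = (
    b"2006-09-12 02:00:01 backup host=db01 job=nightly status=OK bytes=104857600\n"
    * 400
)

# Fixed demo key and nonce so the run is repeatable (a real drive gets its
# data key from the key manager; these are assumptions for the example).
DEMO_KEY = bytes(range(32))
DEMO_NONCE = b"tape-cartridge-0001"


def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode as the keystream generator.

    Stand-in for the drive's AES so the example needs no third-party library;
    it is for illustration only, not for protecting real data. XOR is its own
    inverse, so the same call decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def compress_then_encrypt(key, nonce, data):
    """What the drive does: squeeze the redundancy out first, then encrypt."""
    return keystream_encrypt(key, nonce, zlib.compress(data, 9))


def encrypt_then_compress(key, nonce, data):
    """The wrong order: ciphertext is incompressible, so nothing is gained."""
    return zlib.compress(keystream_encrypt(key, nonce, data), 9)


def restore(key, nonce, blob):
    """Undo compress_then_encrypt: decrypt, then decompress."""
    return zlib.decompress(keystream_encrypt(key, nonce, blob))


def compare_orders(data=SAMPLE_BACKUP, key=DEMO_KEY, nonce=DEMO_NONCE):
    """Return the byte count each ordering would write to tape."""
    return {
        "raw": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(key, nonce, data)),
        "encrypt_then_compress": len(encrypt_then_compress(key, nonce, data)),
    }


if __name__ == "__main__":
    print(compare_orders())
    blob = compress_then_encrypt(DEMO_KEY, DEMO_NONCE, SAMPLE_BACKUP)
    print("round trip ok:", restore(DEMO_KEY, DEMO_NONCE, blob) == SAMPLE_BACKUP)
```

Run it and the compress-then-encrypt figure comes out a small fraction of the raw size, while encrypt-then-compress comes out slightly larger than the raw data: the deflate container overhead is all that is added, and no redundancy is removed. That is the whole argument for putting the encryption engine after the compression engine in the drive.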
However, both systems, the IBM T1120 and the Sun T10000, which
is being marketed as part of its Titanium 10,000 product line, are
pricey. The T1120 drive has a list price of $35,500. The IBM
Enterprise Key Management (EKM) system, a Java application that can
run on commodity hardware, will be included in future IBM products
free of charge, but adding the encryption option to an existing
T1120 drive will cost $5,000 each.
The Sun StorageTek Crypto Ready T10000 tape drive starts at $37,000
-- adding the encryption option to an existing T10000 tape drive is
priced at $5,000 per drive. The StorageTek Key Management System
(KMS), an instance of Secure Solaris running on an UltraSparc
server, plus implementation services, will carry a price tag of
$45,000 when it ships sometime in the next 45 days. By comparison,
encryption appliances offered by vendors like Decru Inc. (now owned
by Network Appliance Inc.) and NeoScale Systems Inc. cost $25,000 or
more per appliance.
"I think these systems are pretty accurately priced for the
environments they run in," said W. Curtis Preston, backup analyst
with Glasshouse Technologies. Generally, these proprietary tape
systems are designed for large shops that usually use mainframes
and often require up to a 90% duty cycle for a tape drive, Preston
said.
Meanwhile, the LTO Consortium is promising that the next
generation of the more widely used Linear Tape-Open (LTO) format,
due out later this year, will also include native encryption.
Digital linear tape's (DLT) newest format, DLTSage, released in
January, also includes security features, although they are not as
complete as those of the new tape drives or the hardware
appliances.
Still, it's unclear, despite vendor hype, how many users can
afford to or wish to unite storage and security more closely. IBM
said it surpassed its end-of-year sales goals for the T1120 even
before its official announcement this week but declined to say what
its goals were, either in terms of numbers or users. IBM also
declined to name any users of the new product, despite requests
from the press on a conference call Tuesday.
"I really don't see too many users asking me, 'when is this
going to be available?' " when it comes to security, Preston
said.
New regulations in certain industries are driving some new
adoption of encryption, like a new Department of Defense regulation
drawn up in response to the loss of a laptop containing sensitive
information on veterans from a Department of Veterans Affairs'
clinic last June. According to Mark Stewart, backup and recovery
storage administrator at Randolph Air Force Base in Texas, that new
regulation lit a fire under his organisation to explore encryption
for his backups, but he will probably not opt for tape drive-level
encryption.
"I absolutely love the idea of hardware encryption at the tape
device," Stewart said, adding that he had "fallen in love" with the
DLTSage product in particular. "[But] my leadership cannot afford
to give me the steamer-trunks full of cash that would be needed to
replace my current tape library, tape drives and media." Instead,
Stewart said, he's going with a third-party encryption
appliance.
Even if the target market for the first tape drive encryption
products is small, analysts point out that this is probably the
first phase of encryption as a standard feature within tape backup
products -- and, eventually, disk products, which IBM has already
hinted will be its next step.
"Encryption at the tape drive level is the cleanest, most
efficient approach," said Bob Abraham, analyst with Freeman
Reports. "Someday, I think you'll see it as a very common
capability, like compression, that's included in all systems -- and
it's unlikely users will deliberately disable the process."
The key differentiator: Key management
If and when encryption becomes ubiquitous, analysts emphasised,
the most important differentiator between products will not be the
process of encryption itself but key management.
So far, the most advanced of the tape drive encryption products
is the IBM T1120, which uses public-key cryptography on top of the
symmetric key that encrypts the data, a combination that IBM said
allows the safe sharing of data between business partners. In IBM's
scheme the data on the cartridge is encrypted with a symmetric data
key; that data key is in turn encrypted (wrapped) with the
recipient's public key, and the wrapped key travels with the
cartridge. The public key can be given to anyone, but only the
holder of the matching private key, which stays in the key manager
and never goes on the tape, can unwrap the data key and read the
data. Sun's T10000 uses a symmetric key only, so the first time
users send a tape to a trusted partner the key itself would also
have to be transported, which some analysts say could compromise
security.
Also, tape drive vendors still lack at least one key management
feature already included in the third-party appliances: quorum
management of a global key, the key that unlocks the entire key
management system. If just one global key is issued, it presents a
twofold security hazard, according to Preston: one, it can more
easily fall into the wrong hands, and two, in a disaster situation
it can too easily be lost or destroyed. Decru's box in particular
allows the global key to be split among a quorum of designated
administrators, requiring a minimum number of them to be present to
unlock the appliance during disaster recovery.
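The quorum mechanism Preston describes is, in cryptographic terms, threshold secret sharing: the global key is split into n shares so that any k of them reconstruct it and any fewer reveal nothing. The following is an added example of one standard way to do that, Shamir's scheme over a prime field, written for this page; it is not Decru's implementation or any vendor's code, and the key, threshold and custodian count are assumptions for the demo. It shows both the happy path, three of five custodians present, and the failure mode, two of five, which yields garbage rather than the key.

```python
import secrets

# Field for the arithmetic: the Mersenne prime 2**521 - 1, large enough that a
# 256-bit key is an element of the field. Any prime larger than the key works.
PRIME = 2**521 - 1


def split_key(key: bytes, threshold: int, share_count: int):
    """Split a global key into share_count shares; any threshold of them suffice.

    Each custodian receives one (x, y) pair. Fewer than threshold pairs reveal
    nothing about the key, because the polynomial's other coefficients are
    chosen uniformly at random.
    """
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coefficients = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def evaluate(x: int) -> int:
        acc = 0
        for c in reversed(coefficients):  # Horner's rule, mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, evaluate(x)) for x in range(1, share_count + 1)]


def recover_key(shares, key_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x=0 to get the key back.

    Below the threshold the interpolation still produces a number, but a
    random field element, so a length check is the minimum sanity check; a
    real key manager also verifies the recovered key against a known value.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shares")
    secret = 0
    for xi, yi in shares:
        numerator = denominator = 1
        for xj in xs:
            if xj != xi:
                numerator = numerator * (-xj) % PRIME
                denominator = denominator * (xi - xj) % PRIME
        secret = (secret + yi * numerator * pow(denominator, -1, PRIME)) % PRIME
    if secret >= 256 ** key_len:
        raise ValueError("reconstruction failed: below quorum or corrupted share")
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    # Assumed setup: a 256-bit global key, five custodians, three needed.
    global_key = secrets.token_bytes(32)
    shares = split_key(global_key, threshold=3, share_count=5)
    print("3 of 5 present:", recover_key([shares[0], shares[2], shares[4]], 32) == global_key)
    try:
        recover_key(shares[:2], 32)
    except ValueError as err:
        print("2 of 5 present:", err)
```

The design addresses both of Preston's hazards at once: no single custodian holds anything that unlocks the system, and losing any two shares (a fire, a departed administrator) still leaves enough to recover. The shares must be stored separately and the threshold chosen so that the people who can assemble it are the ones you would want in the room during a disaster.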
"If you're evaluating security products, key management is the
number one thing," Preston said. "And the No. 1 thing there is how
easy it is to lose the key or give it to the wrong person."
Bob Venable, manager of enterprise systems at Blue Cross Blue
Shield in Tennessee, said there's considerable thought and planning
required around key management before encrypting tapes, and Blue
Cross -- an IBM shop -- plans to use the new tape encryption
product from IBM when it becomes available. But for regulatory
purposes, he noted, "encrypted tapes are a huge relief, both
pragmatically, as well as politically."