Data security is a critical
problem for large and small businesses alike. Corporations are
obligated to protect their sensitive information (and the
personally identifiable information of their individual clients)
against theft and loss. Better security controls, carefully
regulated tape storage, and improved authentication and rights
management have greatly reduced the incidence of data security
breaches.
However, you needn't look hard to find highly publicized
examples of lost tapes and hacked files, which led to expensive
legal problems. Encryption is one means of protecting data against
any loss -- even if a tape is lost or a server is hacked, sensitive
data cannot be read.
Encryption can also help to meet growing
regulatory requirements for data protection.
But encryption strategies differ by organization. When
selecting an encryption scheme, companies should consider several
factors: the point where encryption takes place, the amount of data
being protected, key management processes and the
corresponding effect on performance and cost.
This Buying Guide covers the major factors involved in
evaluating encryption products. Each chapter in the guide will
offer a set of buying points and product specifications that can
help readers identify prospective new encryption products in tape
drives, software and dedicated appliances. The first thing to do is
to identify the main concerns related to encryption.
Determine exactly which data needs to be encrypted. Not
all data needs to be encrypted -- only personally identifiable
information (names with birth dates and social security numbers),
or other sensitive information types delineated by industry
standards, government regulations or common business practices.
Reducing the encryption load can ease any impact on backup
performance or media utilization. IT should not make this decision
in a vacuum; each major department of the company should be
involved. A good time to discuss the need for encryption is when
setting retention policies for each file type.
Decide where to encrypt. Encryption can be
implemented through a specific application when data is actually
saved (such as Oracle), though that will only encrypt data for that
specific application. The broader form of "source" encryption takes
place at the backup server through backup software such as EMC
Corp.'s Legato, Symantec Corp.'s Veritas NetBackup or IBM's Tivoli
Storage Manager. Both types of "source" encryption can impair a
server's performance since encryption is CPU-intensive.
Data can also be encrypted by the storage device itself. For example,
LTO-4 tape drives incorporate 256-bit AES encryption in the drive
hardware. This removes most of the performance impact from backup
jobs and produces protected tapes that can be sent offsite.
Finally, data can be encrypted in-flight using a dedicated
security appliance such as Decru's DataFort, the StrongBox
TapeSentry from Crossroads Systems Inc. or the CryptoStor family
from NeoScale Systems Inc. While dedicated appliances can be more
expensive than software-only solutions, they typically offer
superior performance by encrypting/decrypting data at line speed --
imposing little (if any) performance penalty.
Determine the impact of encryption on compression. Compression works
by removing redundant elements of information from a data stream.
Encryption, however, randomizes the data stream and removes all
redundancy. If you implement encryption prior to compression, you'll
lose the compression feature in your drives or backup software. You
then need more media to complete the backup, or more time to transfer
it across the wire.
Increased media requirements will raise the cost and maintenance
burden of any backup processes. Reducing the amount of data that must
be encrypted (e.g., encrypting only selected data) can mitigate this
issue, but implementing encryption after the compression process can
also help.
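The ordering problem above can be measured directly. The following is an added example, not code from the guide or from any of the products it names: it compresses a constructed, highly redundant backup stream both ways and compares the bytes that would land on media. Because the standard library has no AES, the cipher is an illustrative SHA-256 counter-mode keystream that stands in for the drive's AES; what matters for the demonstration is only that its output is random-looking.

```python
import hashlib
import os
import zlib

# Constructed sample: a redundant "backup stream" of 2000 similar records.
SAMPLE = b"".join(b"record %05d,ACME Corp,ACTIVE\n" % i for i in range(2000))


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher: SHA-256 in counter mode, a stand-in for
    AES-256 (assumption: not the page's or any product's algorithm).
    XOR with the keystream both encrypts and decrypts. The ciphertext is
    indistinguishable from random bytes, so no redundancy survives."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_then_compress(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Wrong order: the compressor sees random bytes and cannot shrink them."""
    return zlib.compress(keystream_xor(key, nonce, data), 9)


def compress_then_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Right order: redundancy is removed first, then the result is encrypted."""
    return keystream_xor(key, nonce, zlib.compress(data, 9))


def media_bytes(key: bytes, nonce: bytes, data: bytes) -> tuple:
    """Bytes written to media for (encrypt-first, compress-first)."""
    return (len(encrypt_then_compress(key, nonce, data)),
            len(compress_then_encrypt(key, nonce, data)))


def roundtrip_ok(key: bytes, nonce: bytes, data: bytes) -> bool:
    """Confirm compress-then-encrypt still restores the original stream."""
    blob = compress_then_encrypt(key, nonce, data)
    return zlib.decompress(keystream_xor(key, nonce, blob)) == data


if __name__ == "__main__":
    k, n = os.urandom(32), os.urandom(16)
    print("original:", len(SAMPLE), "encrypt-first / compress-first:", media_bytes(k, n, SAMPLE))
```

The compress-first output is a small fraction of the input, while the encrypt-first output is no smaller than the plaintext, which is exactly the extra media the guide warns about.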
Encryption can affect performance. Encryption is a
mathematical process, and when implemented in software, can demand
significant processing power from the host server. This, in turn,
can affect performance. The penalty for software-based encryption
products can reach 40-50%, depending on the type of encryption and
the files being protected. (By comparison, a dedicated hardware
encryption box might impair performance by 10% or less.)
This performance hit means that encryption will take longer to
process backups or conduct remote data transfers, posing a dilemma
for storage administrators who already struggle with bloated backup
windows and WAN bandwidth limitations. Most storage professionals
resolve this quandary by encrypting only the most sensitive
data.
Weigh the implications of encryption key management. All
encryption requires the use of a unique "key," which seeds the
encryption algorithm. The key is also needed to decrypt the data
later on when files are read from tapes or disks; without it,
encrypted data is unreadable. Companies must impose strict controls
and policies (such as "key quorums") to ensure that the only folks
with access to the key are responsible storage professionals.