Encryption and off-site tape storage

Glasshouse Technologies (UK) consultant Brian Sakovitch says it makes more fiscal sense to encrypt tape than to eliminate tape. But encryption is not as easy as vendors would have you believe. There are cost implications, performance issues and administrative concerns.

By the end of 2007, a clear majority of businesses were willing to give away millions of pounds for nothing in return. The recent FSA million-pound fines for exposing customers to risk and outright hardware theft prove that the loss of personal data is a very real threat to any firm's public reputation. The widely accepted way of protecting any firm's public reputation is to render the data useless to the hands it falls into by encryption.

In the past few years, we've seen a rash of headlines made by large financial firms losing one backup tape. . .or a batch of them. Seeing how thousands of these tapes change hands on a daily basis, it really is only a matter of time before it happens again. Some notable financial firms have taken the drastic approach of eliminating tape from their backup environments altogether, but most companies don't have the resources to eliminate physical tape. The only fiscally logical option left is to encrypt outgoing data.

Sounds great! All the new vendors that provide ways to encrypt data make it sound like a snap. But the reality is that it takes a good deal of determination to get this type of technology implemented.

The cost implications are obvious. For example, tape drives that provide encryption cost about 10% more than their already expensive counterparts, and purchasing a whole new third-party encryption service and the accompanying server takes up that much more space in your datacentre.

A lot of worries also revolve around the effect on performance. Encryption at the backup server will shred that server's CPU, and encryption over the backup data stream puts that much more strain on an already secondary saturated network connection. Furthermore, with a VTL involved, encryption in front of that backup stream is going to negate any gains that are made through deduplication.

Even if everything is put into place, who's going to administer this new technology? Keeping track of encryption keys, monitoring your third-party encryption and dealing with data restores were difficult even before adding another layer of complexity. The list is endless. As it is, most storage and backup teams are short-staffed. Adding such a significant layer to the data protection suite requires training and more personnel cycles that may not exist.

Despite all the roadblocks, there really is no reason not to encrypt. Encryption has already entered the back end of the VTL space, and trading in old tape drives for newer encryption-ready devices cuts the initial costs and doesn't add any more kit to the floor. Some backup software offers encryption built-in, and outside of upgrading a few backup servers, there's not much more than some training involved in order to protect backup data. The UK Data Protection Act even has a loophole where personal data encrypted with asymmetric cryptography using a third party's key is not itself personal data.

Ultimately, cost drives most business decisions and businesses are left with a 'pick your poison' type of situation. There are technologies available that restrict the flow of venom, but with regulators becoming more and more powerful, there really is no 'good' excuse for dragging one's feet. Weigh those mighty budgetary concerns against the potential of essentially wasting millions, and the decision whether or not to encrypt is an easy one to make.

About the author: Brian Sakovitch is a senior consultant at Glasshouse Technologies (UK), a global provider of IT infrastructure services. Brian has followed a 6-year path in backup technologies ranging from hands-on installation and implementation, to design and theory. Three of those years have been with GlassHouse US, where he focused on predominantly backup-related engagements for companies of all sizes.

Read more on Data protection, backup and archiving