Encryption: we know we need it--so now what? Encrypting backed up data stored to tape or other mobile media.


Anyone in IT who's read the headlines understands that encrypting data is moving from optional to obligatory, and anybody who's not thinking about it now should be. Stored data that can be moved off-site--sometimes referred to as data at rest--is the most vulnerable. Once data has been backed up, it has to be stored, and that job may be handed off to a third-party business that securely stores data off-site, such as Iron Mountain. Regardless of who handles long-term storage, this data may be stored for years. That's a long time for an organization's data to be left unattended, so this data needs to be encrypted.

The next step is to figure out how to evaluate available encryption solutions. A few criteria are pretty easily identified:

* Robust Security: It makes sense to implement the strongest encryption method from the array of available options. The strength of encryption depends on the algorithm used, and AES-256 encryption is the gold standard. The Advanced Encryption Standard (AES) is approved by the National Institute of Standards and Technology (NIST) for use in protecting federal information. AES can be implemented with any of three key sizes: 128-bit, 192-bit, and 256-bit. The longer the key, the harder it is to break the encryption; so AES with a 256-bit key length renders the algorithm unbreakable.

* Key Management: The hard part about encrypting data is not how to encrypt it--it's how to manage it. If you don't keep the keys safe, your encryption plan is ineffective. If you keep the keys too far out of reach, you can't decrypt your data, which renders your encryption plan impractical. So a complete key management application--one that helps you manage and protect data and keys, while helping you safely match encrypted data with the right key--should be a requirement for any encryption system you're considering.

* Price: Most data centers have a limited budget and a maximized workload, so the selected encryption method needs to be affordable and simple to implement and manage, which limits administrative overhead and expense.

In addition, evaluate performance and any unique factors that a specific encryption solution might offer. With this framework, you can assess available encryption solutions.

What are the Choices?

AES encryption for stored data can be implemented at several locations in the data path as data moves from primary storage to a stored state:

* Just before data is sent to the server running backup software--for example, by a network encryption appliance.

* While the data is being processed by the backup software.

* After the data is formatted by the backup software, a network encryption appliance can encrypt data before it's sent to the library.

* The library, where the data is written to tape or other portable media. (Tape drives do not yet provide encryption.)

Network Encryption Appliances

Some sites encrypt data across the entire network using network encryption appliances, such as those from Decru and NeoScale. These appliances can also be dedicated to encrypting stored data. Appliances can encrypt data before or right after data is processed by the backup software.

Advantages

* Robust Security: AES-256 encryption. This option provides encryption across the widest area, since it can also handle encrypting network traffic.

* Key Management: Supplies key management along with the hardware-based encryption.

* Performance: Uses fast hardware-based encryption that offloads the backup server from computation-intensive encryption processing, so that server performance isn't affected; it also provides compression.

* Unique Factors: Certified at various levels under the Federal Information Processing Standards (FIPS) that specify data security--specifically, FIPS 140-2.

Disadvantages

* Price: Can be costly. This may be warranted for high-security sites, but for many, cost may be a barrier. They are also very costly to scale, and may be overkill given the incremental data growth that data centers typically manage.

* Ease of Implementation and Management: Introducing another set of interfaces, limitations, management complexities, and another support/service-level agreement. These are added to management responsibilities for backup software and hardware. Cost is also increased by the appliance's use of data center space, which is particularly expensive in metropolitan areas.

* Possible security issue: If the appliance is used before the data is processed by the backup application, check how file data is stored. Some backup software applications leave file data in cleartext (un-encrypted), which can leave the file names exposed--a possible risk.

Encryption through Backup Software

Backup software can also encrypt data as it's backed up.

Advantages:

* Price: It's easy to scale software by simply purchasing additional licenses. Also, support for the encryption module may be more expensive, but no additional vendor contract is necessary.

* Ease of Implementation and Management: You've already got backup software, you're already using it, and you can keep on using it when you use it to encrypt data. An additional encryption-specific module may be added, but you won't have to learn new interfaces.

* Unique Factor: For stored data, this method has been around for the longest time.

Disadvantages:

* Robust security: Not all software packages supply strong encryption--some use older encryption algorithms, such as DES or Triple-DES. Further, backup applications that encrypt with AES may not support 256-bit keys. Key security may also be a risk: some applications store keys in cleartext, and backup software in general may not store keys securely.

* Performance: Software encryption is extremely CPU-intensive and may limit throughput unacceptably. Also, check the availability of compression: backup software may not compress data prior to encrypting it, and because encrypted output is effectively incompressible, encrypting backed up data without compressing it first means that you use a lot more media. Decrypting data is just as CPU-intensive as encrypting it, so software-based decryption may not perform acceptably either.

* Key Management: Depending on the software, very little support is available for key management. IT staffs are left to develop their own procedures for creating, saving, storing, and expiring encryption keys--as well as transporting them.
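Three points from the article can be seen together in one worked example: the key management criterion (keep data keys safe, and always be able to match encrypted data with the right key), the warning that compression has to happen before encryption, and the check for file names left readable on the medium. The Go program below is an added illustration written for this page; it is not code from the article, from Spectra Logic, or from any backup product named here. The container layout, the in-memory KeyStore, the key-ID header and the sample backup stream are all constructed assumptions: each backup gets its own AES-256-GCM data key, that key is stored only wrapped under a key-encryption key and filed under a key ID that travels with the ciphertext, and the payload is gzip-compressed before it is encrypted.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Constructed sample backup stream: a file path followed by repetitive content.
var sampleBackup = append([]byte("path=/finance/payroll-2006.xls\n"),
	bytes.Repeat([]byte("employee,salary,bonus\n"), 200)...)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // an exhausted CSPRNG is not something to recover from
	}
	return b
}

// aead returns AES-GCM for key (a 32-byte key selects AES-256). Key lengths
// are fixed by construction here, so a wrong length is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block size
	return gcm
}

// seal encrypts under a fresh random nonce (prepended to the output); aad is
// authenticated but not encrypted. open reverses it and rejects any change.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...)
}

func open(key, data, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if ns := gcm.NonceSize(); len(data) >= ns {
		return gcm.Open(nil, data[:ns], data[ns:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// KeyStore is a stand-in (an assumption of this example) for the key
// management application the article asks for: a key-encryption key (KEK)
// plus, per key ID, a data key wrapped under it. No data key is stored in the clear.
type KeyStore struct {
	kek     []byte
	wrapped map[string][]byte
}

func NewKeyStore() *KeyStore {
	return &KeyStore{kek: randBytes(32), wrapped: map[string][]byte{}}
}

// NewDataKey makes a fresh AES-256 data key, wraps it under the KEK and files
// it under a random key ID that travels with the backup.
func (ks *KeyStore) NewDataKey() (id string, dek []byte) {
	id, dek = fmt.Sprintf("%x", randBytes(8)), randBytes(32)
	ks.wrapped[id] = seal(ks.kek, dek, []byte(id))
	return id, dek
}

// DataKey unwraps the key for id; a backup whose key ID the store does not
// know is unrecoverable, which is the failure key management exists to prevent.
func (ks *KeyStore) DataKey(id string) ([]byte, error) {
	if w, ok := ks.wrapped[id]; ok {
		return open(ks.kek, w, []byte(id))
	}
	return nil, fmt.Errorf("no data key for id %s", id)
}

// GzipBytes compresses in memory (writes to a bytes.Buffer do not fail).
func GzipBytes(b []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(b)
	zw.Close()
	return buf.Bytes()
}

// EncryptBackup compresses first (ciphertext does not compress), then encrypts
// under a new data key. Constructed container layout: 1-byte key-ID length,
// key ID, nonce, ciphertext+tag; the key-ID header is bound as AAD so it cannot be swapped.
func EncryptBackup(ks *KeyStore, payload []byte) []byte {
	id, dek := ks.NewDataKey()
	header := append([]byte{byte(len(id))}, id...)
	return append(header, seal(dek, GzipBytes(payload), header)...)
}

// DecryptBackup looks up the key named in the header, decrypts, decompresses.
func DecryptBackup(ks *KeyStore, c []byte) ([]byte, error) {
	if len(c) == 0 || len(c) < 1+int(c[0]) {
		return nil, fmt.Errorf("malformed container")
	}
	n := 1 + int(c[0])
	dek, err := ks.DataKey(string(c[1:n]))
	if err != nil {
		return nil, err
	}
	z, err := open(dek, c[n:], c[:n])
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(z))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}

func main() {
	c := EncryptBackup(NewKeyStore(), sampleBackup)
	fmt.Printf("payload %d B, gzip(payload) %d B, container %d B, gzip(container) %d B\n",
		len(sampleBackup), len(GzipBytes(sampleBackup)), len(c), len(GzipBytes(c)))
	// The media check from the article: is a file name readable on what goes to tape?
	fmt.Println("file name visible:", bytes.Contains(c, []byte("payroll-2006.xls")))
}
```

Running it prints the payload size, its gzip size, the container size and the size of the container after a second gzip pass: the repetitive payload shrinks by a large factor, while the container does not shrink at all, which is why compression must come before encryption. A KeyStore that never issued the container's key ID refuses to decrypt, and a container whose bytes have been altered is rejected by the GCM tag rather than decrypting to garbage; both outcomes are what the key-retention and integrity parts of a key management plan have to account for.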

Encryption through a Library

You can elect to encrypt data at the point of storage, either in a library or in its drives. Drive encryption is not currently available, however, and while disk can encrypt and serve as secondary storage, it typically can't be moved off-site.

Advantages:

* Robust Security: Library-based encryption implements AES-256.

* Performance: Excellent performance, since the encryption is hardware-based.

* Key Management: End-to-end key management software, completely integrated with the library's internal software.

* Ease of Implementation and Management: No extra point of management is added, with no new tools or interfaces to learn.

* Price: This solution is affordable, scales well, and requires no extra third-party vendor support contract. Library interfaces, which supply the encryption hardware, can be increased incrementally as additional performance is needed.

* Unique Factor: Assuming that tape drives will eventually handle encryption, the library will continue to supply key management software that also manages tape-drive based encryption keys and files. Also, unlike encryption through individual tape drives, libraries encrypt all backed up data.

Encryption Choice Analysis

The method you use to encrypt data depends on what you need. Table 1 lists a few requirements and encryption methods that may be best-suited to each.

After you've identified a method of encryption to use on your site, you still need to set up and manage encryption processes and keys. To do this effectively, examine the key management software you'll use with your encryption solution.

Matt Starr is CTO, Spectra Logic Corporation (Boulder, CO).

www.spectralogic.com
Requirement                                            Method                         Some Vendors

Encrypting a small amount of data for on-site or       Backup software encryption     CommVault, Veritas, EMC-Dantz (and more)
off-site storage

Encrypting all data, but can't afford to invest much   Backup software encryption     CommVault, Veritas, EMC-Dantz (and more)
                                                       Library                        Spectra Logic (Library with BlueScale Encryption)

Encrypting a lot of data to be sent off-site           Library                        Spectra Logic (Library with BlueScale Encryption)

Encrypting data at a high-security facility on the     Network encryption appliance   NeoScale, Decru
network or on disk

Table 1. Requirements and the encryption methods best suited to each.
COPYRIGHT 2006 West World Productions, Inc.

Article Details
Title Annotation:Advantages and disadvantages of data encryption
Author:Starr, Matt
Publication:Computer Technology Review
Date:Jan 1, 2006
Words:1281