Since tape cartridges are most often exposed outside the physical security of the data center while in transit and in storage, they are most often the first point of attention for storage security projects.
Deploying encryption for any type of storage media requires consideration of how well the technology will be able to support a dynamic operations environment over time.
Until recently, options for deploying tape encryption have been limited to software-based applications, most typically integrated into backup applications, and in-line appliances that accelerate encryption processing with dedicated hardware.
Now, alternative solutions are coming to market that will provide more options with significantly reduced total cost of ownership (TCO).
These include SAN-based encryption solutions that deliver storage security as a service from within the fabric, and next-generation tape drives that integrate encryption processing technology.
While these technologies hold great promise for simplifying the process and reducing the cost of securing backup tapes, each approach offers its own set of pros and cons that users need to consider in advance to avoid unneeded hardships farther down the line.
Software-based encryption for tape storage is typically integrated into data protection (backup) applications deployed by an enterprise. There are two options for implementing encryption with these applications: client-based or server-based.
Client-based solutions involve implementing the encryption function in the backup client or agent in the individual applications servers (database, filers, etc.) before sending the data to backup media servers for storage on tape.
This is an affordable approach that allows encryption to be deployed only where absolutely required, but the identification and management of information requiring protection becomes complex and expensive. In addition, the computing overhead required to support encryption will have a strongly negative impact on the application server’s performance.
Server-based solutions for software-based encryption move the encryption function to the backup media servers that move backup data to tape.
This approach removes the burden of encryption from the client servers, but requires either more media servers to support the environment or the use of more powerful computing platforms to support the high-bandwidth requirements of encrypted backup data streams.
Thus, this solution tends to be become dramatically more expensive as the scope of the secure backup environment increases.
Compounding the performance impact of software-based encryption is the need to compress data prior to encryption, since the random data patterns of ciphertext no longer provide an effective basis for compression. While software can provide an affordable solution for limited requirements, larger organizations with multiple hosts or short backup windows will likely continue to find this an impractical solution.
In-line encryption appliances:
Encryption appliances offered by companies such as Decru and NeoScale provide transparent, high performance data compression and strong encryption processing for a small number of Fibre Channel links per appliance.
While these dedicated appliances have worked well as point solutions for limited deployments and departmental-level applications, inserting multiple appliances into the storage fabric can have a serious impact on SAN management, particularly with regard to zone configuration and LUN masking.
In addition, their low port counts require the deployment of multiple appliances for even modest sized environments, resulting in a linear rise in the cost of equipment, power, cooling, and rack space.
Furthermore, the management overhead and associated costs rise dramatically as the environment grows in order to sufficiently share and manage security policies, encryption keys and configurations among these devices.
This leaves organizations that maintain large volumes of sensitive data with the choice of applying security selectively or undertaking expensive and complex projects to integrate appliances that consume rack space and power. The use of native drive-based encryption to replace dedicated appliances as point solutions is a natural migration path over time.
Tape drive-based encryption: Native tape-drive based encryption has just begun to appear on the market. IBM and StorageTek offer products for the high-end half-inch cartridge drives, and emerging LTO-4 technology is also starting to become available from multiple tape drive vendors including IBM and HP.
The integration of encryption into the drive itself offers considerable savings in capital equipment costs and, in the long-term, promises to ease the security management burden compared to the deployment of dedicated encryption appliances.
In the near term, however, there are several challenges that users will want to consider before initiating a move to this new generation of tape drive technology.
1. The implementation of encryption is not entirely consistent or compatible across different vendors and models of tape drives, even for LTO-4 drives. Unless you are standardizing on a single vendor and model, check to ensure that encrypted tapes can be read across all models of drives that will be deployed.
2. The complete cost of migrating to new drives includes not just the initial capital investment in the drives themselves, but also encryption licensing fees, key management applications or appliances and replacement tape media. LTO-2 media, for example, is not write-compatible with LTO-4 equipment and LTO-3 media is only read/write compatible in cleartext form. To use the data encryption, legacy media will need to be replaced from the tape pool.
3. Ensure that libraries in use are compatible with the newer drives. Many currently deployed libraries do not support new encrypting tape drives.
4. Key management standards for encryption of data-at-rest are still in development for most vendors. Most key management mechanisms being deployed with initial encrypting tape drives are stopgap solutions that are difficult to support on an enterprise scale.
In addition, key management solutions from different tape manufacturers are not interoperable, making multi-vendor support impossible. Furthermore, there is no consistency in key management systems for tape and disk environments, preventing a coherent, enterprise-wide secure storage solution.
Fabric-based Storage Security Services: Fabric-based security for tape offers an alternative to other hardware-accelerated technologies. Solutions are currently available from CipherMax and Cisco has announced its intention to provide a fabric-based solution by the end of 2007.
By adding encryption into a highly integrated switching platform, SAN fabric-based security systems offer a very cost effective solution that provides high bandwidth and low power with minimal cooling and rack space requirements.
Because SAN fabric encryption is provided as part of infrastructure devices like fabric switches and directors, they provide the ability to implement widespread tape storage security.
This eliminates the need for labor-intensive identification and classification of confidential information stored throughout the enterprise. In this mode, SAN fabric-based solutions also load-balance encrypted traffic uniformly throughout the environment with minimal impact to servers and storage systems.
Alternatively, CipherMax systems support the ability to install and operate transparently to the network in "controller mode," similar to that of an inline appliance, to meet the needs of the user’s network.
Fabric-based storage security’s single-pane-of-glass management interface provides the additional benefit of facilitating a global configuration across multiple devices, dramatically lowering the overhead costs for managing enterprise-class secure storage environments.
By offering a single point of key management for heterogeneous tape as well as disk devices, this approach is expected to gain the most traction with enterprise environments that desire to maintain a heterogeneous mix of storage devices, or that require a bridging solution from their current tape drives and libraries to next generation technology with integrated encryption processing.
As options for storage security increase, the decision for where to deploy encryption becomes increasingly complex. While migration between encryption architectures is possible, it becomes increasingly challenging over time.
Before deploying a solution, it is critical to look three to five years out and consider how the system, including key management, will be able to adapt to inevitable changes in the environment.
Software-based encryption will provide an economical solution for users with very limited requirements and budget. In-line encryption appliances provide sophisticated key management, but as point solutions will soon be replaced by more cost-effective solutions. Drive-based encryption will become increasingly popular over time, as drives, libraries and tape media are migrated to the next generation of technology.
Finally, the option of integrating security services like encryption into the fabric offers unique benefits for certain types of implementations. Its SAN-aware intelligence and centralized administration with visibility across the storage network enable easy scaling of security services for larger organizations, and cost-effective consolidation of security services for tactical deployments.
Greg Farris is director of marketing at CipherMax
Weighing the options for securing back-up data
By Greg Farris, on Sep 10, 2007 3:03PM