Backup tapes can't be neglected
These incidents drive home the need for more effective storage security practices, especially as it relates to backup tapes that leave or reside outside corporate data centers.
The heightened scrutiny and concern over corporate losses of consumer data stems from a dramatic rise in consumer identity theft. Between 2002 and 2004, the number of reported cases of identity theft rose by 52 percent, according to recent findings. Online security breaches, server attacks, and theft or loss of computers or media with sensitive data have been some of the ways that personal and corporate information end up in the wrong hands.
Unencrypted backup tapes stand out as an unaddressed vulnerability for many companies. Today, a single backup tape can easily hold millions of records; a single lost tape can compromise more personal information than many of this year's online break-ins.
While encryption seems like an obvious step, many storage professionals point out that the time, effort and costs required to encrypt backup tapes is not worthwhile. Fear about the inability to recover encrypted data due to a loss of encryption keys or the loss of the decryption engine also drives a lack of action.
The deployment of any type of data security measures will require additional management effort and IT resources. However, if you accept the need to secure backup data sent offsite, then the dialogue changes from one that compares the cost of security to the status quo, to one that evaluates and adjusts current processes in order to improve the security of offsite backup data. Encryption plays an important role in storage security, and a vital one with removable media such as backup tapes.
The decision to encrypt data on removable media sent offsite is only the first step to more effective storage security practices. Evaluating and preparing your backup environment for the use of encryption will be the longest and most important part of the process.
There are two approaches to encryption: using a hardware device in the network or within a tape library, and using software installed on a client or server. The best approach for you depends on your unique needs. Here are some important factors to consider when evaluating an encryption engine for your backup environment.
Scalability: How much data can the hardware device or server with software encrypt before performance degrades or you need another device?
Performance: How long does the encryption process take? Does the encryption process utilize processing cycles on the server?
Availability: What can you do if the encryption engine fails during a backup or restore? Can you locate the encryption engine at a disaster recovery site?
Key management: Should you use the same encryption keys across your environment and at different sites? How frequently should you change these keys? Where are the keys stored -- on the client, on a server, or in the device? Will they still be available five or 10 years from now?
Management: Can you identify which data you have encrypted within your backup environment using existing tools?
Cost: How much will you spend on the encryption engine? What resources will you use to deploy, test and maintain the encryption engine in the data center(s)?
As you evaluate the right approach for your company, balance the trade-offs between simple process changes and added costs and complexity. Starting this process now will help you put a short-term goal -- encrypting offsite backup tapes -- in the context of a larger goal -- running a backup environment designed for security and availability.
Peter Elliman is data protection product marketing manager at Symantec Corporation.