Encryption is an increasingly important set of technologies that enables customers to safeguard private data in computers, across public or private networks, or in other machine-readable forms.
There is much more data at risk of being compromised than ever before. This, in conjunction with the increasing cost of a data breach, measured in both “hard” dollar terms like legal settlements, and “soft” costs such as loss of customer loyalty, makes the intelligent use of encryption and other data-protection technologies increasingly necessary for organizations of all sizes.
For the small- and medium-sized market, the ideal data encryption approach would be both affordable and easily integrated into a comprehensive data backup and business systems continuity solution. It would include powerful, standards-based encryption, and offer a robust key management function.
Imagine a bank with 20,000 customers, most with multiple accounts and bank cards. Every night, the bank makes a complete tape backup of its core information servers. The tapes are then placed in a storage box. Sometime during the day, a van driver from the tape storage firm drops off an older set of tapes (no longer needed), and picks up the box of new tapes.
Any such practice could lead to tapes being mislaid or stolen from loading docks, being accidentally dropped off at the wrong sites, or being lost or stolen from the delivery van, among other things. Once the tapes are in the wrong hands, unencrypted data is easily compromised.
Fortunately, encryption functionality can be easily integrated into an organization's backup processes, protecting all data on the company's servers and backup devices, and all data taken off site for archiving.
Keys and key management
A key is a piece of information, or parameter, that controls the operation of a cryptographic algorithm. Modern encryption algorithms typically use either symmetric or asymmetric keys. Asymmetric key encryption uses a pair of keys, called a public key and a private key, and is best suited for protecting data that has a wide audience -- such as web sites with secure access established for many users.
Symmetric key methods use the same key for both encryption and decryption. Symmetric keys are excellent for use with devices and appliances in which the need to share keys is very limited. This is typically the case with data backup devices, for which one specifically does not need to allow many parties access to the key.
If you lose your house key, a locksmith can pick the lock mechanically and help you regain access. If you lock your keys in the car, there are many specialized tools that can help you open the door. But any encryption method that allowed this kind of “alternative access” in the event of a lost key would be fatally insecure. These days, most encrypted data is essentially indecipherable to thieves and completely lost to the owner in the absence of the necessary key for decryption. This puts enormous pressure on the owner to not forget the key. It's important to pick a “strong” key, often many, many characters long, which makes it harder to guess, but also harder to remember. And writing the key down brings its own obvious security risks.
Data encryption can be incorporated into your workflow in a variety of different ways, each with its own advantages and disadvantages. When implementing data encryption on a network, there are four basic ways to approach the process:
File system encryption on a server. File system encryption is probably the easiest to implement. But this type of encryption places very heavy CPU demand on the server, which often makes it impractical for a busy Exchange or SQL server because of the computing power required.
Additionally, server file system encryption doesn't allow for centralized management — rather, it must be implemented on a per-server basis, and managed only with respect to that system. And in a multiple-OS environment, this kind of file system-based encryption may not be available for each OS used.
In-line encryption. In-line encryption is typically performed by a dedicated hardware “appliance,” and is fairly simple to implement. The appliance normally has two network connections, with plain text coming in through the network, and cipher (encrypted) text coming out of the device. Encryption appliances can protect all the data that's in line to be saved on backup media. And the servers and backup devices can operate at their own speed, as if there were no encryption being performed.
But this encryption methodology is a poor choice for some firms. In-line devices require lightning-speed hardware to operate, pushing the typical cost up. And in the event of a real disaster, a new unit must be procured before any file or system restoration can occur.
Backup media encryption. The most commonly used type of encryption takes place on the backup media — either on the server driving the tape backup device (for example, the media server in a Veritas environment), or on the tape drive itself.
When implemented on the tape server, encryption can dramatically reduce the performance of the backup system, since a large portion of the server's CPU resources is diverted to perform the encryption. Using a tape drive that provides its own encryption processing can reduce the overall load on the tape server. These drives are expensive, however, and require that all tape units be of the same model or family to achieve full encryption.
Backup device encryption. The key difference between backup device encryption and backup media encryption is the location at which the encryption is performed. Encryption at the backup device level provides much stronger overall data security. This is true because the data can be encrypted once (at the device), and remain encrypted regardless of its location at any future time.
If data is encrypted as it arrives at the device, then the data stored on the backup device for local rapid recovery is also protected from inside attacks. This approach avoids the performance degradation associated with file system encryption, and also removes the complexity of applying encryption tools across multiple operating systems.
Planning a successful implementation
There are six keys to implementing an encryption capability within your overall data protection and disaster recovery strategy. These represent the true “critical success factors.” Get these six correct and you'll have a very high probability of success.
1. Maintain universal data recovery. Wherever the encrypted data resides (local backup device, remote data center, offline media, or archive media), you must be able to reliably reverse the process and produce unencrypted data.
2. Select a single approach for all your sensitive data. Be sure to pick an approach that allows you to implement encryption once, and protect all your sensitive data through a single, integrated capability.
3. Minimize resource impact. Encryption can come at a price. Be sure yours is acceptably small. Be sure the CPU load from the encryption process is sufficiently “lightweight” to avoid a material decay in the rate at which your systems process their normal work. Save network bandwidth by compressing data before transmission, and by sending only changed blocks of data. Choose a simple, powerful, and intuitive user interface.
4. Prevent unauthorized access to data. Data should be encrypted so that a “clear text” copy may be reproduced only after proper authentication has been provided.
5. Have a key management strategy. You should choose a solution with powerful key management capabilities, making it easy to change keys frequently, recover old files for which the original keys may have been lost, and otherwise strike a balance between safety and accessibility.
6. Test in advance. You must prove that your solution can both encrypt (and store encrypted data in all locations) and successfully create clear text from any encrypted sources.
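The restore test described in points 1, 5 and 6 can be scripted as a recurring drill. The sketch below is an added example, not code from the article or from any backup product: it tries to restore every copy in every location, looks up each copy's key by ID, and compares the recovered data with a digest recorded at backup time. The function names, key IDs and location labels are hypothetical, and the HMAC-SHA256 keystream is a standard-library stand-in for the product's real cipher (such as AES), not something to use in production.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # Keystream from HMAC-SHA256 in counter mode: stdlib stand-in cipher, not for production.
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, clear):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(clear, _stream(key, nonce, len(clear))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or damaged copy")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def restore_drill(copies, keystore, manifest):
    """Attempt a restore of every copy; return {(location, backup_id): status}."""
    report = {}
    for c in copies:
        key = keystore.get(c["key_id"])
        if key is None:
            status = "KEY MISSING"  # without the key this copy cannot be restored
        else:
            try:
                digest = hashlib.sha256(unseal(key, c["blob"])).hexdigest()
                status = "OK" if digest == manifest.get(c["backup_id"]) else "DIGEST MISMATCH"
            except ValueError:
                status = "DECRYPT FAILED"
        report[(c["location"], c["backup_id"])] = status
    return report

def demo():
    # Constructed sample: one nightly backup held in the four places listed in point 1.
    data = b"acct=1001;card=XXXX-0001\n" * 200
    k_old, k_new = os.urandom(32), os.urandom(32)
    manifest = {"nightly-01": hashlib.sha256(data).hexdigest()}
    good = seal(k_new, data)
    damaged = good[:40] + bytes([good[40] ^ 0xFF]) + good[41:]  # simulate a media error
    rows = [("local device", "k-new", seal(k_new, data)),
            ("remote data center", "k-new", seal(k_new, data)),
            ("offline media", "k-new", damaged),
            ("archive media", "k-old", seal(k_old, data))]
    copies = [{"location": l, "backup_id": "nightly-01", "key_id": k, "blob": b} for l, k, b in rows]
    return restore_drill(copies, {"k-new": k_new}, manifest)  # k-old was rotated out and not kept

if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

In the constructed run, the archive copy reports KEY MISSING because the retired key was not retained, which is the failure a key management strategy has to prevent.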
Historically, the cost and difficulty associated with implementing encryption to augment a firm's data security was simply too daunting, especially for small- to medium-sized enterprises. But now solutions exist that bring enterprise-class encryption technology to businesses of all sizes.