The demise of magnetic tape has been predicted, and greatly exaggerated, for years. The reality is that tape remains a viable data storage medium for many applications and environments. While network and disk-to-disk backup and archive solutions continue to proliferate, there will remain, at least for the foreseeable future, some role for magnetic tape; it will be necessary for long-term data preservation and archiving to meet regulatory compliance or federal guidelines.
Hardly a week goes by without some news of a lost or stolen laptop computer, magnetic tape, disk or USB thumb drive, or a data security breach. No matter how few tapes are actually stolen, the perception is that tape data is being lost and measures must be taken to protect data in transport or storage.
While many advocate moving away from tape to disk-based backup, network-based backup or electronic vaulting for archive, without introducing some form of encryption and enhanced security they are simply moving the problem from one medium to another. As a channel professional there are many things you can do to help improve the security of data at rest and in transit for your clients. For example, work with your clients to introduce encryption of data at rest on disk and tape, and of data being transferred or removed from their premises.
Options for encrypting tape data include host-based software (applications, databases and third-party encryption tools), network-based encryption appliances, and tape library and tape-drive encryption. Where to implement encryption will depend on your and your clients' preferences (i.e. host software vs. appliance vs. drive-level encryption).
A benefit of host software encryption is that any data leaving a server, assuming the software is configured to do so, will be encrypted. The downside is that extra CPU cycles will be consumed to handle encryption activity. Appliance-based solutions, depending on implementation, could introduce extra latency. However, they also offload host processors from performing encryption and can be deployed where and how necessary on a tactical and strategic basis. Drive-based encryption offloads host processors and eliminates appliances, but concerns may be its impact on tape-drive performance and key management.
Central to any encryption and data security strategy is encryption key management. Various approaches to key management are being offered by vendors to address vendor lock-in concerns and interoperability. In addition to using different keys to encrypt various tapes and data, part of a security strategy involves controlling who has access to the tapes and keys. Given that tapes are still part of some organizations' disaster recovery and business continuance plans, key management must be part of a DR plan to facilitate timely data recovery.
An approach used by some involves listing or indicating which keys are required for which tapes. Note that this is not the actual key to unlock the data, but rather an indicator of which key to use, similar to a stamped indicator code you may find on your office or household key. If you have a tape and are authenticated and authorized to use the tape and have the keys, you know which key to use for which tape. A handy analogy is that of a key with a stamped code on it and a list of which locks are unlocked by that specific key on a key chain.
Many backup software vendors provide some form of encryption, as do third-party providers BitArmor, RSA (now EMC), PGP, GFI and Innovation (IDP), among others. Appliances are available from vendors including Decru (Network Appliance) and NeoScale, which also provides key management for other vendors. Tape drive and library encryption is offered, depending on specific models, by IBM, Sun and Spectra Logic, among others. Look for encryption solutions that work with open key management solutions, offer cross-vendor interoperability, and provide layers of protection and management granularity. Also look for vendors that have extensive partnerships with other technology providers so the solution can coexist with your client's current environment. Other items to consider include solution transparency, performance, reliability and certifications.
Some items to look at and consider with regard to tape encryption include:
- Tape media and drive agnosticism and interoperability;
- Ability to save and transport or replicate keys to a DR or alternative site;
- Assignable descriptors or monikers to identify which tapes require which key;
- Ability to assign different keys to separate tapes or groups of tapes;
- 128- and 256-bit Advanced Encryption Standard (AES) capabilities;
- Tamper-proof access and audit trail logs;
- Secure shredding of encrypted data;
- Flexible and easy to use key creation, assignment and escrow;
- Coexistence with other key management and encryption products;
- High-performance encryption to avoid bottlenecks.
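The key-indicator idea described above (a label on the tape that names which key to use, not the key itself) together with several items from the checklist (separate keys per tape, key escrow to a DR site, an audit trail, and secure shredding by destroying a key) can be sketched in a few dozen lines. The following is an added example, not code from the original article or from any vendor named in it. The tape barcodes, key IDs and site names are constructed; because the Python standard library has no AES, the cipher is an HMAC-SHA256 counter-mode keystream standing in for AES-256, and the key-management logic around it is the point.

```python
"""
Tape key-management sketch (added example, hypothetical identifiers):
tapes carry a key *identifier* (never the key), keys live in a separate
store that can be escrowed to a DR site, and 'secure shredding' is done
by destroying the key rather than the media.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, XORed over the data.
    Stand-in for AES-256, which the standard library does not provide."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class KeyStore:
    """Holds 256-bit keys indexed by a short key ID (the 'stamped code')."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self.audit: list[str] = []          # append-only trail of key operations

    def create_key(self, key_id: str) -> str:
        if key_id in self._keys:
            raise ValueError(f"key {key_id} already exists")
        self._keys[key_id] = secrets.token_bytes(32)   # 256-bit key
        self.audit.append(f"create {key_id}")
        return key_id

    def get(self, key_id: str) -> bytes:
        key = self._keys.get(key_id)
        if key is None:
            raise KeyError(f"no key {key_id}")
        self.audit.append(f"use {key_id}")
        return key

    def destroy(self, key_id: str) -> None:
        """Crypto-shredding: tapes written under key_id become unreadable here.
        A real shred must also destroy every escrowed copy of the key."""
        del self._keys[key_id]
        self.audit.append(f"destroy {key_id}")

    def escrow(self) -> "KeyStore":
        """Replica of the key material for a DR or alternate site."""
        copy = KeyStore()
        copy._keys = dict(self._keys)
        self.audit.append("escrow")
        return copy


@dataclass
class Tape:
    barcode: str
    key_id: str          # label in the tape header: which key, not the key
    nonce: bytes
    ciphertext: bytes


def write_tape(store: KeyStore, barcode: str, key_id: str, payload: bytes) -> Tape:
    nonce = secrets.token_bytes(16)
    return Tape(barcode, key_id, nonce, _keystream_xor(store.get(key_id), nonce, payload))


def read_tape(store: KeyStore, tape: Tape) -> bytes:
    """Looks the key up by the ID on the tape; KeyError if the key is gone."""
    return _keystream_xor(store.get(tape.key_id), tape.nonce, tape.ciphertext)


def demo() -> dict:
    """Constructed scenario: two tapes, two keys, escrow, then shred one key."""
    primary = KeyStore()
    primary.create_key("K-2007-01")
    primary.create_key("K-2007-02")
    t1 = write_tape(primary, "TAPE0001", "K-2007-01", b"payroll export")
    t2 = write_tape(primary, "TAPE0002", "K-2007-02", b"quarterly ledger")
    dr_site = primary.escrow()                 # key copy travels separately from tapes
    primary.destroy("K-2007-01")               # shred at the primary site only
    results = {
        "label_is_not_key": t1.key_id == "K-2007-01" and t1.ciphertext != b"payroll export",
        "dr_can_read": read_tape(dr_site, t1) == b"payroll export",
        "primary_still_reads_t2": read_tape(primary, t2) == b"quarterly ledger",
        "audit": list(primary.audit),
    }
    try:
        read_tape(primary, t1)
        results["shredded"] = False
    except KeyError:
        results["shredded"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Note that in the scenario the escrowed copy at the DR site can still read TAPE0001 after the primary key is destroyed: that is exactly why escrow must be part of the DR plan, and also why a genuine shred has to reach every copy of the key.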
If your clients are currently not encrypting tapes, ask them why; if the reason is fear of losing encryption keys, then have a discussion about key management. If clients are not encrypting data because they think no data is at risk, ask if they know for sure what is on any given tape, including PCI-regulated payment card data, Social Security numbers or other sensitive data they are not aware of. Another common reason people may not encrypt their tapes or data is the perception that the tapes are safe in the hands of their own employees and that no outside services are involved in tape and data handling.
Whether or not you or your clients are moving away from magnetic tape to optical or magnetic disk-based storage for data storage and preservation, given the applicable threats, securing data has taken on new and visible importance. Look into encryption and key management solutions as a value-add service for your clients and make sure tapes are encrypted, especially if you do not know what is on the tape. In addition, look into encrypting data that is stored on disk drives, removable media, laptops and USB thumb drives, and data being sent over networks.
About the author: Greg Schulz is founder and senior analyst of the independent storage analyst firm the StorageIO Group and author of the book Resilient Storage Networks (Elsevier).
This was first published in February 2007