Friday, February 23, 2007

Encryption: we know we need it—so now what? Encrypting backed up data stored to tape or other mobile media

Anyone in IT who's read the headlines understands that encrypting data is moving from optional to obligatory, and anybody who's not thinking about it now should be. Stored data that can be moved off-site--sometimes referred to as data at rest--is the most vulnerable. Once data has been backed up, it has to be stored, and that job may be handed off to a third-party business that securely stores data off-site, such as Iron Mountain. Regardless of who handles long-term storage, this data may be stored for years. That's a long time for an organization's data to be left unattended, so this data needs to be encrypted.

The next step is to figure out how to evaluate available encryption solutions. A few criteria are pretty easily identified:
* Robust Security: It makes sense to implement the strongest encryption method from the array of available options. The strength of encryption depends on the algorithm used and on the key length, and AES-256 encryption is the gold standard. The Advanced Encryption Standard (AES) is approved by the National Institute of Standards and Technology (NIST) for use in protecting federal information. AES can be implemented with any of three key sizes: 128-bit, 192-bit, and 256-bit. The longer the key, the harder it is to break the encryption by trying keys; AES with a 256-bit key is, for practical purposes, unbreakable by brute force.
* Key Management: The hard part about encrypting data is not how to encrypt it--it's how to manage the keys. If you don't keep the keys safe, your encryption plan is ineffective. If you keep the keys too far out of reach, you can't decrypt your data, which renders your encryption plan impractical. So a complete key management application--one that helps you manage and protect data and keys while safely matching encrypted data with the right key--should be a requirement for any encryption system you're considering.
* Price: Most data centers have a limited budget and a full workload, so the selected encryption method needs to be affordable and simple to implement and manage, which limits administrative overhead and expense.

In addition, evaluate performance and any unique factors that a specific encryption solution might offer. With this framework, you can assess available encryption solutions.
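The key-matching problem described under Key Management, as an added example that is not code from this post or from any vendor named here: every encrypted record carries the ID of the AES-256 key that protects it, so a restore years later can fetch the right key, and a record that reaches the wrong key fails authentication instead of decrypting to garbage. Keyring, Seal, Open and gcmFor are assumed names, and the in-memory map stands in for a real key-management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Keyring maps a key ID to a 256-bit AES key; a stand-in for the key-management system.
type Keyring map[uint32][]byte
const hdrLen = 4 + 12 // 4-byte key ID followed by a 12-byte GCM nonce

func gcmFor(kr Keyring, keyID uint32) (cipher.AEAD, error) {
	key, ok := kr[keyID]
	if !ok || len(key) != 32 { // a 32-byte key selects AES-256
		return nil, errors.New("key id not in keyring as a 256-bit key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record and prepends key ID and nonce: the record carries what is
// needed to locate its key, never the key. The key ID is bound as additional data, so a
// header edited to name another key fails authentication instead of decrypting to garbage.
func Seal(kr Keyring, keyID uint32, record []byte) ([]byte, error) {
	gcm, err := gcmFor(kr, keyID)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr, keyID)
	if _, err := rand.Read(hdr[4:]); err != nil {
		return nil, err
	}
	return gcm.Seal(hdr, hdr[4:], record, hdr[:4]), nil
}

// Open reads the key ID from the header, fetches that key, then authenticates and decrypts.
func Open(kr Keyring, sealed []byte) ([]byte, error) {
	if len(sealed) < hdrLen {
		return nil, errors.New("record too short")
	}
	gcm, err := gcmFor(kr, binary.BigEndian.Uint32(sealed[:4]))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sealed[4:hdrLen], sealed[hdrLen:], sealed[:4])
}
```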
What are the Choices?

AES encryption for stored data can be implemented at several points in the data path as data moves from primary storage to a stored state:
* Just before the data is sent to the server running the backup software--for example, by a network encryption appliance.
* While the data is being processed by the backup software.
* After the data is formatted by the backup software and before it's sent to the library--again, by a network encryption appliance.
* At the library, where the data is written to tape or other portable media. (Tape drives do not yet provide encryption.)

Network Encryption Appliances:
Some sites encrypt data across the entire network using network encryption appliances, such as those from Decru and NeoScale. These appliances can also be dedicated to encrypting stored data. Appliances can encrypt data before or right after data is processed by the backup software.
Advantages:
* Robust Security: AES-256 encryption. This option provides encryption across the widest area, since it can also handle encrypting network traffic.
* Key Management: Supplies key management along with the hardware-based encryption.
* Performance: Uses fast hardware-based encryption that offloads the backup server from computation-intensive encryption processing, so that the server performance isn't affected; it also provides compression.
* Unique Factors: Certified at various levels against the Federal Information Processing Standard for cryptographic modules, FIPS 140-2.
Disadvantages:
* Price: Can be costly. This may be warranted for high-security sites, but for many, cost may be a barrier. They are also very costly to scale, and may be overkill given the incremental data growth that data centers typically manage.
* Ease of Implementation and Management: Appliances introduce another set of interfaces, limitations, and management complexities, and another support/service-level agreement, all on top of the existing management responsibilities for backup software and hardware. Cost is also increased by the appliance's use of data center space, which is particularly expensive in metropolitan areas.
* Possible security issue: If the appliance is used before the data is processed by the backup application, check how file data is stored. Some backup software applications leave file data in cleartext (unencrypted), which can leave the file names exposed--a possible risk.
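A coarse check for the cleartext exposure just described, added here as an example and not taken from this post or any product: it measures the byte entropy of a backup image and lists printable runs that look like file paths, which is what a catalog left in cleartext produces. Audit and SampleImage are assumed names, and the sample image is constructed, not real backup output.

```go
package main

import (
	"bytes"
	"math"
	"math/rand"
)

// Audit returns the image's Shannon entropy in bits per byte (AES output sits
// close to 8.0; text, headers and sparse data sit well below) and every printable
// run of at least minRun bytes containing a path separator: the cleartext file
// names that a partly encrypted backup format can expose.
func Audit(image []byte, minRun int) (float64, []string) {
	var counts [256]float64
	for _, c := range image {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := n / float64(len(image))
			h -= p * math.Log2(p)
		}
	}
	var paths []string
	start := -1
	for i := 0; i <= len(image); i++ {
		if i < len(image) && image[i] >= 0x20 && image[i] <= 0x7e {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minRun && bytes.ContainsAny(image[start:i], `/\`) {
			paths = append(paths, string(image[start:i]))
		}
		start = -1
	}
	return h, paths
}

// SampleImage is a constructed stand-in for a tape image: 4 KiB of seeded
// pseudo-random bytes playing the encrypted payload, followed by a catalog
// record that the backup format has left in cleartext. It is not real output.
func SampleImage() []byte {
	payload := make([]byte, 4096)
	rand.New(rand.NewSource(1)).Read(payload)
	catalog := []byte("\x00\x00FILE /finance/payroll-2007.xls 20070223\x00\x00")
	return append(payload, catalog...)
}
```

Run against a real image, a low entropy figure or any reported path is the signal to go back to the vendor and ask exactly which parts of the format are encrypted.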
Encryption through Backup Software
Backup software can also encrypt data as it's backed up.

Advantages:
* Price: It's easy to scale software by simply purchasing additional licenses. Support for the encryption module may cost extra, but no additional vendor contract is necessary.
* Ease of Implementation and Management: You've already got backup software, you're already using it, and you can keep on using it when you use it to encrypt data. An additional encryption-specific module may be added, but you won't have to learn new interfaces.