Feeds

Unlock the secrets of data encryption

Be safe rather than sorry

Business security measures using SSL

Encrypting your backup data always sounds like a good idea. It protects data and appears to be cost-free. So what's not to like?

In practice, it isn't always a good idea, it doesn't always protect your data and it is not free. There is a time and a place to deploy encryption, but it needs planning and thought.

The walls have ears

Protecting data on the move is usually advisable because you can have no clear idea of who might be listening in. It does have a cost, however, as it needs computing power to process.

If you are encrypting data at the server before sending it, you may need to specify, for example, an eight-core rather than a four-core box if you want to minimise the encryption overhead and the effect it can have on the backup window. This is not a cheap option.

If you are certain that the data travels only over your corporate network, you might get away with encrypting only when the data arrives at its destination.

This can be cheaper as most tape drives and other backup data repositories will include encryption hardware, and it can help shorten the backup window by allowing data to flow at full wire speed.

Protecting data at rest is a different matter. As old as war itself, encryption scrambles data so it can't be read unless you possess the keys. And that is at the heart of the problem.

Five-year plan

Encrypting at the end-point – whether on tape or disk – offers a number of benefits, including security, a shorter backup window and no more hardware to buy.

It also means that the data can be deduplicated or compressed before it arrives (encryption's scrambling process renders deduping and compression pointless), although many prefer to rehydrate the data before storing it as an archive because this removes dependencies on proprietary technologies that might not be around in five years time.

However, encrypting early in the data path offers better protection and is more device-agnostic. It gives you control over both the type and strength of the encryption, and means you can back up encrypted data to disk drives now and archive to tape drives across the WAN later, for example.

You need to ensure that the keys will still be available

You also gain control over which data is encrypted, which reduces compute overheads. You might for example want to encrypt only sensitive data.

Major key

But the hidden gotcha is key management. If you are encrypting long-term data, then you need to ensure that the encryption keys will still be available to the correctly privileged individuals in five or ten years time, or maybe even more.

Key management means describing who has access to which keys; those that grant access to databases will be held by database administrators, for example.

Duties need to be allocated too, so access rights should be set up for storing, backing up, referencing and rotating keys. To add to the complexity, keys need to be rotated regularly, and different encryption technologies are mandated in different geographies.

It doesn't help that there are few standards to simplify matters, although KMIP, a standard ratified in October 2010 by the open standards body Oasis, is a step in the right direction.

So is tape or archive encryption good thing?

Yes, if it is properly managed and organised, but the costs can be higher than anticipated. It is not just about the amount of CPU you can throw at the problem. ®

New hybrid storage solutions

More from The Register

next story
4K-ing excellent TV is on its way ... in its own sweet time, natch
For decades Hollywood actually binned its 4K files. Doh!
Oi, Tim Cook. Apple Watch. I DARE you to tell me, IN PERSON, that it's secure
State attorney demands Apple CEO bows the knee to him
Apple's big bang: iPhone 6, ANOTHER iPhone 6 Plus and WATCH OUT
Let's >sigh< see what Cupertino has been up to for the past year
Huawei ditches new Windows Phone mobe plans, blames poor sales
Giganto mobe firm slams door shut on Microsoft. OH DEAR
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Get your Indian Landfill Android One handsets - they're only SIXTY QUID
Cheap and deafening mobes for the subcontinental masses
Apple's SNEAKY plan: COPY ANDROID. Hello iPhone 6, Watch
Sizes, prices and all – but not for the wrist-o-puter
A SCORCHIO fatboy SSD: Samsung SSD850 PRO 3D V-NAND
4Gb/s speeds on a consumer drive, anyone?
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.