Best Practices for choosing and implementing a storage encryption solution
Once you decide that a solution is required in order to meet regulatory or good business governance requirements, you must choose between a single-platform solution and a corporate-wide one. It is usually better to standardize on one solution for all platforms.
Next you must determine which option is best for your environment: software-only or hardware.
Software often does not offer compression.
Hardware units—whether built into the drive or of an inline design—use hardware compression prior to encryption.
Software compression relies upon the system processing power to do the work.
Hardware compression is not system-reliant.
Software normally involves several updates during the life of the system.
Hardware does not change even if the complete system or OS is changed.
Software encryption is not available for all systems.
Hardware encryption works on all system types.
Some backup packages do not include encryption and therefore require a change of package.
Hardware encryption works on all backup solution packages without the need for any configuration changes.
With software, the user key is kept on the system, so the system or network is open to attack.
With hardware tape encryption, the key can be kept in the device and so cannot be read from any external device.
Software is normally restricted to a single operating system type.
Hardware is system-independent.
Software encryption usually needs to be upgraded when the OS is upgraded.
Hardware, being platform-independent, does not need to be changed when the OS is upgraded.
Software is often a low-cost solution, but its price depends on the OS being used.
Hardware is normally the same cost whatever the OS.
Software costs are often based on the capacity of the attached library.
Hardware costs are fixed.
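The compression points above rest on one property of any sound cipher: its output looks random, and random-looking data does not compress. A device must therefore compress before it encrypts, which is why hardware units place the compression engine in front of the encryption engine. The following added example (not from this paper or from any 10ZiG product) measures this with Python's standard library. The cipher is a deliberately simple SHA-256 counter-mode keystream standing in for a real AES engine, and the backup data is a constructed repetitive log stream; both are assumptions for the demonstration.

```python
import hashlib
import zlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256.

    Stand-in for the AES engine of a tape appliance (demonstration only,
    not a recommended cipher). The output is pseudo-random, which is the
    only property the size comparison depends on.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call decrypts."""
    ks = keystream(key, nonce, len(data))
    return (int.from_bytes(data, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(data), "big")


def compress_then_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Order used by hardware units: compression engine feeds the cipher."""
    return encrypt(key, nonce, zlib.compress(data, 9))


def encrypt_then_compress(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Wrong order: compressing ciphertext gains nothing."""
    return zlib.compress(encrypt(key, nonce, data), 9)


def sample_backup_data() -> bytes:
    # Constructed sample: a repetitive log stream, typical of backup content.
    record = b"2024-01-01T00:00:00Z host=db01 level=INFO msg=checkpoint complete\n"
    return record * 2000


def size_report(key: bytes, nonce: bytes, data: bytes) -> dict:
    """Return the on-tape size of each pipeline for the given data."""
    return {
        "plain": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(key, nonce, data)),
        "encrypt_then_compress": len(encrypt_then_compress(key, nonce, data)),
    }


if __name__ == "__main__":
    demo_key = b"\x01" * 32      # placeholder key for the demo
    demo_nonce = b"\x02" * 16    # placeholder nonce for the demo
    for name, size in size_report(demo_key, demo_nonce, sample_backup_data()).items():
        print(f"{name:>22}: {size} bytes")
```

Running the block shows the compress-then-encrypt stream shrinking to a small fraction of the input, while the encrypt-then-compress stream is slightly larger than the input (zlib adds framing to data it cannot compress). The same holds for a software package that encrypts before handing data to a drive with built-in compression: the drive's compression becomes useless and tape capacity is lost.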
What to Encrypt?
Another issue raised is whether to encrypt only the sensitive data or to encrypt everything.
The concept of encrypting only the sensitive data appears to be very attractive because it minimizes the amount of extra processing. The downside is that someone has to make the decision as to what is sensitive and what is not.
Another area of contention is when to implement a solution. Should you look at what is readily available and “field proven”, or wait for the “ultimate solution” that is promised “real soon”?
From the beginning, it should be understood that there may be individuals within the business who will not understand the risks and will fight against any attempts to integrate a solution into the infrastructure. Many MIS departments see backup as non-productive. Another potential issue is the funding for this solution.
A vital point to consider is what to do with the existing pool of tapes used for backups and archives.
Is it possible to reuse the existing media?
Does the solution require continual monitoring and operational input?
Does your solution take into consideration migration to a new system?
An external hardware solution with dedicated compression and encryption engines will not suffer from the problems and complexities that software may suffer from.
The DR Implications
Any good tape encryption solution must not hinder or overcomplicate disaster recovery, which is already a stressful operation.
Statistics show that if you fail to restore your business data and get your business back up in a timely manner, the result 80% of the time is the total collapse of your business.
Be cautious about choosing a solution that is over-complex, needs specialists to install it at the DR site, or has a difficult key-management system.
Where Should a Hardware Solution Reside?
In the Server
When encryption is built into the server, it is system-dependent and will be very disruptive to install.
A further downside is that it must also be installed in any DR or development systems before those systems can read the encrypted tapes.
With host-based encryption using a standard encryption card, any user who has decided to implement the same methodology will have exactly the same physical hardware as you.
In the Drive
There are only a limited number of truly integrated drive-based solutions on the market, and these are new and, so far, unproven. Most solutions are limited to a new media type in order to allow encryption.
Because the whole system’s security rests on a single external key, and the drives themselves are standard hardware, key management of such a product is of paramount importance.
With drive-based encryption using a standard encryption card, any user will have exactly the same physical hardware as you.
These devices are normally the simplest to install and cause the least disruption. The keys can be loaded securely into the appliance, which needs no network connection to the system and is therefore inherently more secure. These systems are transparent, and drives can be rolled out across a heterogeneous environment very easily. These solutions also offer the easiest use in a DR situation.
Encryption is the best way for businesses to meet the increasing need for privacy protection.
10ZiG offers two storage security solutions to protect your data at rest. The Q3 is a stand-alone storage encryption appliance. The Q3i is a tape drive with built-in PCI compliant encryption. For more details, visit www.theq3.com or contact 10ZiG at email@example.com.
Contact us at 866-865-5250 for a free 30-day trial or for more information.