Encryption: we know we need it—so now what? Encrypting backed up data stored to tape or other mobile media

Anyone in IT who's read the headlines understands that encrypting data is moving from optional to obligatory, and anybody who's not thinking about it now should be. Stored data that can be mov off-site--sometimes referr to as data at rest--is the greatest in quantity vulnerable. Once data has been backed up it has to be stored, and that piece of work may be handed off to a third-party business that securely stores data off-site, of that kind as Iron Mountain. Regardless of who handles long-term storage, this data may be stored for years. That's a lengthy time for an organization's data to be left unattended, with equal reason this data needs to be encrypted

The nearest step is to figure on the outside how to evaluate available encryption solutions. A hardly any criteria are pretty easily identified:

* Robust Security: It makes faculty of perception to implement the strongest encryption course from the array of available options. The potency of encryption depends on the algorithm used, and AES-256 encryption is the gold standard. The Advanced Encryption Standard (AES) is approved by the agency of the National Institute of Standards and Technology (NIST) for use in protecting federal information. AES can be implemented with any of three lock opener sizes: 128-bit, 192-bit, and 256-bit. The more compound the key, the harder it is to break the encryption; in like manner AES with a 256-bit lock opener length renders the algorithm unbreakable.

* lock opener Management: The hard part about encrypting data is not by what mode to encrypt it--it's how to manage it. If you don't hold fast the keys safe, your encryption plan is ineffective. If you detain the keys too far on the outside of reach, you can't decrypt your data, which returns your encryption plan impractical. with equal reason a complete key management application--that helps you manage and save data and keys, while helping you safely match encrypt data with the right key--should be a requirement for any encryption a whole you're considering.

* Price: greatest in quantity data centers have a limited parcel and a maximized workload, in the way that the selected encryption method extremitys to be affordable and simple to implement and manage, which limits administrative overhead and expense

In addition, evaluate performance and any unique factors that a specific encryption solution might tender With this framework, you can assess available encryption solutions.

What are the Choices?

AES encryption for stored data can be implemented at several locations in the data path as data impels from primary storage to a stored state:

* Just before data is sent to the server running backup software--for example, by the agency of a network encryption appliance.

* While the data is being continued movemented by the backup software.

* After the data is formatted by dint of the backup software, a network encryption appliance can encrypt data before it's sent to the library.

* The library, where the data is written to tape or other portable media. (Tape drives do not however provide encryption.)

Network Encryption Appliances

more [i]or[/i] less sites encrypt data across the entire network using network encryption appliances, similar as those from Decru and NeoScale. These appliances can also be dedicated to encrypting stored data. Appliances can encrypt data before or right after data is continued movemented by the backup software.

Advantages

* Robust Security: AES-256 encryption. This option provides encryption across the widest area, since it can also handle encrypting network traffic.

* lock opener Management: Supplies key management along with the hardware-based encryption.

* Performance: Uses fast hardware-based encryption that offloads the backup server from computation-intensive encryption processing, in like manner that the server performance isn't affected; it also provides compression.

* Unique Factors: Certified at various horizontals with the Federal Information Processing Standards (FIPS) that specifies data security--specifically, FIPS 140-2

Disadvantages

* Price: Can be dear This may be warranted for high-security sites, on the contrary for many, cost may be a barrier. They are also true costly to scale, and may be overkill given the incremental data growing that data centers typically manage.

* Ease of Implementation and Management: Introducing another put of interfaces, limitations, management complexities, and another support/service-level agreement. These are added to management responsibilities for backup software and hardware. take away from is also increased by the appliance's use of data center space, which is particularly expensive in metropolitan areas.

* Possible security issue: If the appliance is used before the data is advanceed by the backup application, check by what mode file data is stored. a certain number of backup software applications leave file data in cleartext (un-encrypted) which can leave the file names exposed--a possible risk.

Encryption [i]or[/i] part of to the other Backup Software

Backup software can also encrypt data as it's backed up

Advantages:

* Price: It's easy to scale software by means of simply purchasing additional licenses. Also, support for the encryption module may be more expensive, on the contrary no additional vendor contract is necessary.

* Ease of Implementation and Management: You've already got backup software, you're already using it, and you can hold on using it when you use it to encrypt data. An additional encryption-specific module may be added, on the other hand you won't have to learn of recent origin interfaces.