Secure data backup strategies for the enterprise: A backup security tutorial

By Dave Raffo

Data backup security is a rapidly evolving -- if not rapidly adopted -- piece of the enterprise data storage world. It largely revolves around encryption, and has spread in the past few years from tape to host to disk, and is now an issue for the young Cloud storage market.

Despite some highly publicized breaches involving lost unencrypted tapes a few years back-- with much of that publicity generated by data security vendors -- encryption has been slow to catch on among enterprise data storage pros. Hurdles blocking adoption include price and management difficulties involved with adding appliances to handle encryption, lack of standards for key management, and no consensus of the best place to handle encryption. Despite more options for encrypting data and standardization efforts underway, organizations are still taking a wait-and-see attitude. However, many see the need for encryption.

According to the latest Storage magazine purchasing survey last fall, 51% said they are encrypting some backup data -- up 7% from the previous year -- and 81% say they were either encrypting or planned to evaluate within the next year.

Market research firm The InfoPro's latest survey of Fortune 500 adoption shows 41% are using tape encryption now, and 47% do not plan to encrypt data on tapes. However, that does not take into account possible encryption of data on disk.

In this tutorial on secure data backup strategies, learn about encryption key management, encryption appliances, tape and disk encryption, cloud backup security, and secure data destruction options.

 SECURE DATA BACKUP STRATEGIES: TABLE OF CONTENTS

 Encryption key management standards
 Appliance-based encryption and data backup security
 Host-based encryption
 Tape and disk encryption
 Cloud backup security
 Secure data destruction

  Encryption key management standards

Industry experts, vendors and storage administrators agree that in a secure data backup strategy, widespread encryption adoption all comes down to encryption key management. A good encryption key management system would simplify the process of generating, rotating, backing up and securing keys required to decrypt data after it is encrypted. Anybody with access to encryption keys also has access to all encrypted data.

With key management commonly cited as the biggest problem for encryption, there is a lot riding on the work of standards groups such as the Organization for the Advancement of Structured Information Standards (OASIS). OASIS is working on a standard for interoperability between key management systems called the Key Management Interoperability Protocol (KMIP).

More on secure data backup Secure your data backups with encryption key management best practices How to back up encrypted files and how to use the Encrypting File System Criteria for choosing the right tape encryption solution for your data backup plan

 The goal of the KMIP initiative is to ensure interoperability between key management systems from different vendors and between different encryption technologies. The way it stands now, each vendor in the encryption space has its own key management system and none of them work with other vendors' keys. That means organizations still have to manage keys separately for any type of encryption they're using.

With EMC Corp.'s RSA Security, Brocade, Hewlett-Packard (HP) Co., IBM Corp., NetApp, Seagate, Thales Security and CA among the storage vendors involved, the KMIP standard should cover most encryption devices once it is complete. If adopted, KMIP would allow users to attach almost any encrypting device to one preferred key management system, regardless of the vendors involved.

"It's the key management that still continues to be an issue," Taneja Group founder and senior analyst Arun Taneja said. "Key management will be a bigger issue when you have a gazillion drives and each has its own key management. How do you manage the keys?"

 Editor's Tip: Learn about encryption key management standards in this article.

  Appliance-based encryption and data backup security

Encryption appliance vendors Decru, NeoScale Networks Inc., Vormetric, and Kasten Chase Applied Research Ltd. made an attempt at encrypting data backed up on tape in the wake of the early publicized breaches. That concept never took off, even after NetApp acquired Decru in 2005.

Still, the appliance approach isn't dead. NetApp still markets DataFort appliances it acquired from Decru, and Thales is still selling CryptoStor tape encryption devices first developed by Neoscale, and it has a key management appliance sold by Hitachi Data Systems with Brocade switches.

While appliances remain an option for large organizations that can integrate them into their storage networks, they are pricey and present an extra management layer that limit their appeal to smaller companies.

 Editor's Tip: Learn about encryption appliances and data backup security in this podcast.

  Host-based encryption

Not long after appliances hit the scene, data backup vendors such as Symantec Corp., IBM, EMC, CA and CommVault began supporting encryption in their software. That enabled host-based encryption, but the encryption process slows down backups and could require more media for backups because you can't compress encrypted data. That makes host-based more of an option for smaller data sets.

 Editor's Tip: Discover the differences between host-based vs. appliance-based encryption in this expert tip.

  Tape and disk encryption

Built-in encryption was considered one of the big selling points of LTO-4 tape drives when they hit the market, but while LTO-4 has taken over the tape market it hasn't been because of encryption -- mainly because putting encryption in the library doesn't solve the key management issue.

IBM and Sun StorageTek also offer native tape encryption for their high-end tape libraries. These libraries are used almost exclusively by large enterprises.

Self-encrypting hard drives can make encryption ubiquitous although it's relatively early days for this technology. <href="https://searchstorage.techtarget.com/news/1338474/Seagate-pushes-encryption-for-small-form-factor-SAS-drives">Seagate is at the forefront pushing self-encrypting disk but Fujitsu Computer Products of America Inc., and Hitachi Global Storage Technologies also sell them.

 Editor's Tip: Check out our sister site SearchStorage's article on storage encryption products to learn more about disk and tape encryption.

  Cloud data backup security

Data security is one of the frequently mentioned hurdles to implementing cloud storage and cloud backup, because moving data to the cloud means trusting it to an outside organization. Businesses are advised to investigate their provider's security methods before storing their data with a third-party. Security concerns range from physical security (how well is the cloud provider's data center protected), to its encryption policies and whether it supports secure user protocols such as SSL, TLS or SSH.

Organizations also want to know that their cloud provider is SAS 70-certified. A SAS 70 audit is a review of a service organization's policies, practices and security measures conducted by an independent auditor. SAS 70 audits have gained widespread usage among hosted IT service providers as a way to publicize security and accountability.

 Editor's Tip: Read our exclusive tip on cloud backup security concerns for more information.

  Destroying old tapes and disks

Data backup security goes beyond the media you're still using to store your data. You also have to make sure to wipe data off the tape cartridges and disks you want to get rid of. Options include software to overwrite data, degaussing, and outsourcing the job to destruction service providers. Dumping them in the garbage should not be an option, because the media can have sensitive data, and because of environmental concerns.

According to a June 2009 research report by the Enterprise Strategy Group called "Protecting Confidential Data Revisited," 53% of large enterprises surveyed used "brute-force" methods, such as physically destroying their disk drives and tapes. Other enterprises used data destruction software (35%) and homegrown tools and processes (25%). But whatever method they chose, 82% of respondents said they have formal policies and procedures in place for data destruction of storage media.

 Editor's Tip: Learn about secure data destruction of backup tapes in this article.