Storage encryption
Encrypting storage protects businesses from data losses on
account of missing media. By Akhtar Pasha
The benefit of doing encryption at the storage layer is that all data access funnels
down to storage, so encrypting there covers a lot of exposure all at once.
Businesses have plenty of options to choose from: software-based encryption,
switch-based encryption, drive- or library-based encryption, and dedicated appliances.
Organizations in India, especially banks, telcos and to a lesser extent manufacturing
companies, have started encrypting their tapes as a safety measure for
all data that is in transit to a storage facility.
In the last two years, there have been many instances of data loss in transit.
In May 2007, Time Warner Inc. started encrypting all data saved to backup tapes
after 40 tapes with personal information on about 600,000 current and former
employees were lost in transit to a storage facility. Apparently, a shipping
container that held the tapes was lost on March 22, 2007 during a routine shipment
to an off-site facility by records management and storage firm Iron Mountain
Inc.
On May 30, 2008, the Bank of New York Mellon Corp. confirmed that a third-party
vendor lost a box of unencrypted data storage tapes holding personal information
of more than 4.5 million individuals during transport to an off-site facility.
No incidents of tapes being lost in transit have been reported in India, as
our laws do not mandate public disclosure when a security breach potentially
exposes unencrypted private data. However, some banks and ITES companies admitted
that there have been some lapses in handling the tapes that leave their data
centers, which have put them in a tight spot.
T G Dhandapani, CIO, TVS Motor, said, "Three years ago we had never thought
about encrypting the tapes that leave our production site. However, we have
seen and learnt from instances of tapes getting lost in transit that forced
us to look into encryption of tapes about 18 months back. Today we think that
any organization that has sensitive customer data, IP and production/CBS data
has to consider doing it invariably [encryption]. We find it to be a safe
practice to encrypt all the backup tapes that leave our production site."
He continued, "Today we are encrypting backup tapes, which contain production-related
data (ERP), mail messaging, customized engineering designs (IP), that leave
our production site to the storage facility away from our data center." By encrypting
data on tape, customers can be confident that data at rest (information
not traversing the network) is secure and easily accessible. If disks are
removed or stolen, the encrypted data is inaccessible and, therefore, protected.
This encryption safeguards against loss of intellectual property and private
information, and helps to protect corporate revenue and reputation.
Andhra Bank and United India Insurance are using HP Secure Key Manager (SKM)
as a solution in their core banking and core insurance deployment respectively.
They are currently in the early stage of deployment.
The data residing on your storage systems and media, data-at-rest, presents
serious security concerns. There is nothing worse than not being able to protect
your stored data. That is why most organizations today are investing in encryption,
at least for critical areas of their operations.
Tape encryption rules

"LTO-4 tape libraries come with AES 256-bit encryption which has become the industry
standard. Hardware encryption features added to the HP StorageWorks
XP24000 and XP20000 Disk Arrays protect the data stored on each disk drive
in the array"
- Manoj Suvarna, Country Manager, HP StorageWorks Division, HP India

"The emphasis by large banks continues to be to prevent theft or loss of backup
tapes that leave their premises. 85% of the encryption is happening on
backup tapes, as it is easier to handle and only 15% on disk drives"
- George Thomas, Managing Director, India & SAARC, NetApp India Pvt Ltd

"The adoption of encryption remains nascent in India and today it is limited
to tape (in-transit) that leaves an organization's premises for which
most of the large businesses are using LTO-4 Ultrium that has in-built 256
bit AES"
- Shailesh Agarwal, Country Manager-Business Systems, STG - IBM India/South Asia

"Today we think that any organization that has sensitive customer data, IP and
production / CBS data has to consider encryption. We find it to be a safe
practice to encrypt all the backup tapes that leave our production site"
- T G Dhandapani, CIO, TVS Motor

Data security through encryption at the file, application and network level
has already got a lot of press. One of the big benefits of doing encryption
at the storage layer is that it is the place where all data access funnels
down to, so it covers a lot of exposure all at once. Hence, we restrict this
story to where it matters most at this point in time: tape and disk arrays.
George Thomas, Managing Director, India & SAARC, NetApp India Pvt Ltd., commented, "The
emphasis by large banks continues to be to prevent theft or loss of backup tapes
that leave their premises. 85% of the encryption is happening on backup tapes
as it is easier to handle and only 15% on disk drives."
Not surprisingly, the two areas where data encryption solutions
are seeing the most activity of late are protection of data-at-rest on backup
tapes and, more slowly, securing data at the disk array level.
Focusing on the enterprise storage side of encryption, the remainder
of this article explores how organizations have decided to approach the many
backup-related encryption solutions now available.
A more recent alternative is tape drive-level encryption, which is available
on certain half-inch tape drives from vendors such as IBM and Sun, as well as
the more recently introduced LTO-4 tape drives.
All of the LTO-4 tape drive manufacturers, including
Hewlett-Packard, IBM, Quantum, and Tandberg, will offer drive-level encryption
(at press time, IBM was the only vendor shipping LTO-4 drives), as will LTO
library manufacturers such as Hewlett-Packard, IBM, NEC, Quantum, Sun and Tandberg.
Tape drive-level encryption, which manufacturers implement
in hardware, is relatively inexpensive, although it may require a media upgrade,
and does not incur the performance penalties of software-based encryption.
Shailesh Agarwal, Country Manager-Business Systems, STG -
IBM India/South Asia, said, "The adoption of encryption remains nascent
in India and today it is limited to tape (in-transit) that leaves an organization's
premises for which most of the large businesses are using LTO-4 Ultrium that has
in-built 256 bit AES (Advanced Encryption Standard). Most of the product data
that an organization backs up, archives and moves offsite is encrypted. Most
encryption initiatives are because of an RBI directive that mandates banks to
keep all transactional data encrypted and stored for at least 6-7 years."
Another option for encrypting data on tape and disk is to
use purpose-built encryption appliances from vendors such as NetApp (DataFort)
or NeoScale. These inline appliances can encrypt backup data at wire speed and
typically reside between the backup server and the tape media. Thomas said,
"We had quite a success with DataFort in India in the banking and BPO verticals.
It is a reliable, multi-gigabit-speed encryption appliance that integrates transparently
into NAS, SAN, DAS and tape backup environments. By locking down stored data
with strong encryption, and routing all access through secure hardware, DataFort
radically simplifies the security model for networked storage."
Disk array encryption
IBM has extended encryption features found in its tape libraries such as TS1120
into its DS range of disk arrays (DS 8000 series). While backing up data to
VTL 7530 from the DS 8000 you can fully encrypt it without losing performance.
Agarwal added, "Since many businesses are doing disk-to-disk backup we
introduced SecureVTL which is configurable as disk-to-disk or disk-to-disk-to-tape
with strong AES-256 encryption and optional 2:1 compression of data stored on
disk or tape."
HP is addressing the encryption of tapes and disk arrays
with its Secure Key Manager (SKM) that can manage multiple keys from several
tape libraries. Manoj Suvarna, Country Manager, HP StorageWorks Division, HP
India, said, "Customers are using LTO-4 tape libraries that come with AES
256-bit encryption which has become the industry standard. However, we see traction
in encrypting disk arrays. The new hardware encryption features, added to the
HP StorageWorks XP24000 and XP20000 Disk Arrays, reduce the risk of security
breaches by protecting the data stored on each disk drive in the array. We do
this without degrading the XP arrays' high performance, a problem
for competing solutions. By encrypting data on both disk and tape, customers
can be confident that data at rest is secure and easily accessible. If disks
are removed or stolen, the encrypted data is inaccessible and, therefore, protected.
This encryption safeguards against loss of intellectual property and private
information thus protecting corporate revenue and reputation."
Prakash Krishnamoorthy, Business Manager, HP StorageWorks Division, Technology
Solutions Group, HP India, added, "One of the issues faced in encryption
is that of key management. For e.g. if you have 10 media then you would need
10 pairs of keys. SKM is a hardware solution, which automates encryption key
management for HP LTO-4 enterprise tape libraries and it supports up to two
million keys to ensure that multiple tape library installations and future encryption
devices are protected."
To address the mid-market, HP has an encryption add-on kit for small businesses
running Tape Autoloaders and MSL Tape Libraries with LTO-4 tape. The MSL Encryption
Kit consists of two USB devices that plug into the MSL library to make and retain
encryption keys. You assign one device to generate keys, and the other for backup.
Vishal Dhupar, MD, Symantec India & SAARC, said, "Encrypting any data
lying on the disk or tape will protect it from any sort of physical theft. Encrypting
data and information on disks ensures that enterprises get scalable, enterprise-wide
security that prevents unauthorized access by using strong access control and
powerful encryption. Large enterprises need a centralized management console,
enabling safe, central deployment and management of encryption to endpoints.
With the Symantec advanced encryption solution, encryption and authentication
are both transparent to the end user and performed with minimal performance
impact." He added, "The practice of encrypting backup tapes is adopted across
various industries including BFSI, Telecom, and ITES etc. The adoption of disk-based
encryption is high for mobile devices (laptops and corporate mobile devices).
This would help to prevent data being leaked out in case of physical theft."
Thomas says that encryption at the disk array level would not be easy as it
requires certain process changes in the organization, planning and project management
in executing it.
Lastly, businesses should form a strategy around encryption and try to integrate
it with their BC and DR strategy. According to Dhupar, the key idea behind
any encryption strategy would be to understand what it is you are trying to
protect and its value. Any organization needs to understand the areas that are
critical as far as data leakage is concerned and cover as many of them as possible.
You can take care of physical theft by encryption-based technologies. However,
you need complementary technologies like data loss prevention to address data
leakage from internal resources. Agarwal added, "Selling encryption technology
requires CFO buy-in and it is driven by the business needs on how you handle
regulations, risk and compliance. The encryption strategy should be such that
it integrates well with your backup and archival policy."
akhtar.pasha@expressindia.com