White Paper: Unlocking Encryption - A New Key to Data Security
Table of Contents

Executive Summary
Overview: Encryption Defined
The Business Need For Encryption
  A Banking Case Study
  Real-World Examples
Implementing Encryption Successfully
  Keys and Key Management
  Encryption Methods
  Implementation Methods
Planning a Successful Implementation
Unitrends InCrypt - Tailored for Success in SMB
Executive Summary

Encryption is an increasingly important set of technologies, used to safeguard private data in computers, across public or private networks, or in other machine-readable forms. The proliferation of data needing protection (whether internal corporate data, or records containing information on customers or other associates) means there is much more data at risk of being compromised than ever before. This, in conjunction with the increasing cost of a data breach, measured in both hard dollar terms like legal settlements, and soft costs such as loss of customer loyalty, makes the intelligent use of encryption and other data-protection technologies increasingly necessary for organizations of all sizes.

In 2007, there were more than 320 cases of data loss documented by the Privacy Rights Clearinghouse, the largest of which affected more than 94 million credit and debit card account numbers, with breach costs estimated at $216 million, and an initial settlement with a single card issuer of $40.9 million. Clearly, the stakes are very, very large.

There are specific and unique issues of data protection and encryption relating to data backup solutions; these need to be understood and integrated into an organization's broader business-continuity plans. And while the risk and cost of data loss through simple error or third-party theft continues to grow (risks that encryption can mitigate), there still exists far greater risk of data loss from issues of simple hardware failure, software corruption, or human error (in accidentally deleting a critical file, for example). For this reason, encryption should be thought of as an additional layer of protection, built on top of a solid core mechanism for data backup, protection, archiving, and disaster-recovery.

All encryption methods depend on keys to perform the transformation of "plain text" (which is a term of art in cryptography, meaning unencrypted data, whether textual in nature or otherwise) into "cipher text."
Keys, like conventional passwords, can have varying degrees of strength. And like passwords, they must be carefully managed to ensure privacy, and to protect against loss of the key itself. Well-encrypted information simply cannot be unencrypted without the original key; for this reason, loss of the key represents as large a risk to the data owner as exposure of the underlying data itself.

For the small- and medium-sized market, the ideal data encryption approach would be both affordable and easily integrated into a comprehensive data backup and business systems continuity solution. It would include powerful, standards-based encryption, and offer a robust key management function. Unitrends' InCrypt capability meets all these requirements, and is fully integrated into the company's family of Data Protection Unit (DPU) and Data Protection Vault (DPV) appliances.
Overview: Encryption Defined

In the world of information technology (IT), encryption refers to a process used to transform computer information into an unreadable form, yet one that can be reliably transformed back to its original state.

In the 1940s, radio programs like "Little Orphan Annie" and "Captain Midnight" popularized decoder rings. These devices typically had two concentric rings, each of which had the letters A-Z, the numerals 0-9, and perhaps a period and a space character. The outer ring could be rotated around the inner ring. In the starting position, the letter A on the outer ring would be aligned with the A on the inner ring, and all the other characters would be aligned as well: B with B, 5 with 5, and so on.

To scramble a message, one would turn the outer ring a certain number of characters clockwise relative to the inner ring. For example, three positions clockwise would align A with D, B with E, C with F, 5 with 8, etc. Then the letters in a plain text message could be mapped to the corresponding inner ring letters, producing cipher text. In this manner, D becomes G, A becomes D, and the phrase "Data Protection Unit" would be scrambled as "gdwd#surwhfwlrq#xqlw".

To unscramble the phrase, one needs a matching decoder ring, and needs to know how many positions clockwise the rings were turned relative to each other in the encoding process. In this example, the positional offset is what cryptographers call the "key" to the encryption algorithm. It's like the password that locks and unlocks your computer.

The same principles apply to today's sophisticated encryption. There's plain text that is transformed into cipher text by an algorithm; the algorithm uses a key provided by the person encrypting the data. Keeping the key secret (while not forgetting it!) is essential to the integrity and security of the process. But similarities aside, in today's world the decoder rings are, of course, much more technologically advanced.
The Business Need For Encryption

Since the days of the Roman army, military organizations have used encryption methods to protect intelligence information. Today, enterprises of all sizes manage intelligence information. Any business that has a product or service for sale handles and stores its customers' personally identifiable information, from names and addresses to more sensitive information like Social Security numbers, bank account and credit card numbers, etc.

For most companies, the amount of information they retain has grown steadily over the years, and the need for privacy of that information has also evolved. This smooth growth means that many companies fail to recognize the risk to which they're exposed. Imagine the information that a criminal could glean from a single backup tape from a florist shop: perhaps thousands of customer names, credit card numbers, and so on. Now think of the exposure a bank has with the customer information it maintains. A set of backup tapes from a bank is potentially far more valuable than an armored car full of cash, and unfortunately, also likely to be far more accessible.

"Businesses are increasingly looking to encryption technologies to meet the growing data security requirements," said Lauren Whitehouse, Enterprise Strategy Group analyst. "With InCrypt, Unitrends is delivering a fully integrated, operationally simple solution that not only provides data security for data at rest and on its vault, but also for data in flight. This feature really sets Unitrends apart and provides its customers added protection."

The costs associated with data loss can be almost unimaginably high. Any loss of unencrypted data exposes a firm to severe damage to its customer relationships; creates a huge distraction to running the business; establishes potential legal liability for subsequent losses experienced by customers; and virtually guarantees significant damage to its reputation.
Fortunately, encryption can protect against all these risks, and is easily implemented. Let's consider the extent to which a hypothetical regional bank might be at risk with respect to unencrypted data on its backup tapes.

A Banking Case Study

Imagine a bank with 20,000 customers, most with multiple accounts and bank cards. Every night, the bank makes a complete tape backup of its core information servers. In today's world, these servers would likely be Windows-based, and might contain Microsoft SQL databases. To capture all the data on tape, six to eight tape cartridges are used. These tapes are then placed in a storage box and prepared for pickup by a third-party tape storage company.

Sometime during the day, a van driver from the tape storage firm drops off an older set of tapes (no longer needed), and picks up the box of new tapes. During the day, the van drives all over town making pickups and drop-offs. At the end of the day, the driver pulls into the storage warehouse where the day's pickups are unloaded and stored on shelves. The following day, the driver will repeat this process.

Here are just some of the threats to the security of the bank's data in this scenario:

- The tapes are left in a box for pickup, without continuous supervision
- The pickup van is not armored
- The driver is likely an hourly employee with uncertain reliability and commitment to his employer and the firm's customers
- Dozens of tape boxes are loaded and unloaded each day, in a manual process subject to human error and/or malicious intent
- Tapes are stored for an interval, not under continuous supervision, and then sent back to customers for reuse

These risks could lead to:

- Tapes being mislaid or stolen from loading docks
- Tapes being accidentally dropped off at the wrong sites
- Tapes being lost or stolen from the delivery van
- Driver turnover leading to accidental misplacement or intentional theft of tapes

Once the tapes are in the wrong hands, unencrypted data is easily compromised. Someone trained in basic information technology could, with little effort, capture, copy, post on the Internet, or sell data from the bank's backup tapes in as little as an hour.

Real-World Examples

Think these risks are theoretical? Let's take a sobering look at just two of the 320 cases of data loss documented by the Privacy Rights Clearinghouse in 2007, using information from the organization's Website:

On June 15th, the State of Ohio reported that a backup computer storage device with the names and Social Security numbers of every state worker had been stolen earlier in the month from a state intern's car. The tape was initially reported to contain personally identifiable information of nearly 84,000 current and former Ohio state employees and more than 47,000 state taxpayers. But the news worsened in the next few days, when it was reported that the storage device also had the names and Social Security numbers of 225,000 taxpayers, a number that was later increased to 500,000. The state Hotline and the Ohio Consumers Counsel office were deluged with calls, and it is virtually certain that many of the individuals whose data was compromised suffered serious financial harm.

On January 17th, The TJX Companies (the holding company for T.J. Maxx, Marshalls, and other retail stores) reported that it had, a month earlier, discovered an unauthorized intrusion into its computer systems that process and store customer transactions, including credit card, debit card, check, and merchandise return data. It was initially reported that about six months' worth of data, covering 45.7 million credit and debit card account numbers, had potentially been compromised. But by February, the number of accounts had grown to more than 94 million, and it became clear that the hacking had begun as long ago as July

In March, we learned that stolen information had been used fraudulently in an $8 million gift card scheme the previous November, one month before the company even learned of the breach.

In April, three states' banking associations filed a class action lawsuit against TJX to recover the costs of damages totaling tens of millions of dollars incurred for replacing customers' debit and credit cards.
In May, an article in the Wall Street Journal noted that thieves were able to access data streaming between hand-held price-checking devices, cash registers and the store's computers. This was because TJX "had an outdated wireless security system, and had failed to install data encryption technology on its computers" [emphasis ours]. Twenty-one U.S. and Canadian lawsuits were filed, seeking damages from the retailer for reissuing compromised cards.

In July, U.S. Secret Service agents found TJX customers' credit card numbers in the hands of Eastern European cyber thieves who created high-quality counterfeit credit cards. Victims were from the U.S., Europe, Asia and Canada, among other places.

This story continued to unfold throughout 2007, with TJX agreeing to pay for credit monitoring services for affected customers, reimbursing customers who had to replace driver's licenses, and paying $40.9 million to fund an "alternative recovery payments program" for customers affected by the breach. At least 19 lawsuits have been filed, and there are investigations underway by the Federal Trade Commission and 37 state Attorneys General.

TJX is a company with a $13 billion market capitalization, so it should be far better able to weather storms than most small- and medium-sized businesses. But in the days following the initial disclosure, its stock lost more than 13% of its value as daily trading volume nearly doubled; by the middle of March, shareholders had lost $1.75 billion in value. Clearly, no company is immune to either the risks or the costs of a serious data breach.

So whether by simple theft of backup tapes from an intern's trunk, or a sophisticated multiyear hacking of corporate IT systems, unencrypted data is clearly at risk, and capable of producing potentially fatal consequences for the organizations that lose control of it.
In Depth: Implementing Encryption Successfully

Fortunately, encryption functionality can be easily integrated into an organization's backup processes, protecting all data on the company's servers and backup devices, and all data taken offsite for archiving. All encrypted data is rendered unintelligible until it is decrypted using the original keys.

From a disaster recovery (DR) perspective, it is imperative to have your data backed up and stored offsite, preferably in a city far away. The historical approach to offsite backup using removable media such as disks or tapes is rapidly being supplanted by electronic data vaulting. But in either case, the data must be encrypted before it leaves your site.

For small- and medium-sized organizations, the ideal data encryption approach must be both affordable, and easily integrated into a comprehensive data backup and business systems continuity solution. Let's examine the issues of keys and key management, and several alternative methods of encryption.

"Small and mid-sized companies face similar data security and protection challenges as their larger peers, but frequently have not implemented a reliable data protection and business continuity solution because of cost and implementation obstacles unique to smaller companies..." - Laura DuBois, IDC Research Director for Storage Software.
Keys and Key Management

A key is a piece of information, or parameter, which controls the operation of a cryptography algorithm. Modern encryption algorithms typically use either symmetric or asymmetric keys.

Asymmetric key encryption uses a pair of keys, called a public key and a private key. The private key is kept secret, while the public key may be widely distributed to users. The keys are related mathematically, but the private key (which is required to decrypt the data) cannot be derived just from knowledge of the public key. Data encrypted with the public key can be decrypted only with the corresponding private key. Asymmetric key encryption is best suited for protecting data that has a wide audience, like web sites with secure access established for many users.

Symmetric key methods use the same key for both encryption and decryption. Symmetric key encryption algorithms are typically much less CPU intensive, and therefore operate more quickly (as much as 100 times faster) than asymmetric key encryption algorithms. Symmetric keys are excellent for use with devices and appliances in which the need to share keys is very limited. This is the case with data backup devices, where one specifically does not need to have many parties with access to the key.

It's Called the "Key" For a Reason

If you lose your house key, a locksmith can pick the lock mechanically and help you regain access. If you lock your keys in the car, there are many specialized tools that can help you open the door. But any encryption method that allowed this kind of "alternative access" in the event of a lost key would be fatally insecure. The nature of today's methods is that well-encrypted data is essentially indecipherable to thieves and completely lost to the owner in the absence of the necessary key for decryption.
This puts enormous pressure on the owner to not forget the key; at the same time, it's important to pick a strong key, often many, many characters long, which makes it harder to guess, but also harder to remember. And writing the key down brings its own obvious security risks.

Unitrends recognized the importance of key protection and key management early in the development of its InCrypt product, and built a unique and powerful set of features to ensure the keys stay secure, and also help users avoid the loss of a key that could be so devastating to their business. We'll discuss this in more detail later.

Key Escrow

Key escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow by a third party, like a legal firm, so that a designated employee or executive can obtain the keys if they are otherwise lost. The process of placing encryption keys in escrow protects a company from any single employee being the sole access to vital, encrypted data. Using an outside party, like an organization's law firm, may present security risks, and should be implemented with great care. There are legal firms that specialize in this type of security management.

Breaking a Key

The simplest method of unscrambling encrypted data is what's called a brute force attack: simply using computers with very high computational power to attempt decryption using every possible key. Let's go back to the decoder ring example under "Encryption Defined." If the two rings had only the letters A-Z and the numbers 0-9, there would be only 36 possible combinations of outer-ring position and inner-ring position. This is equivalent to having only 36 possible keys in this encryption algorithm. Obviously, it would be easy to try each combination on the first handful of scrambled letters, and it wouldn't take long to stumble upon the correct key. So short keys (those with a limited number of possible combinations) give less protection against brute-force attacks than longer keys.
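The decoder ring from "Encryption Defined" and the 36-key search described under "Breaking a Key", as an added example that is not part of the original paper. The crib word list and the guess rate passed to years_to_exhaust are constructed assumptions, and the key-length calculation generalizes the same arithmetic beyond the 36-key ring.

```python
"""Decoder-ring cipher and exhaustive key search (added illustration)."""
import string

# The 36-symbol ring used in "Breaking a Key": A-Z followed by 0-9.
# Spaces are not on this ring, so they pass through unchanged.
RING = string.ascii_uppercase + string.digits


def ring_shift(text, offset):
    """Rotate every ring symbol by `offset` positions; leave other characters alone."""
    out = []
    for ch in text.upper():
        pos = RING.find(ch)
        out.append(RING[(pos + offset) % len(RING)] if pos >= 0 else ch)
    return "".join(out)


def encrypt(plaintext, key):
    return ring_shift(plaintext, key)


def decrypt(ciphertext, key):
    return ring_shift(ciphertext, -key)


# Constructed crib: words the analyst expects somewhere in the message.
CRIB = {"DATA", "BACKUP", "PROTECTION", "UNIT", "TAPE", "KEY"}


def brute_force(ciphertext, crib=CRIB):
    """Try every possible ring offset and keep the candidate with the most crib words.

    Returns (key, plaintext, crib_hits). Only len(RING) decryptions are needed,
    which is why a key space this small offers no protection.
    """
    scored = []
    for key in range(len(RING)):
        candidate = decrypt(ciphertext, key)
        hits = sum(word in crib for word in candidate.split())
        scored.append((hits, key, candidate))
    hits, key, candidate = max(scored, key=lambda item: item[0])
    return key, candidate, hits


def years_to_exhaust(key_bits, guesses_per_second):
    """Worst-case time, in years, to try all 2**key_bits keys at the given rate."""
    seconds = 2 ** key_bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    secret = encrypt("Data Protection Unit", 3)
    print("cipher text :", secret)
    print("recovered   :", brute_force(secret))
    # Assumed rate of 10**12 guesses per second, chosen only for illustration.
    for bits in (128, 256):
        print(f"{bits}-bit key  : {years_to_exhaust(bits, 1e12):.2e} years")
```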
Key lengths are measured in the number of binary digits ("bits") they contain. Currently, key lengths of 128 bits (for symmetric key algorithms) and 1024 bits (for public-key algorithms) are thought to be adequate to render a brute force attack impractical, and the encryption algorithm essentially uncrackable. Nonetheless, Unitrends' approach uses symmetric keys of double this length (256 bits) for extra security.

Changing Keys

Brute force attacks mean there is at least a theoretical risk of one's encryption being broken. But more often, the real risk comes from human compromise: action by a disgruntled employee, an accidental publication of the key, etc. One of the best defenses against these risks is a simple periodic change of the key being used to encrypt information. By changing keys frequently (yearly, quarterly, or even monthly, depending on the nature of the data and the needs of the organization), the odds are in the user's favor that the key will have been changed before it is accidentally published or available to a malicious user.

The best approach to encryption key management is to make your key or keys moving targets for potential threats.

But: the more often keys are changed, the more the complexity of an encrypted backup solution increases. Which backup was encrypted with which historical key? Which vault data needs to be re-encrypted with the current key before new, changed blocks are added to the existing structure? Users need a solution that contemplates all these complexities and handles them without placing an unreasonable burden on the individuals involved: humans with fallible memories.

Encryption Methods

Different types of encryption

Encryption can be performed using a multitude of algorithms to protect the data. It can also be implemented at a number of different points in the data management process. Let's call these implementation algorithms and implementation methods, and examine several of each.
Taken together, the software algorithm and the unique process that converts plain-text data into encrypted data are called, in cryptography, a cipher (a cryptographic system).

Implementation Algorithms

Several different encryption algorithms are in use today, including Data Encryption Standard (DES) and Advanced Encryption Standard (AES).

DES

DES has been one of the prevailing encryption standards for the last 10 years. It was originally created by IBM, partly based on a request from the U.S. Federal government for a standardized data encryption tool that could be widely used by both the public and private sectors. DES was the first commercially-available cipher that used the concept of multiple, sequential encryption passes, with unique keys for each (also known as a multipass encryption method). In this approach, a single block of data is run through an encryption cipher initialized with a key. The results from this encryption cipher pass are then run through another cipher initialized with a different key. This process can be continued from one to 48 times (passes) in a row. Each pass makes it more difficult to crack the encryption. The number of passes is mostly dictated by the time available, since large amounts of processor (CPU) time are needed for the series of passes.

AES

In 1998, the National Security Agency (NSA) held a contest to find a new data encryption standard. Out of the three finalists, the Advanced Encryption Standard was selected. In 2001, the U.S. Federal government made AES its standard encryption process, and its official recommendation for all public and private data encryption efforts. Unitrends uses the AES approach.
In many ways, AES is an evolution of DES. It's based on the same principles, like multiple pass transforms and unique keys. But AES is unique in the degree to which the data is changed during each transform pass. While DES encryption is fairly linear, in that each transform pass operates in the same manner (but with a new unique key for that pass), AES adopts a new encryption pattern or methodology with each subsequent pass through the data. This makes reconstructing the original data far more difficult for someone on the outside.

AES operates on data that has been brought into an array. Imagine taking 16 playing cards and placing them in a series of four rows and four columns to make a table. This is similar to the process AES encryption uses, placing 16 bytes of data (equal to 128 bits) in a 4-by-4 array. Each array then undergoes a series of transformations (or rounds, as they are referred to by AES), in which the actual order of the 16 bytes of data is altered using a pattern specific to that round. The new data pattern is then encrypted. The different types of rounds in AES encryption include:

- SubBytes: a non-linear substitution step in which each byte is replaced with another according to a lookup table.
- ShiftRows: a transposition step in which each row of the array is shifted (offset) a certain number of steps.
- MixColumns: a mixing operation which operates on the columns of the array, combining the four bytes in each column.
- and others.

The number of rounds used is controlled by the size of the key used. AES conducts 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. This combination of structure change and encryption removes the ability to calculate patterns, and renders the encryption virtually unbreakable.

Implementation Methods

Data encryption can be incorporated into your workflow in a variety of different ways, each with its own advantages and disadvantages.
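The AES steps named in the AES section above (SubBytes, ShiftRows, MixColumns) and the 10/12/14 round counts, as an added example that is not from the original paper or from Unitrends. It goes beyond the text by including the AddRoundKey step and the key schedule from the published AES specification (FIPS-197), so that a whole 16-byte block can be encrypted and compared with the specification's sample values.

```python
"""AES single-block encryption built from its round steps (added illustration).

Educational code: one 16-byte block, no mode of operation, not constant-time.
The state is a flat list of 16 bytes in column order: index = 4*column + row.
"""


def xtime(a):
    """Multiply by 2 in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def gmul(a, b):
    """Multiply two bytes in GF(2^8)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a, b = xtime(a), b >> 1
    return result


def _sbox_entry(a):
    # Multiplicative inverse (0 maps to 0) followed by the fixed affine transform.
    inv = next((b for b in range(1, 256) if gmul(a, b) == 1), 0)
    x = inv
    for n in range(1, 5):
        x ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
    return x ^ 0x63


SBOX = [_sbox_entry(a) for a in range(256)]  # the SubBytes lookup table


def sub_bytes(state):
    return [SBOX[b] for b in state]


def shift_rows(state):
    # Row r is rotated left by r positions.
    return [state[(i % 4) + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]


def mix_columns(state):
    out = []
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        out += [gmul(col[r], 2) ^ gmul(col[(r + 1) % 4], 3)
                ^ col[(r + 2) % 4] ^ col[(r + 3) % 4] for r in range(4)]
    return out


def expand_key(key):
    """Return (rounds, words): 10/12/14 rounds for 16/24/32-byte keys."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES keys are 128, 192 or 256 bits")
    nk = len(key) // 4
    rounds = nk + 6
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        temp = list(words[i - 1])
        if i % nk == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]
            temp[0] ^= rcon
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            temp = [SBOX[b] for b in temp]
        words.append([a ^ b for a, b in zip(words[i - nk], temp)])
    return rounds, words


def add_round_key(state, words, n):
    return [state[i] ^ words[4 * n + i // 4][i % 4] for i in range(16)]


def encrypt_block(key, block):
    """Encrypt one 16-byte block with a 16-, 24- or 32-byte key."""
    if len(block) != 16:
        raise ValueError("AES operates on 16-byte blocks")
    rounds, words = expand_key(key)
    state = add_round_key(list(block), words, 0)
    for n in range(1, rounds):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), words, n)
    # The final round omits MixColumns.
    return bytes(add_round_key(shift_rows(sub_bytes(state)), words, rounds))


if __name__ == "__main__":
    # Sample key and block from FIPS-197 Appendix C.3 (256-bit key, 14 rounds).
    block = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(encrypt_block(bytes(range(32)), block).hex())
```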
When implementing data encryption on a network, there are four basic ways to approach the process:

File System Encryption on a Server

File system encryption is probably the easiest to implement; the tools needed are often included with new Windows Server operating systems. But this type of encryption places very heavy CPU demand on the server, which often makes it impractical for a busy Exchange or SQL server because of the computing power required.

Additionally, server file system encryption doesn't allow for centralized management; rather, it must be implemented on a per-server basis, and managed only with respect to that system. And in a multiple-OS environment, this kind of file system-based encryption may not be available for each OS used.
In-line Encryption

In-line encryption is typically performed by a dedicated hardware appliance, and is fairly simple to implement. The appliance normally has two network connections, with plain text coming in through the network, and cipher (encrypted) text coming out of the device. These systems operate on the individual Internet Protocol (IP) packet level, and encrypt the non-header portion of each network packet (i.e., the payload, or the information that's being carried to its destination) as it passes through the device.

Encryption appliances can also be set up between a company's servers and a backup device, to provide encryption of all the data that's about to be saved on tape or other media. In-line devices provide "wire speed" encryption, meaning that the servers and backup devices can operate at their own natural throughput, as if there was no encryption being performed.

There are, however, important and intrinsic characteristics of this encryption methodology that make it a poor choice for some firms. These include the cost of implementation, and certain risks and time delays in the event of a real disaster. Due to the sheer CPU horsepower needed to keep up with a busy gigabit Ethernet segment, in-line devices require lightning-speed hardware to operate. This pushes the typical cost up to a base price of at least $25,000. And in the event of a real disaster, one affecting the functionality of the encryption appliance itself, a new unit must be procured before any file or system restoration can occur. This is because the encryption appliance provides the only means of decrypting the data that is now stored on the company's servers or backup media.

Backup Media Encryption

The most commonly used type of encryption takes place on the backup media: either on the server driving the tape backup device (for example, the media server in a Veritas environment), or on the tape drive itself.
When implemented on the tape server, encryption can dramatically reduce the performance of the backup system, since a large portion of the server's CPU resources are diverted to perform the encryption. Using a tape drive that provides its own encryption processing (such as certain IBM LTO units, in which each tape drive has a separate CPU responsible for encryption) can reduce the overall load on the tape server. These drives are expensive, however, and require that all tape units be of the same model or family to achieve full encryption.

Backup Device Encryption

The key difference between backup device encryption and backup media encryption is where the encryption is performed. Encryption at the backup device level provides much stronger overall data security. This is true because the data can be encrypted once (at the device), remaining encrypted regardless of its location at any future time. It remains fully encrypted on the online backup system; it's also encrypted when transferred to an archive disk or tape, or otherwise sent offsite (for example, electronically vaulted to a Unitrends Data Protection Vault in another city).

If data is encrypted as it arrives at the device, then the data stored on the backup device for local rapid recovery is also protected from inside attacks. Although this does not secure the original data (still presumably residing on the company's servers), this approach avoids the performance degradation associated with file system encryption, and also removes the complexity of applying encryption tools across multiple operating systems.

This is the approach that Unitrends offers in its InCrypt product. It offers the best combination of strength, ease of use, and cost efficiency for small and medium-sized businesses.
Planning a Successful Implementation

There are six keys to implementing an encryption capability within your overall data protection and disaster recovery strategy. These represent the true critical success factors for most SMBs. Get these six right, and you'll have a very high probability of success.

1. Maintain universal data recovery

Though it seems obvious, this first rule is not automatically satisfied by some other encryption solutions. Simply put: wherever the encrypted data resides (local backup device, remote data center, offline media, or archive media), you must be able to reliably reverse the process and produce un-encrypted data. This can be proven by the testing protocol discussed below.

2. Select a single approach for all your sensitive data

Encryption is too important, and too complex, to implement in multiple methods. Some systems only work with certain operating systems; some require dedicated hardware; some work only for local machines. Be sure to pick an approach that allows you to implement encryption once, and protect all your sensitive data through a single, integrated capability.

3. Minimize resource impact

Encryption can come at a price. Be sure yours is acceptably small. For example:

- Device throughput: be sure the CPU load from the encryption process is sufficiently lightweight to avoid a material decay in the rate at which your systems process their normal work.
- Network bandwidth: Unitrends InCrypt saves network bandwidth in two ways: by compressing data before transmission, and by sending only changed blocks of data.
- Disk space usage: the same compression algorithms and changes-only vault synchronization help minimize disk usage at a time when data volumes are already growing almost 100% per year.
- Impact on IT staff: a simple, powerful, and intuitive user interface like Unitrends Central Management Console allows your IT staff to implement encryption quickly, and keep your data secure without diverting excessive time from their main operational tasks.

4. Prevent unauthorized access to data

Data should be encrypted so that a clear text copy may be reproduced only after proper authentication has been provided. And all possible scenarios, including the potential theft of the backup device containing the encrypted data, must be contemplated and planned for.

5. Have a key management strategy

You should choose a solution with powerful key management capabilities, making it easy to change keys frequently, recover old files for which the original keys may have been lost, and otherwise strike a balance between safety and accessibility.

6. Test in advance

Like testing your ability to actually recover information from your backup systems, testing the process of reversing your encryption system is critical. You need to prove that your solution can both encrypt (and store encrypted data in all the locations under #1 above), and also successfully create clear text from any of those encrypted sources. Only then can you truly sleep well, confident that your firm won't be the next TJX story to appear in the press.
Unitrends InCrypt - Tailored for Success in SMBs

Without going into great detail, we designed Unitrends InCrypt technology to satisfy each of these six keys, and to outperform other commercially-available encryption technologies in small and medium-sized businesses. Here's a quick overview of our approach, and the key benefits.

The original data is typically transmitted from the customer's computers ("clients") to the Unitrends DPU in clear text, and uncompressed. If these clients are connected to their DPU through an encrypted tunnel such as IPsec or VPN, their data is automatically encrypted in flight, without any involvement or configuration of the DPU software. Unitrends customers generally prefer that the security parameters of their LANs and client systems be defined and controlled by the customer, not by our devices.

The Data Protection Unit appliance both compresses and encrypts your data, all in one pass. Compressing data before encryption results in less data to encrypt, and also obscures repeating patterns in the data. We do this through a special hardware co-processor, using a block-based encryption algorithm, to avoid impacting overall device performance.

"As all businesses know, even in the most secure environments, backup data can be lost or stolen. That's why we believe it is smart to add an extra layer of security by encrypting sensitive data," said Richard J. Reiffer, Trivalent Group CTO/Solution Delivery Manager. "Unitrends continues to deliver innovative, market-leading data protection solutions. We are excited to add its turnkey encryption capabilities to our customers' existing Unitrends Data Protection and Rapid Recovery systems, providing them with the utmost security and protection."

This encryption is performed before the data is ever written to disk in the DPU, ensuring that all downstream instances of the data (for example, in flight to a remote Data Protection Vault, on that vault, or on a removable archive disk) are also fully encrypted.
If the customer uses a tape drive attached to the DPU for archiving, the data will be automatically encrypted before being written to the tape.

For key management, Unitrends has developed a unique design that both offers unmatched security and protects the user to the greatest extent possible from inadvertent key loss. We've designed a master key file, holding a history of encryption keys that were used at various points in time to encrypt the user's data. This file has its own master key, which is used only to lock and unlock the master key file, not to encrypt or decrypt user data. Upon creation of the master key file, the user is prompted to store it on a removable medium such as CD-ROM, flash disk, or any other media used for backup purposes. Unitrends strongly encourages users to store their master keys on a separate form of media.

Using this scheme, a user with the most current master key can always decrypt old data, using the history of prior keys kept in the master key file. This provides important protection against loss of prior encryption keys, a real risk in a world where IT employees move on to other positions or other companies.

Finally, we offer additional layers of protection, such as requiring the master key to be entered when the DPU is powered up. This ensures that, in the event of a DPU theft, the encrypted data remains inaccessible to a thief without the master key.
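The key-file scheme described above, as an added Ruby example that is not Unitrends' code: a master key locks only the key file, each backup records which data key encrypted it, and old backups still decrypt after a key change. The AES-256-GCM mode, the blob layout and the names `KeyFile`, `seal` and `unseal` are assumptions made for illustration.

```ruby
require 'openssl'

NONCE_LEN = 12 # GCM nonce length
TAG_LEN   = 16 # GCM authentication tag length
KEY_LEN   = 32 # AES-256 key length

# Encrypt with AES-256-GCM; output is nonce || tag || ciphertext.
# aad is authenticated but not encrypted (used here to label what the blob is).
def seal(key, plain, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = aad
  ct = c.update(plain) + c.final
  nonce + c.auth_tag + ct
end

# Decrypt; raises OpenSSL::Cipher::CipherError on a wrong key, wrong label or modified blob.
def unseal(key, blob, aad)
  raise ArgumentError, 'truncated blob' if blob.bytesize <= NONCE_LEN + TAG_LEN
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob.byteslice(0, NONCE_LEN)
  d.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  d.auth_data = aad
  d.update(blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)) + d.final
end

# History of data keys; the array index is the key ID (hypothetical layout).
class KeyFile
  def initialize
    @keys = []
  end

  # Key change: add a fresh data key; earlier keys stay in the history.
  def rotate
    @keys << OpenSSL::Random.random_bytes(KEY_LEN)
    self
  end

  # Encrypt user data with the newest data key. The master key is never used here.
  def encrypt(data)
    raise 'no data key yet; call rotate first' if @keys.empty?
    id = @keys.size - 1
    { key_id: id, blob: seal(@keys[id], data, "backup:#{id}") }
  end

  # Lock the whole history under the master key, for storage on separate media.
  def lock(master)
    raise 'no data key yet; call rotate first' if @keys.empty?
    seal(master, @keys.join, 'keyfile')
  end

  # Unlock the key file with the master key, then use the key the backup names.
  def self.restore(master, locked, backup)
    id = backup[:key_id]
    keys = unseal(master, locked, 'keyfile')
    raise ArgumentError, 'key not in history' unless id >= 0 && (id + 1) * KEY_LEN <= keys.bytesize
    unseal(keys.byteslice(id * KEY_LEN, KEY_LEN), backup[:blob], "backup:#{id}")
  end
end

if __FILE__ == $PROGRAM_NAME
  master = OpenSSL::Random.random_bytes(KEY_LEN) # constructed demo master key
  kf = KeyFile.new.rotate
  old = kf.encrypt('constructed sample: 2007 payroll')
  locked = kf.rotate.lock(master) # key change, then re-lock the grown history
  puts KeyFile.restore(master, locked, old)
end
```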
The key benefits of Unitrends' approach to data backup and encryption include:

- Our DPU appliances offer integrated encryption, avoiding the need for additional hardware purchases.
- Encryption is performed automatically; no unencrypted data ever exists on the DPU.
- Unitrends uses standards-based AES 256-bit encryption, supported by the Federal government and the National Security Agency.
- Encryption is performed in co-processor hardware, minimizing the impact on CPU performance.
- Data is fully encrypted on all downstream media: offsite vaults, removable archives, etc.
- We minimize network bandwidth requirements through compression and block-level synchronization.
- InCrypt includes a sophisticated key management capability, protecting the data while protecting the user against inadvertent loss of historical keys.
- The entire integrated system is simple to install and simple to use.

Every day, we see more media stories of data breaches. A visit to indicates that data security breaches occur nearly every day in the U.S. Historically, the cost and difficulty associated with implementing encryption to augment a firm's data security was simply too daunting, especially for small and medium-sized enterprises. But now there's a solution that brings enterprise-class encryption technology to businesses of all sizes. Ask your Unitrends Regional Sales Manager about InCrypt, an affordable, efficient and highly secure encryption method, fully integrated into our family of Data Protection Units and Data Protection Vaults.

Visit for further product releases and enhancements. We welcome your suggestions. Please us anytime at