Securing Data Stored On Tape With Encryption: How To Choose the Right Encryption Key Management Solution

NOTICE

This Technology Brief may contain proprietary information protected by copyright. Information in this Technology Brief is subject to change without notice and does not represent a commitment on the part of Quantum. Although using sources deemed to be reliable, Quantum assumes no liability for any inaccuracies that may be contained in this Technology Brief. Quantum makes no commitment to update or keep current the information in this Technology Brief, and reserves the right to make changes to or discontinue this Technology Brief and/or products without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any person other than the purchaser's personal use, without the express written permission of Quantum.
CONTENTS

Why Encrypt Backup Tapes? 3
The Importance of Encryption Key Management 3
Quantum Encryption Key Manager (Q-EKM) 4
Backup Application Managed Encryption 4
Conclusion 5

Encryption Key Management 2
Data security breaches are becoming increasingly expensive for organizations, and a variety of industry analysts agree that the costs of such incidents will continue to rise for the foreseeable future. While the legal, administrative and technology expenses resulting from lost data are significant, a new study claims the most significant cost may well be found in customer churn rates. According to a study by The Ponemon Institute, data breaches now cost organizations an average of $197 per compromised customer record, up from $182 in 2006. Most of the cost ($128 of the $197) is from lost business and having to acquire new customers. Average total per-incident costs of data breaches in 2007 were $6.3 million, compared to an average per-incident cost of $4.8 million in 2006. The cost of lost business accounts for nearly two-thirds of that total, an average of $4.1 million, which represents a 30 percent increase over the previous year.

Analysts say the rise in customer churn is easily explained. Increasingly tech-savvy consumers are quick to abandon organizations that fail to protect personal information. And they aren't likely to come back, either. Gartner analysts, meanwhile, estimate that the cost of sensitive data breaches will increase 20 percent per year through 2009 as financially motivated targeted attacks become more prevalent and new vulnerabilities continue to be reported.

The good news is that encryption can dramatically reduce, if not eliminate, the risk that lost or stolen data results in a data security breach. Furthermore, many organizations already have the tools in place to encrypt sensitive data. Nonetheless, organizations should develop sound encryption key management processes to minimize administrative overhead and maximize the value of data encryption.

Why Encrypt Backup Tapes?

When it comes to data management, today's enterprises must balance a number of divergent requirements that often compete for priority.
Government and industry regulations, as well as sound business practices, mandate data security and privacy, while day-to-day operations demand data protection and fast recovery. Many organizations routinely store backup tapes off site to meet operational requirements and business continuity objectives. However, backup tapes can easily be lost during transport, and remote storage facilities may lack adequate security. As a result, lost or stolen backup tapes are an all-too-common vector for data security breaches.

Backup and archival solutions are designed only to preserve data; they don't protect against unauthorized access. Only data encryption can effectively safeguard sensitive data by rendering it unreadable without access to the encryption key. That's why experts recommend encryption as part of the routine backup process.

The Importance of Encryption Key Management

All Quantum LTO-4 tape drives encrypt data using the 256-bit AES algorithm recommended by the U.S. government for top secret data. A 256-bit AES key is a random string of 256 bits, which makes recovering it by brute force infeasible. Without the correct encryption key to unlock it, the data is useless.
As a result, encryption key management plays a vital role in any encryption solution. Simply writing down each key and its associated pass code defeats the purpose of encryption. The keys associated with each data set must be stored in a secure manner to ensure data privacy and security.

Users of Quantum LTO-4 tape drives have two options for encryption key management: Quantum Encryption Key Manager (Q-EKM) and the encryption key management functionality built into leading backup applications. Each option offers unique benefits. Choosing the right solution depends upon the storage infrastructure and the volume of data to be protected.

Quantum Encryption Key Manager (Q-EKM)

Q-EKM is a proven, easy-to-use, library-managed encryption solution designed to protect sensitive data throughout the enterprise. The Q-EKM software, which may be implemented on either a Windows or Linux server, generates and distributes encryption keys. It selects a pre-generated key from its key store, encrypts the key for transport and sends it to the LTO-4 drive, which decrypts the key and uses it to encrypt or decrypt the data. The key is not stored on the tape drive; an alias is used to relate each data set to the appropriate encryption key.

The encryption keys generated by Q-EKM are transferred to each tape library out of band, that is, outside of the backup data path, with no impact on backup performance. Q-EKM's out-of-band methodology eliminates same-system restore requirements, and enables the centralized storage, management and protection of encryption keys supporting multiple libraries across the distributed network. Administrators don't have to learn, support and manage multiple encryption solutions.

Q-EKM was designed from the ground up for encryption key management. It is easy to set up, integrates seamlessly into the existing backup environment, and scales easily to meet changing demands.
It can also be implemented in a redundant, high-availability configuration that replicates the key store for maximum protection. Most importantly, Q-EKM's "set and forget" design eliminates the need for administrators to manually track encryption keys and pass codes. This hands-off approach is ideal for organizations that back up large amounts of data, or have multiple, geographically dispersed tape libraries.

Backup Application Managed Encryption

A number of leading backup applications, including CommVault, EMC Insignia, HP Data Protector, Symantec Backup Exec, Tivoli Storage Manager and Yosemite, support data encryption and encryption key management. These solutions generate encryption keys using the AES-256 algorithm and transfer them in band, ahead of the data to be backed up. The software keeps track of the encryption key along with other information about the data set. A password or pass phrase is assigned to each key in order to protect the data set records and prevent access to the encryption keys.

As a result, backup applications require a more hands-on approach to encryption key management than the Q-EKM solution. Administrators must keep a log of the pass codes associated with each key in order to decrypt the data. Furthermore, backup application managed encryption is not centralized. Because the keys are transferred in band, the encryption key management process is tied to a particular media server.
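The two key-handling models described in the Q-EKM and backup-application sections above, as an added example that is not Quantum's or any backup vendor's code: a key store that hands out pre-generated keys by alias, wrapped for the out-of-band trip to the drive; a drive that unwraps the key in memory and lets only the alias and the ciphertext reach the tape; and the in-band alternative, where the wrapping key is derived from the pass code the backup application assigns to each key. AES-256-GCM as both the wrapping and the data cipher, the per-drive transport key, the PBKDF2 parameters, the alias format and the sample data are all assumptions; the brief does not describe Q-EKM's actual wire protocol or the LTO-4 on-tape format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// gcmFor returns an AES-256-GCM instance for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh nonce prepended; aad binds
// the result to the key alias it belongs to.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if key, nonce, tag or aad do not match.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// KeyStore models the Q-EKM key store: alias -> pre-generated 256-bit data key.
type KeyStore map[string][]byte

// Deliver wraps the data key for its out-of-band trip to a drive. transportKey
// is an assumed per-drive key; the brief does not describe the real channel.
func (ks KeyStore) Deliver(alias string, transportKey []byte) ([]byte, error) {
	k, ok := ks[alias]
	if !ok {
		return nil, fmt.Errorf("unknown key alias %q", alias)
	}
	return seal(transportKey, k, []byte(alias))
}

// DriveWrite models the LTO-4 drive on backup: it unwraps the delivered key in
// memory and returns the ciphertext. Only alias and ciphertext reach the tape.
func DriveWrite(transportKey []byte, alias string, wrapped, data []byte) ([]byte, error) {
	dek, err := open(transportKey, wrapped, []byte(alias))
	if err != nil {
		return nil, err
	}
	return seal(dek, data, []byte(alias))
}

// DriveRead is the restore path: the alias read from the tape is used to ask
// for the key again, and a wrong or missing key simply fails to authenticate.
func DriveRead(transportKey []byte, alias string, wrapped, ciphertext []byte) ([]byte, error) {
	dek, err := open(transportKey, wrapped, []byte(alias))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(alias))
}

// KEKFromPassphrase is the backup-application variant: the wrapping key is derived
// from the pass code (PBKDF2-HMAC-SHA256, one 32-byte block), so it is only as strong as that pass code.
func KEKFromPassphrase(passphrase string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(passphrase))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	kek := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range kek {
			kek[j] ^= u[j]
		}
	}
	return kek
}
```

Run through a backup and restore, the two models differ in what a restore depends on. In the Q-EKM model the cartridge is useless without a key server that still holds the alias, which is why the key store replication mentioned above matters as much as the tapes themselves; a drive with a different transport key, or a delivery for a different alias, cannot decrypt it. In the backup-application model the same cartridge is only as safe as the pass code logged against its key, so the pass code log the brief asks administrators to keep is a security record as much as an operational one.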
However, backup application managed encryption can be very effective for organizations that have a single tape library and modest backup demands. The encryption key management process is already built into the infrastructure, so there's no need to purchase, learn and manage a separate encryption product. And pass code tracking can easily be added to existing tape and data set management processes.

Conclusion

Securing data from unauthorized access is a critical issue for businesses in all industries. Regulatory compliance and customer loyalty both depend on keeping sensitive information safe and secure. With tens of millions of customer records compromised each year, many of them on backup tapes, businesses must take steps to improve data confidentiality and integrity. Luckily, the data encryption capabilities built into every Quantum LTO-4 tape drive can help organizations prevent a costly and embarrassing security breach.

The right encryption key management solution can help minimize the impact of encryption processes on IT operations. The encryption key management capabilities built into popular backup applications provide a cost-effective approach for organizations with a single tape library. For customers with multiple tape libraries distributed throughout the organization, Quantum's Q-EKM solution provides a robust, transparent, fully automated approach to enterprise encryption key management.

For contact and product information, visit quantum.com or call 800-677-6268

Backup. Recovery. Archive. It's What We Do.

About Quantum

Quantum Corp. (NYSE:QTM) is the leading global storage company specializing in backup, recovery and archive. Combining focused expertise, customer-driven innovation, and platform independence, Quantum provides a comprehensive range of disk, tape, media and software solutions supported by a world-class sales and service organization.
As a long-standing and trusted partner, the company works closely with a broad network of resellers, OEMs and other suppliers to meet customers' evolving data protection needs.

2008 Quantum Corporation. All rights reserved. Quantum, the Quantum logo, and all other logos are registered trademarks of Quantum Corporation or of their respective owners. Protected by Pending and Issued U.S. and Foreign Patents, including U.S. Patent No. 5.990.810. WP00124 Aug 2008