Solutions for Encrypting Data on Tape: Considerations and Best Practices

NOTICE

This white paper may contain proprietary information protected by copyright. Information in this white paper is subject to change without notice and does not represent a commitment on the part of Quantum. Although using sources deemed to be reliable, Quantum assumes no liability for any inaccuracies that may be contained in this white paper. Quantum makes no commitment to update or keep current the information in this white paper, and reserves the right to make changes to or discontinue this white paper and/or products without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any person other than the purchaser's personal use, without the express written permission of Quantum.
Introduction

With companies storing data for longer periods to meet compliance regulations and business best practices, the inherent risk of a data breach is growing significantly. Data security breaches are becoming increasingly expensive for organizations, and a variety of industry analysts agree that the costs of such incidents will continue to rise for the foreseeable future. This cost increase correlates directly with expanding legislation that requires extensive notifications, and imposes fines, should a data breach occur. In fact, over 44 US states and many nations have now adopted strict legislation around notification of a data breach.

While the legal, administrative and technology expenses resulting from lost data are significant, a new study claims the most significant cost may well be found in customer churn rates. According to a study by The Ponemon Institute, data breaches now cost organizations an average of $200+ per compromised customer record, up from $182 in 2006. Analysts say the rise in customer churn is easily explained: increasingly tech-savvy consumers are quick to abandon organizations that fail to protect personal information, and they aren't likely to come back, either. Gartner analysts, meanwhile, estimate that the cost of mitigating a data breach is likely to be vastly greater than the cost of preventing the breach beforehand, perhaps by a 70-to-1 margin [1].

There are some questions you should ask yourself to see if you are at risk:
» Are you storing proprietary information for your business?
» Are you storing customer or employee personal information such as social security numbers, birthdates, credit card information, financial records, health records or addresses?
» Do you have offsite data retention requirements for disaster recovery?

If you answered yes to any of the above questions you are at risk, but the good news is that encryption can dramatically reduce, if not eliminate, the risk of a data security breach. Furthermore, many organizations already have the tools in place to encrypt sensitive data. Nonetheless, organizations should develop sound encryption key management processes to minimize administrative overhead and maximize the value of data encryption. But what is the best solution for encrypting data on tape, and for addressing the complexities associated with encryption key management? This paper outlines some of the important considerations and best practices for encrypting data on tape, and is intended to help IT administrators make the right decision for their environment and their company's data security needs.

[1] Predicts 2011: Infrastructure Protection Is Becoming More Complex, More Difficult and More Business-Critical Than Ever, Gartner, 16 November 2010
Why Encrypt Backup Tapes?

When it comes to data management, today's enterprises must balance a number of divergent requirements that often compete for priority. Government and industry regulations, as well as sound business practices, mandate data security and privacy, while day-to-day operations demand data protection and fast recovery. Many organizations routinely store backup tapes off site to meet operational requirements and business continuity objectives. However, backup tapes can be lost during transport, and remote storage facilities may lack adequate security. Backup and archival solutions are designed only to preserve data; they don't protect against unauthorized access. Only data encryption can effectively safeguard sensitive data, by rendering it unreadable without access to the encryption key. That's why experts recommend encryption as part of the routine backup process.

Selecting the Right Encryption Device

When choosing the right solution for encrypting data on tape, there are really two choices to make:
1. Decide which device will perform the actual data encryption.
2. Depending on the encryption device used, choose among the options for how best to manage the encryption keys.

When considering which device to use to perform encryption, remember that data encryption is a processor-intensive algorithm that scrambles the data and makes it look random. The most common encryption algorithm is the Advanced Encryption Standard, or AES, and AES comes in different strengths, such as AES-128 or AES-256. The 128 or 256 refers to the length in bits of the encryption key used by the algorithm; the longer the key, the harder it is to crack the code. So AES-256 is more secure than AES-128.

With this in mind, here is a summary of the devices available in the market that can encrypt data on tape:

» Use a software application to encrypt data on the host or client: Several backup software packages offer the option to encrypt data on the server or client side before sending data to the storage target. In the context of tape, this would be a backup application encrypting data on the media server before sending the data to tape. This option could significantly impact backup performance, since the encryption uses server processing power before any data is sent over the network. Also, some applications do not offer AES-256 encryption.

» Use a dedicated encryption appliance: These appliances are typically a server that sits on the SAN and encrypts data in band on the way to the storage device. They are typically expensive, but may be the only option for customers looking for the absolute highest level of security, such as FIPS Level 3 or Level 4. In the context of tape backup, since the appliance encrypts data before it reaches the drive, and since encryption algorithms increase the randomness of data, the encrypted data will be far less compressible or dedupe-able.

» Use an encryption-capable switch: There are now switches on the market that can encrypt data as it passes through the switch on the way to the storage device. Like an encryption appliance, the switch encrypts data before it reaches the drive, so the data will be far less compressible or dedupe-able.

» Use an LTO-4 or LTO-5 tape drive as the encryption device: With the introduction of LTO-4 technology in 2007, the LTO consortium built encryption capabilities into the tape drives. The tape drives use an AES-256 algorithm, so the data stored on tape is extremely secure. In addition, the tape drives perform the encryption algorithm using an ASIC chip inside the drive, which means the tape drives can encrypt data in parallel with ingesting data, so there is no impact to backup performance. Encryption in the tape drive occurs after data compression, so there is no impact to data compression. Lastly, since LTO encryption is governed by the LTO consortium, interchange between drive vendors is assured. This means a tape encrypted in a Quantum LTO-4 or LTO-5 tape drive can be decrypted in an HP LTO-4 or LTO-5 drive, as long as the drive has access to the right encryption key. (More on that below.)

The table below summarizes the different options and considerations for encrypting data on tape.

Encryption device options and considerations

Software-based encryption (encryption happens on the media server)
  » Could slow down backup performance.
  » Might require a more powerful server.
  » Drive-based compression is not leveraged, which means more impact on server performance.
  » May not offer AES-256 encryption.

Encryption appliance (encryption occurs on an appliance located between the media server and the storage device)
  » Expensive, but might be the only option if you need something higher than FIPS Level 2.
  » Encryption occurs before compression, so data compression will be impacted.

Encryption-capable switch (encryption happens on a switch located between the media server and the storage device)
  » Drive-based compression is not leveraged.

LTO-4 or LTO-5 tape drive (encryption happens in the tape drive using an ASIC)
  » Uses AES-256 encryption, so data is extremely secure.
  » No impact to backup performance.
  » Encryption occurs after compression, so no impact to data compression.
  » LTO open standard approach means there is vendor interoperability for investment protection, flexibility and choice.

Because there are so many advantages to using the LTO-4 or LTO-5 tape drive to perform the encryption, many companies are choosing to adopt this approach. The rest of this paper deals with selecting the right encryption key management solution to work with LTO-4 and LTO-5 tape drives.

Selecting the Right Encryption Key Management Solution

Assuming that LTO-4 or LTO-5 tape drives are being used as the encryption device, the next question is which key management solution to use. Key management refers to the process of creating encryption keys, communicating encryption keys to an encryption device, keeping track of those keys, and even deleting keys when they are no longer needed.
An encryption key is just a very long string of bits; in the case of AES-256, the encryption key is 256 bits long. To help visualize this, Figure 1 below shows an example encryption key.

FIGURE 1: Example Encryption Key (base64-encoded blob not reproduced)

An encryption device like a tape drive uses the encryption key as the root for encrypting a particular set of data. The key is the root of the encryption algorithm, and the same key is needed to unlock, or decrypt, that data. There are two general options for managing encryption keys for LTO-4 and LTO-5 tape drives:

» Use the backup application: In this architecture, the backup application generates the encryption keys, sends the keys directly to the tape drive upon request, and stores the keys on the media or master server. The latest versions of the following backup applications offer key management for LTO-4 and LTO-5 tape drives: Symantec NetBackup, Symantec BackupExec, CommVault Simpana, CA ARCserve, HP Data Protector, and IBM Tivoli Storage Manager.

» Use a centralized key manager: In this option, a server* (or key management software on a server) is deployed to provide key management for encryption devices in the datacenter. This key manager generates the encryption keys and sends them to the devices (in the case of tape backup, the tape library) upon request, and the keys are stored on the key manager server.

Quantum's Scalar series of tape automation products supports either option for managing keys. The Scalar libraries are compatible with all of the backup applications listed above, and Quantum's centralized key management solution is the Scalar Key Manager, which is described in more detail below. Figures 2 and 3 explain these two options in more detail.

FIGURE 2: Using a Backup Application for Key Management (media server, SAN, tape library with 3x Fibre Channel drives, encrypted tapes). The key database, or keystore, resides on the media or master server. Keys are sent over Fibre Channel (or SAS) using SPIN/SPOUT.

To encrypt data on tape:
1. The user configures the backup job to be encrypted.
2. The backup application prompts the user to create a password that the backup application will use for user authentication for that backup job.
3. The backup application generates the encryption key and the associated encryption key name, and sends the key itself over the data path (either Fibre Channel or SAS) ahead of the backup file. (The SPIN/SPOUT protocol is used, which is a T10 protocol that all LTO-4 and LTO-5 tape drives support.)
4. The tape drive uses the encryption key to encrypt the data as it writes to tape. (Encryption occurs after compression, and occurs in drive hardware, so there is no performance impact.)
5. The tape is now encrypted, and the encryption key name is stored on the tape. (Important: only the encryption key name is stored on the tape. The encryption key itself is stored on the media or master server.)

To restore data from an encrypted tape:
1. The user kicks off a restore from the backup application.
2. The encrypted tape with the key name is inserted into a tape drive.
3. The drive reads the key name from tape and requests the encryption key that is associated with that key name.
4. The backup application may prompt the user to enter the authentication password associated with that encryption key, or this may happen automatically.
5. The application sends the encryption key to the drive.
6. The drive uses the encryption key to decrypt the data and read it back to the application for restore.

FIGURE 3: Using a Centralized Key Manager (media server, SAN, tape library with 3x Fibre Channel drives, clustered key server pair on the LAN/WAN, encrypted tapes). The keystore is on the key servers. Keys are passed over the LAN using proprietary protocols.

To encrypt data on tape:
1. The user configures the tape library and tape drives for centralized, or library-managed, key management.
2. The user configures the library with the network addresses of the key servers.
3. When the backup application sends a backup job to an encryption-enabled tape drive, the tape drive requests a key from the library.
4. The library requests a key from the key server; this request is sent over the LAN.
5. The key server uses a secure communications protocol to send the key to the tape library, which sends it to the tape drive.
6. The tape drive uses the encryption key to encrypt the data as it writes to tape. (Encryption occurs after compression, and occurs in drive hardware, so there is no performance impact.)
7. The tape is now encrypted, and the encryption key name is stored on the tape. (Important: only the encryption key name is stored on the tape. The encryption key itself is stored only on the key servers, and is encrypted while stored at rest.)

To restore data from an encrypted tape:
1. The user kicks off a restore from the backup application.
2. The encrypted tape with the key name is inserted into a tape drive.
3. The drive requests the encryption key associated with that key name from the library, which requests it from the key server.
4. The key server authenticates the library, encrypts the key, then sends the encryption key to the library, which sends it to the drive.
5. The drive uses the encryption key to decrypt the data and read it back to the application for restore.

Figures 2 and 3 illustrate some of the differences between using a centralized key manager and using the backup application to manage keys. These differences point to some important considerations when choosing between the two options, summarized in the table below.

* Key management servers, or key servers, are usually deployed as a clustered, synchronized pair of servers for redundancy.
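The following Python model is an added example, not code from this paper or from Quantum; it works through the drive-side flow of Figures 2 and 3 (compress, then encrypt; write only the key name to tape; fetch the key by name at restore time) and the compression-ordering point from the device comparison table, and it goes one step further to show that a tape written this way is unreadable once the keystore is gone but recoverable from a keystore backup. Assumptions: the standard library has no AES, so an HMAC-SHA256 counter-mode keystream stands in for the drive's AES-256, and the key-name format, the KeyStore class and the sample records are constructed for the demonstration.

```python
"""Model of drive-based tape encryption as the paper describes it: compress,
then encrypt inside the drive; write only the key NAME to tape; keep the key
itself in a keystore. The cipher is a stand-in (assumption): HMAC-SHA256 in
counter mode replaces AES-256 because the standard library has no AES."""
import hashlib
import hmac
import secrets
import zlib

NONCE_LEN = 16

# Constructed sample backup payload: repetitive records, highly compressible
# like most backup data (placeholder values, not real records).
SAMPLE_BACKUP = b"".join(
    b"customer=%05d;ssn=***-**-****;balance=0000.00\n" % i for i in range(800))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random bytes from HMAC-SHA256(key, nonce || block counter)."""
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the drive's AES-256: fresh nonce, XOR with keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyStore:
    """Keystore (media server in Figure 2, key servers in Figure 3):
    256-bit keys indexed by key name; only the name ever leaves with a tape."""

    def __init__(self, keys=None):
        self._keys = dict(keys or {})

    def new_key(self) -> str:
        name = "KEY-" + secrets.token_hex(8)       # key name: goes on the tape
        self._keys[name] = secrets.token_bytes(32)  # 256-bit key: stays here
        return name

    def lookup(self, name: str) -> bytes:
        return self._keys[name]  # KeyError: key name unknown to this keystore

    def backup(self) -> dict:
        """Appendix 1: the keystore backup is what keeps the tapes recoverable."""
        return dict(self._keys)


def write_tape(keystore: KeyStore, data: bytes) -> dict:
    """Drive write path: compress, then encrypt; the record carries the key name only."""
    name = keystore.new_key()
    blocks = encrypt(keystore.lookup(name), zlib.compress(data))
    return {"key_name": name, "blocks": blocks}


def read_tape(keystore: KeyStore, tape: dict) -> bytes:
    """Restore path: read the key name from tape, fetch the key by name, decrypt."""
    key = keystore.lookup(tape["key_name"])
    return zlib.decompress(decrypt(key, tape["blocks"]))


def encryption_order_sizes(data: bytes) -> tuple:
    """(compress-then-encrypt size, as an LTO drive does it;
    encrypt-then-compress size, as an in-band appliance, switch or host
    encryptor forces on the drive's compression)."""
    key = secrets.token_bytes(32)
    drive_order = len(encrypt(key, zlib.compress(data)))
    inband_order = len(zlib.compress(encrypt(key, data)))
    return drive_order, inband_order
```

Running `encryption_order_sizes(SAMPLE_BACKUP)` shows the drive ordering shrinking the payload several-fold while the in-band ordering leaves it at roughly its original size, which is the compression impact the device table warns about.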
Key management comparison: Scalar Key Manager versus backup application-based key management

Consideration: Level of security
  Scalar Key Manager: Quantum's Scalar Key Manager is FIPS 140-2 Level 1 certified. (FIPS is a U.S. federal government security standard.)
  Backup application-based: Backup applications are generally not FIPS certified.

Consideration: Complexity of managing keys
  Scalar Key Manager: The Scalar Key Manager automatically keeps track of which keys are associated with which encrypted tapes. The user does not have to manually keep track of any encryption keys.
  Backup application-based: Users have two options here. One option is to use one encryption key (and one password) for all of their backup sets, which is simple to manage but not very secure: if that one encryption key is compromised, all data is compromised. The other option is to use multiple unique keys for the multiple backup sets. This option is more secure, but requires manual tracking on the part of the administrator.

Consideration: Scalability, or connectivity across multiple sites
  Scalar Key Manager: As shown in Figure 3, centralized key managers like the Scalar Key Manager sit on the LAN and pass encryption keys over the network, either WAN or LAN. This means that if you have multiple sites or multiple libraries that need encryption keys, a key server residing on the network makes it easy to scale and connect additional devices.
  Backup application-based: As shown in Figure 2, the encryption keys from the backup application sit on either the master or media server, and keys are passed over Fibre Channel. As such, with multiple sites or multiple libraries that need encryption keys, some type of network connectivity back to the media or master server needs to be ensured.

Consideration: Interoperability between tape libraries
  Scalar Key Manager: Today, all centralized key managers use proprietary protocols for passing encryption keys over the network, as shown in Figure 3. Therefore, most centralized key managers today only work with certain tape libraries. The recent introduction of the Key Management Interoperability Protocol, or KMIP, means that tape libraries and centralized key servers now have the ability to support a standard that enables interoperability between vendors.
  Backup application-based: The backup applications are generally interoperable with all major tape library vendors, so it is possible to have tape libraries from multiple vendors all requesting and receiving keys from the backup application.

Quantum's Scalar Key Manager

Quantum offers a centralized key manager for use with our Scalar tape libraries. An encryption solution based on Scalar tape libraries with LTO-4 or LTO-5 tape drives and the Scalar Key Manager offers all of the advantages of drive-based encryption and centralized key management outlined above. The Scalar Key Manager is:

» Simple: Automated key generation and management. Set up, configure, and manage the key servers directly from the library user interface in a few simple steps, as shown in Appendix 2.
» Secure: FIPS 140-2 Level 1 certified, TLS-based authenticated communication, AES 256-bit encryption.
» Scalable: Over 700,000 unique keys per clustered server pair. Scalar Key Manager supports key management for multiple libraries across multiple sites, and supports the entire Scalar portfolio.
» Reliable: Redundant servers, RAID0 HDD, integrated with Scalar iLayer diagnostics.

In addition, the Scalar Key Manager offers flexible deployment options: it can be deployed as a pair of physical appliances, or as a pair of virtual machines for VMware environments.* Figure 4 below shows an example deployment of the Scalar Key Manager.

FIGURE 4: Example Scalar Key Manager deployment (primary and secondary key servers in the datacenter with synchronized key databases, serving remote sites over the LAN/WAN).

* VMware host software must be either ESX 4.x (64-bit) or ESXi 4.x (64-bit).
Conclusion

Encryption of data once it leaves the datacenter is a critical component of a sound data protection strategy. When choosing the best solution for encrypting data on tape, it is important to first decide which device to use for the actual data encryption, and then decide on the right encryption key management strategy. Using LTO-4 or LTO-5 tape drives as the encryption device offers the benefits of an ultra-secure AES-256 algorithm, no backup performance impact since the encryption is performed in drive hardware, and no impact to data compression rates since encryption is performed after data compression. When using LTO-4 or LTO-5 tape drives for encryption, the two options for key management are to use the backup application to manage keys, or to use a centralized key manager such as the Scalar Key Manager. Quantum's Scalar tape libraries support either option. To choose between the two, consider the level of security required (including the number of unique encryption keys that will be needed), and also the potential complexity of keeping track of multiple encryption keys. Finally, Appendix 1 below lists some common best practices when deploying a tape encryption solution, and Appendix 2 shows how easy it is to set up and configure the Scalar Key Manager in just a few easy steps.

Appendix 1: Best Practices to Consider When Deploying Key Management

» BACK UP YOUR KEYSTORE! The importance of this cannot be overstated: if the encryption keys are lost, then the data associated with those keys is lost. Back up your keystore to a location that is not on an encrypted tape (since that wouldn't help you in the event of the keystore being unavailable). Back it up to a thumb drive, a CD, or another location on the network.
» Your key servers (and/or keystore backups) should be installed in separate physical locations if possible. This helps in case of disaster, and is certainly a best practice. If it is not possible to install the key servers at different locations, at a minimum keep the keystore backup stored in a separate location.
» Consider which data types need to be encrypted (perhaps for compliance reasons), and whether some data does not. It may be that not all data needs to be encrypted, in which case it is easy to set up your system to address this, for example with one encrypted partition and one non-encrypted partition.
» Define who needs to have access to the key servers themselves. This is one major advantage of keeping the encryption keys separate from the media server and separate from the library itself: it enables administrators to set access policies for the key servers that are more restricted than the access granted to the tape library, for instance.
» Have a policy for managing access to the key server password.
» Replace a failed key server (or a failed hard drive within a key server) immediately; don't wait.

Appendix 2: The Simple Steps to Set Up and Configure the Scalar Key Manager

The Scalar Key Manager was designed to reduce the complexity of encryption key management. It can be set up and configured directly from the library user interface in just two easy steps.

Step 1: Point your Scalar tape library to the IP addresses of the primary and secondary key servers on the network, as shown below. During this step, the user can also choose whether to enable proactive key server path diagnostics, where the iLayer software periodically verifies connectivity with the key servers.

Step 2: Configure your library partition or partitions for SKM-managed encryption. In this step, you enable a particular partition for encryption. Once this occurs, the SKM key servers pre-generate the first set of encryption keys and synchronize those keys between the primary and secondary servers.

Now you are ready to begin encrypting data! As soon as a backup is directed at any tape drive within that partition, the tape drive will request a key from the key servers, and all tapes created in that partition will be encrypted.

For contact and product information, visit quantum.com or call 800-677-6268.

Preserving the World's Most Important Data. Yours.

© 2011 Quantum Corporation. All rights reserved. Quantum, the Quantum logo and Scalar are registered trademarks of Quantum Corporation and its affiliates in the United States and/or other countries. All other trademarks are the property of their respective owners.

About Quantum

Quantum Corp. (NYSE:QTM) is the leading global specialist in backup, recovery, and archive. From small businesses to multinational enterprises, more than 50,000 customers trust Quantum to solve their data protection, retention and management challenges. Quantum's best-of-breed, open systems solutions provide significant storage efficiencies and cost savings while minimizing risk and protecting prior investments. They include three market-leading, highly scalable platforms: DXi-Series disk-based deduplication and replication systems for fast backup and restore, Scalar tape automation products for disaster recovery and long-term data retention, and StorNext data management software for high-performance file sharing and archiving.

Quantum Corp., 1650 Technology Drive, Suite 800, San Jose, CA 95110, (408) 944-4000, www.quantum.com.

WP00153A-v02 Feb 2011