Backup tape encryption grows up


Brien M. Posey, Contributor
10.18.2005

For years, backup tape encryption technology has gotten a bad rap. Many IT pros think the process of encrypting a backup tape is slow, unreliable and ineffective.

But backup tape encryption has come a long way of late. You could even say it's gone from being a nuisance to a necessity.

Why is it important to encrypt your backups? The reason lies in the nature of a backup tape. A backup tape is a mirror of your server's contents, and nothing stands in the way of someone stealing a backup tape and restoring it to their own server. Sure, most companies password-protect their backup tapes, but passwords can be cracked. Besides, if a hacker has physical possession of one of your backup tapes, he's not under any time constraints.

So while it's critical to keep your tapes from falling into the wrong hands, physical security will only get you so far. Since most backups run late at night, there is little to stop a trusted employee from sneaking into the office and stealing the tape as soon as the backup completes. If you store backup tapes in an offsite facility, there's always the chance that a tape could be lost or stolen in transit.

Encryption advances
Encrypted tape backups got a reputation for being insecure because 56-bit Data Encryption Standard (DES) was originally used to encrypt tapes. In 1998, it was proven that DES could be cracked through brute force. Today, however, companies can use more secure encryption algorithms, such as 128-bit 3DES (triple DES) or 256-bit AES (Advanced Encryption Standard).

The only problem from the past that still plagues encrypted backups is that they can take longer to complete than a comparable non-encrypted backup. The reason is that encryption is a mathematical process, one that is CPU-intensive. The decrease in performance applies mostly to software-based encryption, but recent advances in data compression have helped to compensate for the slow throughput.

If you're worried about the amount of time it takes to complete a backup, compression should be done prior to encrypting the data. Compression decreases the amount of data that must be written to backup tape by removing redundancy from the data. Since compressed data can be encrypted just as easily as uncompressed data, it makes sense to compress the data first. This way you have fewer bytes to encrypt.

The problem is that most of the time, compression is handled by the tape drive. If you're planning to encrypt the data through software, make sure your backup software can handle compression and encryption at the software level.
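The ordering argument above, as an added example that is not part of the original tip: it measures how many bytes pass through the cipher and how many reach the tape when data is compressed before encryption versus encrypted first and compressed afterwards (as a tape drive would). The cipher is a stand-in keystream built from SHA-256, not AES or 3DES, and the sample data, key and function names are constructed for illustration.

```python
import hashlib
import zlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), NOT AES or 3DES.
    It models the one property that matters here: ciphertext looks random.
    XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)

def backup(data: bytes, key: bytes) -> bytes:
    """Software compression first, then software encryption."""
    return keystream_xor(key, zlib.compress(data, 6))

def restore(blob: bytes, key: bytes) -> bytes:
    """Reverse of backup(): decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, blob))

def compare_orderings(data: bytes, key: bytes) -> dict:
    """Bytes fed to the cipher and bytes written to tape for each ordering."""
    compressed = zlib.compress(data, 6)
    # Encrypt in software, then let the drive compress the ciphertext.
    drive_output = zlib.compress(keystream_xor(key, data), 6)
    return {
        "original": len(data),
        "compress_then_encrypt": {"cipher_input_bytes": len(compressed),
                                  "tape_bytes": len(backup(data, key))},
        "encrypt_then_compress": {"cipher_input_bytes": len(data),
                                  "tape_bytes": len(drive_output)},
    }

def make_sample() -> bytes:
    """Constructed sample: repetitive, log-like text that compresses well."""
    return "".join(
        "2005-10-18 02:%02d:00 job %d wrote report%d.doc OK\n" % (i % 60, i % 7, i % 50)
        for i in range(5000)
    ).encode()

if __name__ == "__main__":
    result = compare_orderings(make_sample(), b"constructed-demo-key")
    for name, value in result.items():
        print(name, value)
```

When encryption runs first, the drive's compressor sees random-looking ciphertext and recovers nothing, so the tape holds at least as many bytes as the original and the CPU has encrypted every one of them.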

Speed as a factor

It's hard to quantify the differences in speed between unencrypted backup, software-encrypted backup and hardware-encrypted backup because backup times vary so much. The timing depends on the type of data you're backing up, the speed of the underlying infrastructure (such as disks, tapes, network links and processors), the encryption algorithms being used and even variances among brands of backup software and encryption hardware.

Although I could not find any meaningful benchmark data, my own experience has been that encrypted backup that uses software-based encryption can take up to 30% longer to complete than a comparable unencrypted backup. There can be huge variances in this number, depending on the efficiency of the underlying hardware. Hardware-based encryption appliances allow backups to run almost as fast as a comparable unencrypted backup because they offload the encryption process to a dedicated CPU.

For many administrators, software-based encryption is still the encryption method of choice because most decent backup software comes with an encryption function built into the software. A common practice for getting around the speed issue is to encrypt only the sensitive data and leave non-sensitive data unencrypted. But I don't agree with this technique; I've seen too many situations in which seemingly harmless data was used for malicious purposes.

Hardware-based tape encryption dramatically improves the speed of the encryption process. Sustained encryption rates of 52 MB per second are not uncommon. These appliances tend to be rather pricey -- ranging from about $1,000 to well over $10,000.

Whether you use a hardware or software tape encryption product, backup encryption depends on keys, and mishandling them can carry serious consequences. If a key is lost, any data encrypted with that key is unreadable. If a key is compromised, any data encrypted with the key is at risk of also being compromised. My advice: Before you adopt tape encryption, you should perfect your organization's key management strategy.

Bottom line: Whether or not to use encryption and which encryption method you want to use is not a decision you should take lightly.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. You can visit Brien's personal Web site at www.brienposey.com.
