Tip

Encryption of backup: Strategies for effectively securing your data

In the past, we have seen many cases of tape-based data backups being lost while being shipped to the disaster recovery site, leading to heavy penalties on the enterprises. Enterprises are therefore looking for encryption of backup data as a precautionary measure to avert any loss due to information leakage. Besides, they need to comply with statutory requirements. Here are some aspects that you should consider before going in for the encryption of your backup data.


  • There are two options for encryption of backup: host-based and appliance-based.

  • In host-based encryption of backup data, encryption takes place on the host itself. For this type of encryption, most enterprises won't need to buy an additional solution because most backup software solutions support encryption (including EMC NetWorker, EMC Avamar, Symantec NetBackup, IBM TSM, and CommVault Simpana).
  • You can opt for encryption on the backup client side. In this option, you encrypt data on the backup client, and send the encrypted data on the network and then to the backup device.
  • The major disadvantage of encrypting backups is that it will increase the backup window, since encryption adds overhead that reduces backup throughput. It can also lead to a decrease in data compression ratios.
  • Many databases such as Oracle also support encryption specifically for backups, but it slows database performance in cases where the I/O rate is considerably high. For this reason, you cannot opt for such encryption of backup in cases where you cannot afford to affect the database performance.
  • Remember to choose a strong passcode when opting for this type of backup encryption, since even the strongest encryption method can be cracked if your passcodes are vulnerable.
  • A passcode should consist of a random series of mixed uppercase and lowercase letters, characters and punctuation marks. The longer the passcode, the more secure it is. A short passcode can be cracked. Also, avoid using common words as passcodes.
  • In appliance-based encryption, the encryption of backup is handled by an appliance (which sits in the storage network). In other words, it's directly in the data path, and encrypts data at wire speed—without the clients and backup server being aware of this appliance. For example, NetApp DataFort is considered an industry-trusted appliance for such encryption of backup data.
  • This type of encryption of backup doesn't cause any overhead, since the encryption takes place at wire speed. These appliances also have robust key management features. Enterprises can distribute the keys to various trusted employees in the form of smart cards, and all the smart cards will be needed for key regeneration. In addition to encrypting backup data, these appliances also give you the advantage of writing encrypted data to the SAN.

The hard part is that these appliance-based encryption solutions are much costlier than the backup software solution which a company may have already invested in.
To wrap up, both types of backup encryption have their pros and cons, so you need to choose which type suits you best: encryption applied by the backup software or by a hardware appliance.
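The drop in compression ratios noted above for host-side encryption can be measured directly. The following is an added example, not part of the original tip or of any vendor's product. It goes one step beyond the text by also showing the compress-before-encrypt ordering. The sample data, the passcode and the SHAKE-256 XOR cipher are assumptions made so that it runs on the Python standard library alone.

```python
import hashlib
import os
import zlib

# Constructed sample: repetitive log text standing in for a backup stream.
SAMPLE = b"".join(
    b"2010-06-%02d host=db01 job=nightly status=OK bytes=%d\n" % (d % 28 + 1, 4096 * d)
    for d in range(2000)
)


def derive_key(passcode: str, salt: bytes) -> bytes:
    """Stretch the backup passcode into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 200_000)


def xor_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHAKE-256 keystream."""
    # No integrity protection; used only to produce random-looking ciphertext.
    # The same call encrypts and decrypts.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def backup_sizes(data: bytes, passcode: str) -> dict:
    """Return the stored size for each ordering of compression and encryption."""
    key = derive_key(passcode, os.urandom(16))  # salt is kept with the backup
    n1, n2 = os.urandom(16), os.urandom(16)     # one fresh nonce per stream

    # Client encrypts first; the backup device then tries to compress ciphertext.
    encrypt_then_compress = zlib.compress(xor_cipher(key, n1, data), 6)
    # Client compresses first, then encrypts the already-small stream.
    compress_then_encrypt = xor_cipher(key, n2, zlib.compress(data, 6))

    # Restore path: decrypt, then decompress, and confirm the data round-trips.
    if zlib.decompress(xor_cipher(key, n2, compress_then_encrypt)) != data:
        raise ValueError("restore check failed")
    return {
        "plain": len(data),
        "encrypt_then_compress": len(encrypt_then_compress),
        "compress_then_encrypt": len(compress_then_encrypt),
    }


if __name__ == "__main__":
    for name, size in backup_sizes(SAMPLE, "constructed-Example-Passc0de!").items():
        print(f"{name:>22}: {size} bytes")
```

Ciphertext looks random, so a device that compresses after the client has encrypted gains nothing, while compressing on the client before encrypting keeps the ratio.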

Anuj Sharma

About the author: Anuj Sharma is an EMC Certified and NetApp accredited professional. Sharma has experience in handling implementation projects related to SAN, NAS and BURA. He also has to his credit, several research papers published globally on SAN and BURA technologies.


This was first published in June 2010
