In the past, we have seen many cases of tape-based data backups being lost while being shipped to the disaster recovery site, leading to heavy penalties on the enterprises. Enterprises are therefore looking to encrypt their backup data.
- There are two types of options for encryption of backup. One is host-based and the other is appliance-based.
- In host-based encryption of backup data, encryption takes place on the host itself. For this type of encryption, most enterprises won't need to buy an additional solution because most backup software solutions support encryption (including EMC NetWorker, EMC Avamar, Symantec NetBackup, IBM TSM, and Commvault Simpana).
- You can opt for encryption on the backup client side. In this option, you encrypt data on the backup client, and send the encrypted data over the network and then to the backup device.
- If you cannot afford host processing cycles for the encryption of backup data, you can have the backup server encrypt the data and then send the encrypted data to the backup device.
- The major disadvantage of encrypting backups is that it will increase the backup window, since encryption adds overhead that reduces backup throughput. It can also lead to a decrease in data compression ratios.
- Many databases such as Oracle also support encryption specifically for backups, but they slow the databases' performance (in cases where the IO rate is considerably high). For this reason, you cannot opt for such encryption of backup in cases where you cannot afford to affect the database performance.
- Remember to choose a strong passcode while opting for this type of backup encryption, since even the strongest encryption method can be cracked if your passcodes are vulnerable.
- A passcode should consist of a random series of mixed uppercase and lowercase letters, characters and punctuation marks. The longer the passcode, the more secure it is. A short passcode can be cracked. Also, avoid using common words as passcodes.
- In appliance-based encryption, the encryption of backup is handled by an appliance (which sits in the storage network). In other words, it's directly in the data path, and encrypts data at wire speed—without the clients and backup server being aware of this appliance. For example, NetApp DataFort is considered an industry-trusted appliance for such encryption of backup data.
- This type of backup encryption doesn't cause any overhead, since the encryption takes place at wire speed. These appliances also have robust key management features. Enterprises can distribute these keys to various trusted employees in the form of smart cards, and all the smart cards will be needed for key regeneration. In addition to encrypting backup data, these appliances also give you the advantage of writing encrypted data to the SAN.
The hard part is that these appliance-based encryption solutions are much costlier than the backup software solution which a company may have already invested in.
To wrap up, both types of backup encryption have their pros and cons, so you need to choose which type of encryption suits you best—backup software applied or hardware appliance applied.
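The passcode guidance given above for host-based encryption can be turned into a small check. The following Python sketch is an added example, not code from this article or from any backup product: it generates a random passcode from the character classes the article names, estimates its entropy, flags the weaknesses the article warns about, and stretches the passcode into a key. All function names, the 100-bit threshold, the PBKDF2 iteration count and the short word list are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

# Character classes from the article's advice, plus digits.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable symbols

# Constructed sample; a real check would load a large common-word list.
COMMON_WORDS = {"password", "backup", "admin", "welcome", "letmein"}


def generate_passcode(length=24):
    """Draw a passcode from the OS CSPRNG, retrying until every class appears."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random passcode: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def audit_passcode(passcode, min_bits=100):
    """Return the reasons a passcode fails the guidance (empty list = OK)."""
    problems = []
    if any(word in passcode.lower() for word in COMMON_WORDS):
        problems.append("contains a common word")
    missing = [cls for cls in CLASSES if not any(ch in cls for ch in passcode)]
    if missing:
        problems.append("missing %d character class(es)" % len(missing))
    # Upper bound only: it assumes every character was chosen at random.
    if entropy_bits(len(passcode)) < min_bits:
        problems.append("too short for %d bits" % min_bits)
    return problems


def derive_key(passcode, salt, iterations=600_000):
    """Stretch the passcode into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, dklen=32)


if __name__ == "__main__":
    pc = generate_passcode()
    print(pc, round(entropy_bits(len(pc))), audit_passcode(pc))
    print(audit_passcode("Backup2010!"))  # constructed weak passcode
```

Each added random character contributes about 6.5 bits, which is why length matters more than any single character class.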
About the author: Anuj Sharma is an EMC Certified and NetApp accredited professional. Sharma has experience in handling implementation projects related to SAN, NAS and BURA. He also has to his credit several research papers published globally on SAN and BURA technologies.
This was first published in June 2010