Encryption is "Free" But Key Management Still Costs; Part 2 of 2


In the first part of this two-part series, I examined tape's evolving role in data protection, the events that are prompting companies to encrypt data stored on tape, and how Quantum is evolving its disk and tape product lines to meet these demands. This second part looks at the impact and overhead of managing the encryption of data stored on tape, and at the steps the industry in general and Quantum specifically are taking to address it.

Quantum's larger strategy of providing solutions that keep data on both disk and tape reflects the approach that most large storage vendors are taking. More users want to use disk as the initial target for backup data to keep backup and restore times to a minimum. However, they want to keep tape in the mix for their archiving, long-term data retention and offsite recovery requirements, which keeps their storage costs low while giving them the flexibility to move data offsite. As companies move data from disk to tape, the onus falls more squarely on them to encrypt that data so it is not compromised, a requirement driven by laws like California's SB 1386.

Companies can choose from a number of places to encrypt data: backup software, an encryption appliance or the tape drive. Quantum's disk and tape products support either of the first two options, and Quantum also includes encryption capabilities on its LTO-4 tape drives, as well as the option to encrypt data as it is replicated between the company's DXi-Series disk systems. Of the three, encrypting backup data on the tape drive seems to be gaining industry momentum as the most logical choice. Backup software encrypts data regardless of whether the backup is stored to disk or tape, and it introduces overhead on the host server. An encryption appliance, alternatively, adds cost to the backup equation. By using LTO-4 tape technology, companies get encryption for "free," since encryption is included with the tape drive and the overhead of encrypting data in the drive is minimal (typically 1 - 2%).

The ease with which companies can implement encryption using an LTO-4 tape drive has one immediate advantage. Quantum's Senior Product Manager, Robert Callaghan, finds that many companies that start to encrypt data using a tape drive can immediately come into compliance with new state statutes and avoid some of the litigation issues that other companies already have to address. "If data on a tape cartridge is encrypted using 256-bit encryption and the tape is lost or misplaced, in most cases the company is off the hook," says Callaghan.

Yet the more pressing question is not which method companies should choose to encrypt data but, "How do companies generate and manage the encryption keys used to encrypt and decrypt the data?" The obstacle here is that there is no industry-standard way to generate or manage encryption keys over the long term. Though there is a standard before an IEEE committee (IEEE 1619.3), Callaghan says that it will take some time before all of the participating parties agree on a common key management standard.

In the meantime, users have three general methods they can use to generate and manage keys: a common key, user-generated keys or cryptographically generated keys. A common key is the simplest to manage but also the least secure: if that key is compromised or hacked, all of the data encrypted with it is essentially compromised. User-generated keys are equally problematic. Though they are more random, they may not be sufficiently complex, and users are responsible for tracking which data was encrypted with which key and when. Neither of these options is a sustainable or reliable model for most corporations.

The third option, cryptographically generated and protected keys, is emerging as the best solution today for enterprises to centrally manage encryption keys until key management standards are ratified. In Quantum's case, the Quantum Encryption Key Manager (Q-EKM) gives enterprises the flexibility to encrypt data and centrally manage it. Using Q-EKM does not guarantee that its encryption keys will comply with whatever standard emerges (nor does using any other vendor's product), but since Quantum is represented on the IEEE committee, it is logical to assume that Quantum will provide a roadmap for ensuring that the keys it generates remain manageable over the long term under current and future standards.
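The contrast between the common-key model and cryptographically generated per-cartridge keys, as an added example that is not from the article and is not Quantum's Q-EKM: a minimal, hypothetical key manager in Python that draws every key from the operating system's CSPRNG, records which cartridge was encrypted with which key and when (the tracking burden the article assigns to users of self-generated keys), and counts how many cartridges a single leaked key exposes under each model. The names KeyManager and blast_radius, and the cartridge barcodes, are assumptions of this example.

```python
import hashlib
import secrets
from datetime import datetime, timezone

KEY_BYTES = 32  # 256-bit data keys, matching the drive encryption the article describes


class KeyManager:
    """Hypothetical central key registry (not Quantum's Q-EKM): every key comes
    from a CSPRNG, and each cartridge is tracked by key ID and assignment time,
    so nobody has to remember which key encrypted which tape and when."""

    def __init__(self):
        self._keys = {}        # key_id -> raw key (a real manager wraps these under a master key)
        self._cartridges = {}  # barcode -> (key_id, assigned_at)

    def generate_key(self):
        key = secrets.token_bytes(KEY_BYTES)
        # The ID is a truncated hash of the key, so records can name the key without storing it
        key_id = hashlib.sha256(key).hexdigest()[:16]
        self._keys[key_id] = key
        return key_id

    def assign(self, barcode, key_id=None):
        """Bind a cartridge to a key; with no key_id given, a fresh per-cartridge key is made."""
        if key_id is None:
            key_id = self.generate_key()
        self._cartridges[barcode] = (key_id, datetime.now(timezone.utc))
        return key_id

    def key_for(self, barcode):
        key_id, _ = self._cartridges[barcode]
        return self._keys[key_id]

    def cartridges_exposed_by(self, key_id):
        """Every cartridge whose data becomes readable if this one key leaks."""
        return sorted(b for b, (k, _) in self._cartridges.items() if k == key_id)


def blast_radius(common_key, barcodes):
    """Number of cartridges exposed when the key on the first cartridge is compromised."""
    km = KeyManager()
    if common_key:                      # the article's 'common key' model
        shared = km.generate_key()
        for b in barcodes:
            km.assign(b, shared)
    else:                               # one CSPRNG-generated key per cartridge
        for b in barcodes:
            km.assign(b)
    leaked_key_id, _ = km._cartridges[barcodes[0]]
    return len(km.cartridges_exposed_by(leaked_key_id))
```

With five constructed cartridges, a leaked common key exposes all five, while a leaked per-cartridge key exposes only the one tape it was assigned to.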

1 Comment

umair said:

Well written, particularly "Quantum's larger strategy is to provide solutions that keep data on both disk and tape is reflective of the approach that most large storage vendors are taking. More users want to use disk as their initial target for backup data to keep backup and restore times to a minimum" will help us to work fast.


Entry Sponsorship

This entry is sponsored by Quantum

About Quantum Blog

Quantum is "The Go-To Company" for Backup, Recovery and Archive Solutions. They offer global scale and a proven track record to provide a comprehensive portfolio of solutions for securely storing, managing, protecting, replicating and recovering business-critical data. The company's award-winning disk, tape, media and software solutions deliver data integrity and availability along with superior value and support from a world-class sales and service organization.