Encrypting Critical Backup Data

January 16, 2007

Summary

Given the recent spate of high-profile cases where lost or stolen backup tapes exposed thousands of confidential health and financial records, the need to encrypt sensitive data has taken on even greater urgency. This article looks at some of the options today’s enterprises have when it comes to protecting critical backup data.

Introduction

As enterprises usher in a new year, they’re coming face to face with a pressing challenge: namely, the amount of data they move around continues to increase. Of course, that means their risk of exposure continues to increase as well.

"If data becomes exposed due to tape theft or loss, companies face damage to their reputation as well as the possibility of heavy fines from government agencies," says Jon Oltsik, senior analyst with Enterprise Strategy Group. "That’s why we are recommending that companies make encryption a standard component of their backup process when tapes need to travel offsite."

In the spotlight

When a large financial institution and a data warehouse specialist disclosed last year that they had inadvertently compromised the personal data of thousands of customers, renewed attention was brought to data security and backup processes.

As technology site Enterprise ITPlanet.com has observed, "what used to be a straightforward process of loading data onto tape, cataloging it and storing it away, either on-site or off-premises, has become a critical item on security and compliance checklists. And not ticking off that checkbox can have dire consequences for businesses."

Just how dire? According to a study conducted recently by the Ponemon Institute, the average data breach cost companies $4 million in 2006.

Adds Enterprise ITPlanet.com: "This can include the cost of notifying customers as well as actions a business has to take to safeguard customer accounts like reissuing account numbers and providing for credit monitoring. And these are generally accompanied by a public relations disaster that is even harder to quantify."

"Tapes can be lost or stolen," says Mike Adams, group product marketing manager at Symantec. "The choice is no longer whether to encrypt, but how."

That choice becomes even clearer in light of so-called "encryption safe harbor" clauses contained in much of the data breach legislation currently under review by Congress. Such clauses limit the disclosure requirement to those data breaches where the data was not encrypted. This kind of clause first made an appearance in California’s Data Protection Act (SB1386) and has since been included in a number of different state acts.

Encryption options

There are currently several options for performing backup encryption. Some offerings encrypt at the client: software performs the data encryption on the client using one of a variety of ciphers (encryption algorithms), transfers the data across the network, and stores it on tape in the encrypted format. For those with modest encryption needs, this option works well. However, it may not be efficient for larger organizations with more widespread needs. Other options, such as encryption appliances and tape drives that offer encryption, can be expensive and difficult to manage since they operate outside of the backup system.

Veritas, now owned by Symantec, introduced both 128-bit and 256-bit encryption in 2004, but it ran at the application server level as part of the NetBackup client. In April of 2006, Symantec introduced encryption through its Veritas NetBackup 6.0 PureDisk Remote Office Edition, but this product was intended to protect data in the remote office rather than in the enterprise data center.

In January 2007, Symantec plans to release the NetBackup Media Server Encryption Option, which is intended for the data center. NetBackup Media Server Encryption Option offers 128-bit or 256-bit AES encryption, allowing users to avoid encrypting at the client and instead encrypt at the NetBackup Media Server before data is sent to tape. It works within existing NetBackup policies and backs up all NetBackup clients.

Encrypting backup data at a centralized server (rather than at the client or on dedicated appliances) provides several benefits, including:
  • Little impact on backup windows and no impact on the backup client
  • No need to deploy separate hardware encryption devices
  • No dedicated staff required to manage it

Conclusion

When companies move unencrypted backup information by tape to an offsite location, they expose private customer data, corporate financial data, and intellectual property to significant risk. Encrypting backup and recovery data provides organizations with an important layer of protection. Moreover, it provides peace of mind and security for backup data regardless of where it lives or what happens to it.
