Securing Data Stored On Tape With Encryption: How To Choose the Right Encryption Key Management Solution


CONTENTS

Why Encrypt Backup Tapes?

The Importance of Encryption Key Management

Quantum Encryption Key Manager (Q-EKM)

Backup Application Managed Encryption


Data security breaches are becoming increasingly expensive for organizations, and a variety of industry analysts agree that the costs of such incidents will continue to rise for the foreseeable future. While the legal, administrative and technology expenses resulting from lost data are significant, a new study claims the most significant cost may well be found in customer churn rates.

According to a study by The Ponemon Institute, data breaches now cost organizations an average of $197 per compromised customer record, up from $182 in 2006. Most of the cost — $128 out of the $197 — is from lost business and having to acquire new customers.

Average total per-incident costs of data breaches in 2007 were $6.3 million, compared to an average per-incident cost of $4.8 million in 2006. The cost of lost business accounts for nearly two-thirds of that total — an average of $4.1 million, which represents a 30 percent increase over the previous year. Analysts say the rise in customer churn is easily explained. Increasingly tech-savvy consumers are quick to abandon organizations that fail to protect personal information. And they aren’t likely to come back, either.

Gartner analysts, meanwhile, estimate that the cost of sensitive data breaches will increase 20 percent per year through 2009 as financially motivated targeted attacks become more prevalent and new vulnerabilities continue to be reported.

The good news is that encryption can dramatically reduce, if not eliminate, the risk of a data security breach. Furthermore, many organizations already have the tools in place to encrypt sensitive data. Nonetheless, organizations should develop sound encryption key management processes to minimize administrative overhead and maximize the value of data encryption.

Why Encrypt Backup Tapes?

When it comes to data management, today’s enterprises must balance a number of divergent requirements that often compete for priority. Government and industry regulations, as well as sound business practices, mandate data security and privacy, while day-to-day operations demand data protection and fast recovery.

Many organizations routinely store backup tapes off site to meet operational requirements and business continuity objectives. However, backup tapes can easily be lost during transport, and remote storage facilities may lack adequate security. As a result, lost or stolen backup tapes are an all-too-common vector for data security breaches.

Backup and archival solutions are designed only to preserve data; they don’t protect against unauthorized access. Only data encryption can effectively safeguard sensitive data by rendering it unreadable without access to the encryption key. That’s why experts recommend encryption as part of the routine backup process.

The Importance of Encryption Key Management


As a result, encryption key management plays a vital role in any encryption solution. Simply writing down each key and its associated pass code defeats the purpose of encryption. The keys associated with each data set must be stored in a secure manner to ensure data privacy and security.

Users of Quantum LTO-4 tape drives have two options for encryption key management: Quantum Encryption Key Manager (Q-EKM) and the encryption key management functionality built into leading backup applications. Each option offers unique benefits. Choosing the right solution depends upon the storage infrastructure and volume of data to be protected.

Quantum Encryption Key Manager (Q-EKM)

Q-EKM is a proven, easy-to-use, library-managed encryption solution designed to protect sensitive data throughout the enterprise. The Q-EKM software, which may be implemented on either a Windows or Linux server, is designed to generate and communicate encryption keys. It selects a pre-generated key from its key store, encrypts the key for transport and sends it to the LTO-4 drive, which decrypts the key and uses it to encrypt or decrypt the data. The key is not stored on the tape drive; an alias is used to relate each data set to the appropriate encryption key.

The encryption keys generated by Q-EKM are transferred to each tape library “out of band” — that is, outside of the backup data path — with no impact to backup performance. Q-EKM’s out-of-band methodology eliminates “same system” restore requirements, and enables the centralized storage, management and protection of encryption keys supporting multiple libraries across the distributed network. Administrators don’t have to learn, support and manage multiple encryption solutions. Q-EKM was designed from the ground up for encryption key management. It is easy to set up, integrates seamlessly into the existing backup environment, and scales easily to meet changing demands. It can also be implemented in a redundant, high-availability configuration that replicates the key store for maximum protection.

Most importantly, Q-EKM’s “set and forget” design eliminates the need for administrators to manually track encryption keys and pass codes. This hands-off approach is ideal for organizations that back up large amounts of data, or have multiple, geographically dispersed tape libraries.
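The key flow described in this section (select a pre-generated key by alias, encrypt it for transport, decrypt it in the drive, keep only the alias with the data) can be modelled in a few lines. This is an added example, not Quantum's code: the `KeyManager` class, the `drive_write` and `drive_read` functions, the alias strings, the blob layout, and the use of AES-256-GCM with a pre-shared transport key for the wrapping step are all assumptions made for illustration.

```ruby
require "openssl"

# AES-256-GCM; output is nonce(12) + tag(16) + ciphertext, key alias bound as AAD.
def seal(key, plaintext, key_alias)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = key_alias
  ciphertext = c.update(plaintext) + c.final
  nonce + c.auth_tag + ciphertext
end

# Raises OpenSSL::Cipher::CipherError on a wrong key, altered data or wrong alias.
def unseal(key, blob, key_alias)
  raise ArgumentError, "truncated blob" if blob.bytesize <= 28
  d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  d.key = key
  d.iv = blob.byteslice(0, 12)
  d.auth_tag = blob.byteslice(12, 16)
  d.auth_data = key_alias
  d.update(blob.byteslice(28..-1)) + d.final
end

# Key manager stand-in: pre-generated keys by alias, plus an assumed transport key.
class KeyManager
  def initialize(transport_key, aliases)
    @transport_key = transport_key
    @store = aliases.to_h { |a| [a, OpenSSL::Random.random_bytes(32)] }
  end

  def wrapped_key(key_alias) # select by alias, encrypt for transport
    seal(@transport_key, @store.fetch(key_alias), key_alias)
  end
end

# Drive stand-in: unwrap the delivered key, use it, write only alias + ciphertext.
def drive_write(transport_key, manager, key_alias, data)
  key = unseal(transport_key, manager.wrapped_key(key_alias), key_alias)
  { key_alias: key_alias, data: seal(key, data, key_alias) }
end

def drive_read(transport_key, manager, tape)
  key = unseal(transport_key, manager.wrapped_key(tape[:key_alias]), tape[:key_alias])
  unseal(key, tape[:data], tape[:key_alias])
end

kek = OpenSSL::Random.random_bytes(32) # constructed demo values from here on
km = KeyManager.new(kek, ["key-0001"])
puts drive_read(kek, km, drive_write(kek, km, "key-0001", "constructed backup data"))
```

Because the cartridge record carries only the alias, any drive that can reach the key manager can restore it, while a relabelled alias or a drive without the transport key fails authentication instead of returning data.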

Backup Application Managed Encryption

A number of leading backup applications — including CommVault, EMC Insignia, HP Data Protector, Symantec Backup Exec, Tivoli Storage Manager and Yosemite — support data encryption and encryption key management. These solutions generate encryption keys using the AES-256 algorithm and transfer them “in band,” ahead of the data to be backed up.

The software keeps track of the encryption key along with other information about the data set. A password or pass phrase is assigned to each key in order to protect the data set records and prevent access to the encryption keys. As a result, backup applications require a more hands-on approach to encryption key management than the Q-EKM solution. Administrators must keep a log of the pass codes associated with each key in order to decrypt the data.


However, backup application managed encryption can be very effective for organizations that have a single tape library and modest backup demands. The encryption key management process is already built into the infrastructure — there’s no need to purchase, learn and manage a separate encryption product. And pass code tracking can easily be added to existing tape and data set management processes.

Conclusion

Securing data from unauthorized access is a critical issue for businesses in all industries. Regulatory compliance and customer loyalty both depend on keeping sensitive information safe and secure. With tens of millions of customer records compromised each year — many of them on backup tapes — businesses must take steps to improve data confidentiality and integrity. Luckily, the data encryption capabilities built into every Quantum LTO-4 tape drive can help organizations prevent a costly and embarrassing security breach.

The right encryption key management solution can help minimize the impact of encryption processes on IT operations. The encryption key management capabilities built into popular backup applications provide a cost-effective approach for organizations with a single tape library. For customers with multiple tape libraries distributed throughout the organization, Quantum’s Q-EKM solution provides a robust, transparent, fully automated approach to enterprise encryption key management.

For contact and product information, visit quantum.com or call 800-677-6268

Backup. Recovery. Archive. It’s What We Do.

©2008 Quantum Corporation. All rights reserved. Quantum, the Quantum logo, and all other logos are registered trademarks of Quantum Corporation or of their respective owners.

Protected by Pending and Issued U.S. and Foreign Patents, including U.S. Patent No. 5.990.810. WP00124 Aug 2008
