Encryption: Tape Drives' Savior?

Let's face it: Tape-based storage has been declared dead more times than disco.

But like cheesy dance music, tape survives because it's cheap, easy and does what it claims to do--nothing more, nothing less. Despite the precipitous drop in disk prices and new technologies that make low-end disk drives emulate the best of tape-based storage while delivering random access, tape drives remain a staple for backup because of their utilitarian focus on the task at hand.

If tape is to remain vital, however, it will need to overcome a more recent threat. As regulatory compliance concerns and headlines about data loss mount, tape will need a measure of security heretofore unknown in what most administrators have considered an afterthought in the IT infrastructure.

Enter encryption. What many think of as a complex technology reserved for only the most important corporate data is now being applied to the lowly tape library. If it catches on, it could mean one more coda for a storage technology that often seems headed for its last dance.

"We have customers with big investment in current tape technology that they won't move away from anytime soon," says Chris Anderson, an account manager at Custom Storage, a Scottsdale, Ariz.-based integrator specializing in secondary backup solutions.

The move to encrypt the data on tape drives comes in part from the flood of recent stories about lost or stolen backup tapes from the likes of Bank of America, Citigroup and DHL, as well as a number of health-care institutions and universities over the past year.

It's unclear whether such incidents are on the rise, or if new reporting regulations are forcing more data loss into the public eye. Whatever the case, security breaches have shone a spotlight on the inherent insecurity of tape storage--a significant threat no matter how cheap or convenient the technology.

While tape may represent a single-digit growth market, there are ways solution providers can offer high-margin professional services, such as layering on encryption technology, to reduce the risk of exposing data if tapes are stolen or lost in transit between data centers and so-called "iron mountain" storage facilities.

Currently, very little data on archived tape is encrypted, mainly because encryption slows the backup process, affects recovery point objectives, and lacks standards that could ensure compatibility and future readability.

One such innovator is Spectra Logic, an established but relatively small provider of tape-library systems. The company in May began shipping the first tape-library system with built-in encryption. The Spectra T950 and T120 come with hardware-based AES-256 encryption, which is compliant with the Federal Information Processing Standards, or FIPS 140-2, Level 3, which mandates how federal agencies must secure archived data.

Critical to Spectra Logic's approach to tape encryption is what it calls a QIP, or quad interface processor, a network-based bridge that performs multi-protocol conversion between Fibre Channel and iSCSI, and is designed to prevent the encryption process from creating a bottleneck at the network layer.

That said, Spectra Logic is a relatively small player working mainly in government and health care. The leading providers of midrange and enterprise tape systems, which include Hewlett-Packard, IBM, Quantum and Sun Microsystems' StorageTek division, have a variety of efforts in the works to address tape encryption.

There are also vendors that provide appliances within the network that handle encryption of stored data. One is Decru, a subsidiary of Network Appliance. Another is NeoScale, which recently upgraded its CryptoStor Tape software for HP's tape systems based on the current LTO-3 standard. LTO, which stands for Linear Tape Open, is the fastest-growing midrange tape format, says Robert Abraham, an analyst at Freeman Reports in Ojai, Calif.

HP, along with IBM and Quantum, is the key partner in the LTO Consortium, which recently announced that the next version of the LTO specification will support encryption at the tape-cartridge level. Called LTO Ultrium 4, the new spec will encrypt data as it's written to the tape drive.

But LTO-4 drives, expected to appear early next year, don't obviate the need to address older systems, says Kevin Brown, director of marketing at Decru.

"Let's say you get encryption in a tape drive, library or software," Brown says. "The problem you have is that, if you're working with, say, three or four vendors' old gear and new gear, you're faced with managing a lot of different key management systems."

Decru's DataFort can handle encryption and key management of up to 20 drives on a single box, Brown says. "What we expect to see is a blended approach," he says. "New-gear customers will want to do native encryption, but those with legacy gear will be best served by the appliance approach."

Among those that resell Decru's solutions is Quantum, which offers the solution for its line of LTO tape drives. Quantum is also known as a leading provider of a competing format, Digital Linear Tape, or DLT. The company in February started shipping DLT drives and a tape-automation system that supports its new security framework, which includes a key management platform.

Technically speaking, though, this approach isn't actually encrypting data but rather putting the data behind a password-protected header. For those who do require full encryption, Quantum resells Decru's DataFort. Likewise, Advanced Digital Information Corp., or ADIC, another key provider of tape-library systems, has a looser arrangement in which it refers customers to Decru.

Quantum has agreed to acquire ADIC, although neither company would discuss how they will integrate encryption moving forward.

For those looking at mainframe and large host environments, there are a number of new solutions as well.

CA recently launched BrightStor Tape Encryption, which encrypts and decrypts data written by any application to mainframe tapes under z/OS.

Having acquired StorageTek last year, Sun is now a leader in the high end of the tape-library market. The company offers built-in encryption in the StorageTek Virtual Tape Library through software called the Secure Tape feature, which encrypts data as it moves to tape. Later this year, though, Sun will deliver the T10000, a tape drive with encryption and its own key-management suite.

And as Sun and others point out, key management will be more critical than any approach to encryption, because if the keys are not accessible, neither will the data be. On the other hand, if they're too accessible, that could defeat the purpose of encryption in the first place.