
Spectra Logic Chimes In on Tape Security

by Administrator on June 28, 2007

While working on my next installment of the storage security series I am writing over on, I reached out to a few tape vendors to get a better understanding of their technologies. Here is a response received from Spectra Logic’s Molly Rector, who is VP of Marketing and Product Development for the company (a big job even for a very capable woman). Thanks for taking time to respond, Molly.

Q: There are many ways to deploy storage security. Some focus on enabling software on application hosts, other strategies entail the deployment of appliances. Why is doing security (encryption) directly on the target device, the library or disk array, preferable – assuming that it is?

Rector: Performing security on the target device is preferable in environments that have significant performance requirements and the need to encrypt large amounts of data on a daily basis.

Q: LTO 4 has begun to ship to market and everyone is touting its on-media encryption capabilities. Does Spectra Logic leverage this media-level capability?

Rector: Yes, Spectra Logic does leverage the media-level encryption capability offered in LTO4 as part of our encryption solution. LTO 4 tape drives offer the capability to generate a random number and encrypt a data stream. However, the tape drives do not solve the complex portion of encryption, the key management.

Spectra Logic has extended the Key Management offered in BlueScale to include key management of the keys generated by the LTO 4 tape drives. This extension of BlueScale encryption enables Spectra Logic now to offer a complete encryption and key management offering for LTO2, LTO3, LTO4, SAIT, SDLT and our virtual tape library – RXT.

A limitation of LTO 4 drive encryption is that it can only encrypt on LTO 4 media. Using LTO 4 drive encryption requires an investment in all new media and drives. Spectra Logic BlueScale Encryption enables customers to implement encryption using their existing drives and media while migrating over to LTO 4 as budget and business plans justify it.

Q: Describe how you implement security on the library and/or media level.

Rector: The security provided by encryption is hardware-based. With LTO-4 drives, the encryption is handled by a microprocessor that is part of the drive hardware. The drive encryption takes advantage of Spectra key management. Initially, to enable encryption and key management, a superuser must log in, and then an encryption password can be created. To access encryption features, the superuser password and then the encryption password must be entered, so that only authorized users can access encryption features.

The encryption user creates a key nickname or moniker, used to refer to each key. This protects the true value of the AES encryption key, so that it is never revealed. The user must also enable encryption for a specific partition (that is, virtual library)—this is as easy as clicking a checkbox on a screen. Data can now be encrypted.

Once keys are created, best practice dictates that the encryption user immediately makes a copy of the key (the copy is encrypted using one or more passwords that one or more users enter). Using more passwords increases security. The key, encrypted using the password or passwords, can be exported to a USB key or through an encrypted email attachment. To access the key for import, the proper passwords must again be supplied (typically, an N of M you select—2 of 3, 4 of 5, etc.). A secure initialization option is also available, which requires the encryption user password (or multiple passwords) to be entered before partitions that are designated as data encryption-enabled can be used for data encryption/backup. Note that, throughout the encryption process itself, true encryption key values are never revealed; the system performs a wide range of internal hashing and other security measures to keep the key value hidden.

Q: What is the hit on tape restore of various encryption options? The rule of thumb with LTO 3 and other media was that encrypting data imposed about 40% overhead on restore. So a nominal restore speed of 3 hours per TB with LTO 3 became 4.2 hours per TB. What kind of performance hit is imposed by on library or on media encrypt/decrypt?

Rector: Hardware encryption at the library and at the tape drive offloads the performance impact of encryption from the backup server and hosts. The specific performance impact of encryption with LTO 4 drive-based encryption is still being validated in the Spectra Logic test labs. The drive vendors say there will not be an impact on performance whether streaming native or encrypted data. However, we still need more test data to validate that this will be the case in real world environments. Spectra Logic testing reveals a 10-30% performance hit depending on the type of data, and on whether compression is also occurring as part of encryption.

Q: How does Spectra handle key management?

Rector: Setup and use of encryption is very straightforward. Setup involves a few steps—first, create an encryption user password, then create a key, make a copy of the key that you store off-site, and enable a partition to accept encryption. Use your backup application, as usual, to determine the data to be backed up, and in this case, if it is to be encrypted, make sure the data is backed up through a specific virtual library (that is, partition).

To decrypt data, use the same key that encrypted the data. The library checks to see if the key is on the library; if it is not, then the library requests that you import the key referenced only by its nickname. The import process requires the entry of the password or passwords used to encrypt the key for security. Once the key is on the library, decryption and restore can initiate.

The multiple levels of passwords and access requirements protect the encrypted key along with its data.

The screens guide you through the process, requiring the entry of the proper passwords. The first step is to login as an encryption user through the Encryption User Login screen.

The second step: create a key using the Encryption Configuration screen >>Add Key option. Enter the name of the key nickname, or moniker, that you can use to safely refer to the key without revealing its value.

The third step: export a copy of the key for safekeeping, using the >>Export Key option. This copies the key in encrypted form onto a USB or attaches the key to an email message. A copy of the key remains on the library for immediate use.

The final step to set up encryption/key management: check the Enable Encryption partition option.

Note that key deletion is just as straightforward—very important in the case of lost tapes; encrypted data is considered irretrievable once the encryption key associated with the data is deleted. Note that the BlueScale Key Management interface does warn the user of the effect of deleting keys.
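The key lifecycle described in the two answers above (a key addressed only by its nickname, an exported copy protected by N of M user passwords, deletion making the data irretrievable, and import to restore), as an added Python example that is not Spectra Logic's or BlueScale's code. Modeling the N-of-M password requirement with Shamir secret sharing, with each share wrapped under one user's PBKDF2-derived pad, is my assumption about one way such an export could be built, not a description of how BlueScale does it; the nickname, passwords and threshold are constructed for the demo.

```python
import hashlib
import secrets

# Field for Shamir secret sharing: the Mersenne prime 2^521 - 1, large enough
# that any 256-bit AES key is a valid field element.
P = (1 << 521) - 1
SHARE_LEN = 66          # bytes needed to hold one field element (521 bits)
PBKDF2_ROUNDS = 100_000


def split_secret(secret: int, threshold: int, total: int) -> list[tuple[int, int]]:
    """Shamir split: random polynomial of degree threshold-1 with the secret
    as constant term, evaluated at x = 1..total (one share per holder)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, total + 1)]


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over `threshold` distinct shares."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for k, (xk, _) in enumerate(shares):
            if k != j:
                num = num * (-xk) % P
                den = den * (xj - xk) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total


def _pad(password: str, salt: bytes) -> bytes:
    # Password-derived pad the length of one share. This is a stand-in for a
    # proper authenticated key wrap (e.g. AES-KW); it gives no integrity check,
    # so a wrong password yields garbage rather than a clean error.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ROUNDS, dklen=SHARE_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class KeyStore:
    """Model of a library-resident key store: callers address keys only by
    nickname, and the raw key value never leaves the object unwrapped."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def create_key(self, nickname: str) -> None:
        self._keys[nickname] = secrets.token_bytes(32)   # AES-256-sized key

    def has_key(self, nickname: str) -> bool:
        return nickname in self._keys

    def delete_key(self, nickname: str) -> None:
        # Once the key is gone, tapes written under it are unreadable until an
        # exported copy is imported again (the "lost tape" case in the text).
        del self._keys[nickname]

    def export_key(self, nickname: str, passwords: list[str], threshold: int) -> dict:
        """Split the key into len(passwords) shares; share i is wrapped under
        passwords[i], so any `threshold` password holders can reconstruct it."""
        secret = int.from_bytes(self._keys[nickname], "big")
        package = {"nickname": nickname, "threshold": threshold, "shares": []}
        for (x, y), pw in zip(split_secret(secret, threshold, len(passwords)), passwords):
            salt = secrets.token_bytes(16)
            wrapped = _xor(y.to_bytes(SHARE_LEN, "big"), _pad(pw, salt))
            package["shares"].append({"x": x, "salt": salt, "wrapped": wrapped})
        return package

    def import_key(self, package: dict, passwords: dict[int, str]) -> None:
        """Unwrap the shares whose holders supplied a password (share index x
        -> password) and put the recovered key back under its nickname."""
        if len(passwords) < package["threshold"]:
            raise ValueError("not enough passwords to meet the N-of-M threshold")
        shares = []
        for s in package["shares"]:
            if s["x"] in passwords:
                y = int.from_bytes(_xor(s["wrapped"], _pad(passwords[s["x"]], s["salt"])), "big")
                shares.append((s["x"], y))
        secret = recover_secret(shares[: package["threshold"]])
        self._keys[package["nickname"]] = secret.to_bytes(32, "big")


def demo_lifecycle() -> dict:
    """Create -> export (2 of 3) -> delete -> import; returns checkpoints."""
    lib = KeyStore()
    lib.create_key("offsite-2007")                      # constructed nickname
    original = lib._keys["offsite-2007"]
    pkg = lib.export_key("offsite-2007", ["alice-pw", "bob-pw", "carol-pw"], threshold=2)
    lib.delete_key("offsite-2007")
    gone = not lib.has_key("offsite-2007")
    lib.import_key(pkg, {1: "alice-pw", 3: "carol-pw"})  # any two of the three holders
    return {"gone_after_delete": gone,
            "restored_matches": lib._keys["offsite-2007"] == original}
```

The package returned by `export_key` is what would go on the USB key or in the email attachment: it carries the nickname and the wrapped shares, never the key value itself, and fewer than `threshold` passwords recover nothing. Because the share wrap here has no authentication, a production design would use an authenticated wrap so that a mistyped password fails loudly instead of producing a wrong key.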

Q: Some storage security strategies impose significant labor costs for management and administration. What is the labor cost impact of using on library/on media encryption from Spectra Logic?

Rector: The labor cost associated with implementing BlueScale Encryption is nominal. There are 4 simple steps to follow to set up encryption. Walking through these steps takes approximately 5 minutes. Once encryption is set up, encryption occurs seamlessly without any changes to backup policies.

Thank you again to Molly Rector for taking time to respond, and also to Leigh Grace for facilitating the response.
