Sun Microsystems (StorageTek) responds to tape encryption questions

by Administrator on June 28, 2007

Dharmesh Shah, Group Manager for Tape Drives and Encryption, at Sun, plus his colleagues Sandy Stewart, John Holdman and Jon Hiles, provided me with an hour of detailed discussion of Sun’s tape encryption strategy in a phone call yesterday.  I think Shah and Stewart may well be my new best friends given their refreshing candor and general smarts around all things tape encryption.

Shah followed up this AM with a set of formal responses to my questions about tape encryption.  Here goes:

Q: There are many ways to deploy storage security. Some focus on enabling software on application hosts, other strategies entail the deployment of appliances. Why is doing security (encryption) directly on the target device, the library or disk array, preferable – assuming that it is?

Sun: Encrypting in the drive is low cost, does not degrade performance, is highly secure and is generally independent of all other components of the data stack.

Q: LTO 4 has begun to ship to market and everyone is touting its on-media encryption capabilities. Does Sun/STK leverage this media-level capability? Describe how you implement security on the library and/or media level.

Sun: LTO4 came to market after the Sun T10000 drive with encryption capability. LTO is a good mid-range solution and the same is true of its encryption capability. It provides a solid encryption solution at media level although the rest of the infrastructure and key management supporting LTO4 is less secure than the enterprise-strength Sun encryption solutions. In addition, there are concerns about interchangeability of media using LTO4 encryption due to divergence in key management solutions. Sun is adding LTO4 encryption to our portfolio of library supported drives to complement our enterprise-level T10000 encryption drive solution.

Q: What is the hit on tape restore of various encryption options? The rule of thumb with LTO 3 and other media was that encrypting data imposed about 40% overhead on restore. So a nominal restore speed of 3 hours per TB with LTO 3 became 4.2 hours per TB. What kind of performance hit is imposed by on-library or on-media encrypt/decrypt?

Sun: With a well-designed device encryption solution, there should be zero degradation in performance. This has been validated in testing of Sun’s T10000 drive encryption solution and we believe the same will be true of LTO4. Software encryption at host level can create a severe impairment of performance since encryption (and compression which must be performed prior to encryption if capacity is not to be lost) is highly processor dependent. Encryption in the drive is performed at full speed within the tape drive logic and does not cause any impairment. Appliance solutions typically reduce performance depending on the fibre-channel data rate supported. For example, Sun’s T10000 drive can encrypt compressible user data at 300 MBytes per second while a 2Gb fibre appliance will limit throughput to around 200 MBytes per sec.
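The answer above rests on one ordering rule that is easy to get wrong when encryption is bolted on outside the drive: compress first, then encrypt, because ciphertext does not compress. The block below is an added illustration, not Sun's code or anything from the T10000 firmware. It stands in for the drive's AES with a toy SHA-256 counter-mode keystream (so it runs with the Python standard library only; it is not a real cipher), uses a constructed repetitive backup log as the "compressible user data", and constructed fixed key and nonce values. It reports how many bytes land on tape for each ordering and checks that the compress-then-encrypt path still round-trips.

```python
import hashlib
import zlib

# Constructed sample: a repetitive nightly backup log, the sort of highly
# compressible user data a tape drive sees. Not real data.
SAMPLE_DATA = "\n".join(
    f"2007-06-27 03:{i % 60:02d} host=db-{i % 8:02d} job=nightly status=OK bytes={i * 4096}"
    for i in range(3000)
).encode()

KEY = b"illustrative-32-byte-key-value!!"   # constructed placeholder, not a real key
NONCE = b"fixed-nonce-0001"                  # constructed placeholder


def keystream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR the data with a SHA-256(key || nonce || counter)
    keystream. A stand-in for the drive's AES so this runs offline with the
    stdlib; it is an illustration, not a cipher to deploy. Because it is a
    pure XOR, the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        keystream = hashlib.sha256(key + nonce + counter).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def compress_then_encrypt(data: bytes) -> bytes:
    """Correct ordering: the drive compresses plaintext, then encrypts."""
    return keystream_cipher(KEY, NONCE, zlib.compress(data, 6))


def encrypt_then_compress(data: bytes) -> bytes:
    """Wrong ordering: encrypting first feeds the compressor pseudorandom
    bytes, so it finds no redundancy and tape capacity is lost."""
    return zlib.compress(keystream_cipher(KEY, NONCE, data), 6)


def size_report(data: bytes = SAMPLE_DATA) -> dict:
    """Bytes written to media for each ordering, against the plaintext size."""
    return {
        "plaintext": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(data)),
        "encrypt_then_compress": len(encrypt_then_compress(data)),
    }


def roundtrip_ok(data: bytes = SAMPLE_DATA) -> bool:
    """Decrypt, then decompress, and confirm the original data comes back."""
    recovered = zlib.decompress(keystream_cipher(KEY, NONCE, compress_then_encrypt(data)))
    return recovered == data


if __name__ == "__main__":
    for name, size in size_report().items():
        print(f"{name:>22}: {size} bytes")
    print("round trip ok:", roundtrip_ok())
```

Running it shows the compress-then-encrypt path writing a small fraction of the plaintext size, while the encrypt-then-compress path writes slightly more than the plaintext (zlib falls back to stored blocks and adds its own framing). That gap is the capacity loss the answer refers to, and it is why an in-drive design that already owns the compression step has an easier time than an external appliance inserted after it.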

Q: How does Sun handle key management?

Sun: Sun provides an appliance solution – a Sun Key management application based on a secure Solaris OS with all key generation, backup and protection mechanisms installed. A Sun Key Management System operates independently of all other data stack environments and so supports all operating systems, backup applications and channel hardware.

Q: Some storage security strategies impose significant labor costs for management and administration. What is the labor cost impact of using on library/on media encryption from Sun?

Sun: Sun’s solution is very low maintenance and places virtually no additional personnel or administrative load on a Data Center.

BONUS Q: In addition to encrypting data moving off site (backups, etc.), do you believe that additional security is required for storage at rest in the data center or business office? Describe your view of a comprehensive storage security program.

Sun: We believe there are valid uses for encryption at various points in the data stream. Any data that can be removed from a data center is at risk, whether that data is intended to be moved off site or not. Host based, network based, and device based encryption products all have their uses. As we have shown with the T10000 tape drive encryption, device based encryption can be accomplished without performance impact. Using device based encryption allows protection of all data on tape or disk media with minimal impact to the remainder of the environment. Host based encryption, such as file system based encryption, allows more thorough protection. Data is encrypted from the moment it is initially placed into the storage system. In situations where the host applications are unable to encrypt or server processing power is inadequate, or where non-encrypting legacy devices are used for storage, network based encryption provides a drop-in solution for data protection.

I will share with readers here some of the commentary offered by the folks on the call regarding the evolution of standards in storage security and the politicization of the process within SNIA and Trusted Computing Group. Shah and company had some very good insights to offer.
