InfoStor leads this month’s issue with a story on LTO4 Encryption. Good buddy Mark Ferelli wrote the piece.
Interestingly, Mark’s interviewees did a smarmy job of trying to sidestep the issue, raised in this blog, about the failure of LTO-4’s onboard encryption, based on AES/GCM, to pass muster with FIPS 140-2 Level 3 standards. According to Mark’s piece, “…while this [FIPS] may be a gold standard for dealing with federal organizations, it may be excessive for many, if not most, companies.”
The piece goes on to explain that rates of key changes and other operational aspects of smaller firms may make compliance with FIPS security standards “overkill.”
But with many companies I visit using FIPS standards to provide an ironclad guarantee of encryption compliance, I don’t know if I would dismiss the non-FIPS readiness of LTO-4 so readily. Are there any agreed-to standards, besides FIPS, that can be referenced to show auditors that you are complying? Neither Mark nor his sources explore this issue.
I’m afraid that this concern doesn’t go away with the wave of LTO’s hand.