The best approach for you depends on your unique needs. Here are some important factors to consider when evaluating an encryption engine for your backup environment.
Scalability: How much data can a particular hardware device, or a server running encryption software, encrypt before performance degrades or you need another device?
Performance: How much additional time does the encryption process take? Does the encryption process utilize processing cycles on the server? As you might expect, software-based encryption uses additional processing resources on the server because it does not bring its own hardware. Yet software solutions are more portable, easier to manage, and less expensive than hardware solutions.
Availability: What can you do if the encryption engine fails during a backup or restore? Can you easily locate the encryption engine at a disaster recovery site? Can you easily use this encryption engine at international locations?
Key Management: An encryption key allows you to unlock the backup. Without the right key, your backup data is useless. Should you use the same encryption keys across your environment and at different sites? How frequently should you change these keys? Where are the keys stored – on the client, on a server, or in the device? Will they still be available 5 or 10 years from now? Who has access to the keys in the event of a disaster? One vendor or consultant may tell you that you need different, changing keys across your enterprise, but increasing security in this manner also increases complexity, maintenance, and financial costs.
Management: Can you identify which data you have encrypted within your backup environment using existing tools? Do you maintain logs of when you encrypted data or when you changed encryption keys? Utilizing your existing backup solution for encryption may help you address these questions.
Cost: How much will you spend on the encryption engine? What resources will you use to deploy, test, and maintain the encryption engine in the data center(s) and at disaster recovery site(s)? Can you accomplish encryption with your existing backup solution?
If these factors seem overwhelming, start with the size and location of the data that you want to encrypt, and then begin to answer and prioritize these questions. Like any new requirements process, it will be iterative, and you will find yourself revising your initial assumptions and expectations. A few enterprise data protection products offer encryption as an option. Using your backup software to encrypt backup media may simplify the management and operational deployment of encryption. As you evaluate the right approach for your company, balance the trade-offs between simple process changes and added costs and complexity. For example, rather than encrypting all data going to tape today, why not decrease the data sent to tape or encrypt only data with sensitive customer or corporate information? You could decrease data sent offsite on tape media by backing it up to disk and replicating it to another secure site. You have then reduced the volume of offsite backup data to be encrypted, which may give you more flexibility in deploying a solution.
If you accept the premise that offsite backup tapes should be encrypted, then you can begin to approach solutions creatively. More importantly, starting this process in 2006 will help you put a short-term goal – encrypting offsite backup tapes – in the context of a larger goal – running a backup environment designed for security and availability.