A quick consult with PrivacyRights.org is enough to give you a cold, sinking feeling in your gut about data protection. Leveraging public sources, the site operators maintain a log describing disclosure events involving private personal and financial data. As of mid-January, the total number of persons whose data has been breached is more than 100 million.
Their numbers seem pretty accurate, given they’re taken from public announcements about privacy breaches made by companies that last had the data. Such disclosures have become de rigueur as a function of state and federal laws, such as the Gramm-Leach-Bliley Act of 1999 and California’s SB 1386. In Europe, the e-Privacy Directives are just beginning to kick in.
A portion of these reported disclosures have involved hacker misdeeds or stolen or misplaced laptops. However, a more substantial number involve the misplacement of backup tapes containing data that wasn’t encrypted prior to its movement out of the safe confines of the data center. These events could mostly be avoided by encrypting backup tapes. So, why hasn’t everyone developed an encryption strategy?
It’s not that encryption is very complex: Truth be told, you don’t need to understand all the complexities of specific encryption algorithms to develop an encryption strategy. That said, you do need to use common sense to formulate a workable strategy—partly to surmount the vendor “marketecture” and partly to develop an approach that fits your budget and operational requirements.
The first question is always what to encrypt. In the case of backup tapes, that’s pretty obvious: Anything leaving the secure premise—especially tape backups of databases and files heading to offsite storage—needs to be encrypted.
The second question is how. This is an important one to answer, in part because there are so many approaches for encrypting backup data.
Certainly, you can encrypt as a function of backup software, or by using facilities provided on many tape libraries as either a feature or an option. IBM provides a facility in the z/OS environment called Integrated Cryptographic Service Facility (ICSF), which helps ensure that the encryption process, however you elect to do it, doesn’t steal too much of your processing power.
Ed Low, operations manager for Fidelity Information Services’ Oahu, Hawaii-based data center, told me he finds the BrightStor Tape Encryption Utility from CA to be handy in encrypting the data produced by the financial institutions he supports. In fact, Low used encryption requirements to help refine his overall tape strategy back in 2005. Here’s how it works.
Low has deployed CA-1 to perform tape management, and the BrightStor CA-Dynam/TLMS Tape Management Copycat Utility to enable him to pack the 3490 tape images he builds in his IBM Virtual Tape System (3494-B20) onto new 3592 J cartridges that work with his new 3584-D22 Tape Library. Basically, this enables him to reduce the number of physical cartridges that move offsite daily from 12 to 15 cases (50 cartridges per case) to only eight of the more capacious 3592 J tapes. He doesn’t have to write special JCL to do the consolidation.
The BrightStor Tape Encryption Utility plugs right into the process. It leverages ICSF, manages encryption keys, and lets him define policies to automate the encryption process. Should he need to decrypt the tapes at an alternate location, following a disaster, for example, he can use a piece of client software provided by CA to read the data sets back into a production environment.
He’s had this up and running since last spring and reports no problems. Plus, he’s expecting to expand the solution to his Unix servers when CA releases agents to support that operating system later this year. The result will be a centralized backup-with-encryption story that protects all of his important information assets.
This isn’t meant to be a push for CA. They have one of the more integrated solution sets out there, but there are obviously others. The key to selecting the right approach is to leverage what you already have, be as non-disruptive as possible in the encryption process by leveraging things such as ICFS, and carefully consider how you will decrypt the data if the need ever arises to implement your disaster recovery plan.
Several laws have been introduced in this Congress, designed to lock down private data even more tightly. It’s only a matter of time before the laws that require companies to disclose data disasters evolve into laws that exact fines and penalties directly against the offending companies. The time to get your act together on encryption is now. Z