Lost Backup Tapes Amount to Unlimited Liability; Best Options for Tape Encryption

Even if you do not closely monitor the data storage space, chances are still above average that you have seen headlines about BNY Mellon Bank losing unencrypted backup tapes and the ensuing media storm that surrounded this disaster. Since that loss occurred, the aftermath has expanded to affect clients from two other banks.

Data losses can occur for any reason. They could be the work of a well-disciplined, external network attack or simply stumbling corporate negligence. In either case, it is unfortunately customers who suffer most as their personal information is compromised. Even though many companies invest heavily in protecting their networks with firewalls, intrusion detection systems, etc., often when a data loss occurs, it amounts to nothing more than failing to identify a fundamental security risk and taking prompt action.

An area once frequently overlooked when identifying potential risks for data loss is backup tapes. Although there are countless, high-profile examples of customer information being compromised through a lost or stolen backup tape, with BNY Mellon Bank being a more recent example, failure to take appropriate actions early on, such as encrypting data stored to backup tapes, continues to occur.

Unfortunately when a backup tape is lost, it becomes much more than an issue of trying to recover the lost tape; it becomes a question of quantifying a company's liability. Backup tapes most often are lost or misplaced while in transit and outside the control of your company (such as when being stored with a records management provider), but that doesn't relieve any of the associated liability of protecting against data loss. Currently, tape encryption provides companies with their best defense in guarding against data breaches from lost or stolen backup tapes, and often provides them with a "safe harbor" when faced with having to notify customers of the breach.

Deploying encryption for any type of storage medium requires careful planning and consideration but more so for tape. Deciding how that solution best fits your environment long-term is of particular importance. Although encryption solutions for backup tapes have been limited in the past, innovation in this area has and continues to occur, providing more options than ever to help in your decision. Currently, the best options for tape encryption are:

• Backup Software: This choice is usually integrated into backup applications and has two options: client based and server based. Either way this is a common and cost-effective solution as it is often included free with the backup software. But beware: choosing this approach can have an adverse impact on the performance of your application server. If operating multiple hosts or working within a short backup window, this might not be the best solution for your environment.
• Encryption Appliances: This solution provides a dedicated appliance for fast performance and processing for a small number of links and is most often found in a SAN environment. While this solution offloads the performance hit onto a dedicated appliance, it comes at a substantial cost, especially for small deployments. Managing the performance overhead as the number of backup jobs grows also can be problematic.
• Tape Drives: A relatively new approach to tape-based encryption, the inclusion of encryption with LTO-4 technology now has made native tape drive-based encryption both feasible and affordable for most companies. This approach integrates encryption into the drive itself and offers cost savings over other solutions since it comes with the tape drive, plus the data is encrypted just prior to getting moved offsite. Vendors such as Overland Storage offer LTO-4 backup tape drives in both half-height and full-height models.

One aspect to keep in mind when using a tape drive-based encryption solution is that individual LTO-4 tape drive vendors may encrypt data in different manners. So even if all your tape drives are LTO-4, if they are from different vendors, an LTO tape encrypted by one tape drive may not work in another. This makes it important to standardize on a specific vendor's LTO-4 tape drives to ensure encrypted tapes can be read across all tape drives in your environment whether they are standalone, autoloaders or tape libraries. In these cases, it is advisable to work with providers like Overland Storage to take the risk out of this part of the equation.

A larger concern when encrypting data, however, is the choice of the encryption key management solution. Without proper key management, data on the backup tapes may be rendered unrecoverable. Key management, and some of its pros and cons, will be the focus of an upcoming blog entry.