Symantec Adds Crypto to Backup

Symantec today unveiled backup encryption software that it claims will keep IT managers and CIOs out of the storage snafu hall of shame. (See Symantec Expands Data Encryption.)

The vendor is touting its clumsily titled Veritas NetBackup Media Server Encryption Option (MSEO) as a way for firms to encrypt backup data before they shift it off to tape. In doing so, Symantec joins the growing list of vendors looking to tap into users' growing tape paranoia. (See On the Brink of Storage Disaster, Security Smorgasbord on Show and CA Faces Backup Flaw.)

Lost tapes are now almost as much of an IT security cliché as lost laptops thanks to a string of high-profile incidents involving the likes of Time Warner, Los Alamos National Lab and NASA. (See Tape Security Trips Up Users, Can't Quite Kick the Tape Habit, Los Alamos Fallout Continues, NASA Goes to the Dark Side, and Search Results Get Safer: AOL Edges Google.)

Although Symantec describes the software as running on a media server, the vendor is not referring to video and broadcast products from vendors like AVID and Ciprico. (See Storage Grabs Video Limelight, AVID Intros Open Storage, and Ciprico Unveils Enhancements.) Rather, Symantec means a traditional server which backs up data from client devices such as desktops, laptops, and other servers. This, in turn is connected to a tape library or tape drive where the data is stored.

The idea behind today's announcement is that users can encrypt data on the server rather than on the client device, which is the approach taken by IBM's Tivoli Storage Manager. Symantec told Byte and Switch that doing the encryption on the backup server is more efficient than on the client because the server typically has extra CPU cycles, which frees the client up for other operations.

At least one analyst agrees with this approach. "The benefit of moving [the encryption] onto the media server is that it's dedicated to backup, so it will have a lot more capacity than the server you are looking to protect," says Stephanie Balaouras, senior analyst at Forrester Research. IBM, for its part, was unavailable for comment.

Symantec also claims that it is the first backup software vendor to offer encryption on the media server, although Vormetric's CoreGuard offering also encrypts data on the server. And it's an OEM'd version of this product that forms the basis of Symantec's MSEO, although one analyst told Byte & Switch that this could make life easier for IT managers.

MSEO at least removes the hassle of running Vormetric on your server and ensuring that it links up with other backup products and client devices, according to John Oltsik, senior analyst at the Enterprise Strategy Group. "It makes sense to let Symantec do the integration for you," he said.

Users deploying the software, though, will still need to allocate CPU power to it, which makes it slower than using a dedicated encryption device from NetApp/Decru or NeoScale. (See NeoScale Claims Speedy Encryption, Decru Selects Mu, Decru, Sepaton Team, and NeoScale Faces Up to 4-Gig Encryption.)

"There is some processing power that's needed, but the price of the encryption drive is prohibitive for some customers," says Mike Adams, manager of Symantec's NetBackup group.

Pricing for Symantec's MSEO starts at $5,000 for every Windows or Linux client per server, and $10,000 for each Unix client. Key management costs an additional $10,000. Pricing for NeoScale's recently launched 4-Gbit/s CryptoStor FC 712 encryption device, in contrast, is around $45,000.

Encrypting at the tape drive level can also prove expensive. An encrypted Fibre Channel version of Sun's T10000 drive, for example, is priced at $42,000. (See Sun Encrypts Tape Drive and Sun Fills in Storage Crypto Details.)

The cost benefits touted by Symantec, though, depend on the number of client devices used, warns Balaouras. "If you're talking about a number of licenses, it could quickly add up," she says.

The analyst told Byte & Switch that, despite the cost, some of the key management features offered within MSEO could benefit users. (See What's the Key to Excellent Encryption?.) The software, for example, can centralize key management to a specific device and automatically track which key has been used for each tape.

"Traditionally that has been the advantage of going with the more expensive encryption devices like NeoScale or Decru that are very strong in key management," says Balaouras.

MSEO will be available next month.

— James Rogers, Senior Editor, Byte and Switch