While large public companies have borne the brunt of well publicized tape breaches over the past year or so, smaller companies have as much or more to lose from compromised data. (See The Year in Insecurity and A Tale of Lost Tapes.)
Ask directory services provider Qsent. As a private firm, Qsent is spared reporting the type of tape breaches that have embarrassed larger companies. Still, Qsent hopes to grow into one of those larger public companies, and its business demands the utmost confidence from its customers and partners.
Qsent maintains databases of updated telephone information that companies use to verify identities of potential customers and business partners. The company is also working on a directory of cell phone numbers for leading wireless carriers. With consumers skittish about their information getting into the wrong hands, Qsent can't afford even one incident of lost data.
These high stakes convinced Qsent UNIX systems administrator Derek Olsen that his company needed to encrypt its tapes.
"Bad press from lost data could possibly put us out of business," Olsen says. "Our business partners may want to re-evaluate the contracts we have or customers may not be comfortable working with us. We've never lost any tapes, but we want to be prepared. We hope we never lose any, but hope isnt really a policy."
So Qsent chose the "better safe-than-sorry" approach for the 100 Tbytes or so of data stored on its EMC Clariion and Network Appliance NAS systems. Rather than replicate massive amounts of data between data centers, Qsent does disk-to-disk-to-tape backups with the help of a FalconStor Virtual Tape Library (VTL) in Portland, Oregon, then ships the tapes to Chicago for archiving and disaster recovery.
Last year, Qsent moved off a software-based encryption application from PGP to a hardware device. Olsen says he looked at devices from three vendors -- he declined to name the other two -- before selecting Neoscale. Qsent purchased two CryptoStor Tape 700 devices. (See NeoScale Touts CryptoStor and Review: Tape Encryption Devices.) One sits in each data center and Qsent will add another when it opens a third data center later this year.
"We did a Pepsi challenge with a few other vendors, but none of the other products had fully matured," he says. "They didn't have full support or professional services."
Hardware-based encryption is faster than software encryption, which uses up CPU cycles. Olsen says NeoScale plays nice with his backup software -- Symantec Net Backup -- and lets him use different encryption policies on tapes in different Sun tape libraries. "Net Backup doesn't know the data's encrypted," he explains. "We can do backup to VTL, and if we're sending it to real tape we use NetBackup and it doesnt know the difference between the two, or if one's encrypted or not."
Of course, hardware encryption is more expensive than doing it with software. According to Olsen, the CrytpoStor devices cost $30,000 apiece, but help save money in other areas.
"It would cost too much in bandwidth to move this amount of data electronically," he says. "We can use FedEx and have keys in both locations to do restores in both data centers. We dont have to worry about tapes if they get lost because nobody can read that data. It's just a few days' inconvenience to us."
Olsen likes NeoScale's key management, which lets him decrypt any data encrypted with a CryptoStor appliance with another appliance of the same type. However, he admits that's not always the way to go.
"We have two key management policies, depending on whether we're doing archiving or transporting data for use in the near future or backups," he says. "We have to archive financial records for audit reasons, and we can put the key on the tape because in eight years if we want to go read the tape we probably won't have the exact same NeoScale appliance. But the info will be on the tape, and we'll have smart cards to decrypt. If we're doing backup or transporting data we'll be using in the near future, we have keys on the appliance."
Organizations mentioned in this article: