Thu, Jun
3 New Articles

Choosing and Implementing an Encryption Solution

Compliance / Privacy
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times
Companies are now beginning to realize the importance of protecting all sensitive customer data. The only real way to protect your backups is through encryption. This article outlines what you need to look for when considering a backup encryption solution.

It's important to understand that the purpose of backup/archive encryption is to protect confidential data when it leaves the secure environment of the business on either backup tape or optical disc. Therefore, backup/archive encryption represents very different requirements from those of other internal security products designed for the network.


Backup tapes are produced for one reason: to allow you to easily restore your data within your service-level timeframes if the original is lost or corrupted. It is imperative that you take this into consideration when looking at any proposed solution. In a real DR crisis, any complexity or additional steps required when restoring your data must be minimized. In a crisis, your primary objective is to get the business back in operation; complexity must be reduced.

Once you decide that a solution is required in order to meet regulatory or good business governance requirements, a new set of questions must be addressed.

It may be that your company has a single platform environment, which could simplify the available options. Or you may be looking for a corporate-wide solution to cover a diverse heterogeneous environment. Whatever your environment, it is vital that you look at the full picture to avoid expensive and time-consuming mistakes. It is usually better to standardize on one solution for all platforms to save on training, support, and costs.

Once these questions have been addressed and the requirements understood, you must determine whether a software-only solution meets the requirement or the hardware route is the only acceptable solution. For details of the core differences between a software and hardware solution, see the table below. On the hardware front, there is a choice of where that hardware should reside and this is also covered below.

Software versus Hardware

Software often does not offer compression. The maximum speed achievable will be the native transfer rate of the drive as the drive will not be able to compress the encrypted data.
Hardware units—whether built into the drive or of an inline design—use hardware compression prior to encryption, so the effective transfer rates are maintained or, in some cases, improved upon.
Software compression relies upon the system processing power to do the work; this means the speed is dependent on the available system power and is affected by other processes running on the system.
Hardware compression is not system-reliant, and the transfer rates and backup times are able to be calculated.
Software normally involves several updates during the life of the system.
Hardware does not change even if the complete system or OS is changed.
Encryption Availability
Software encryption is not available for all systems.
Hardware encryption works on all system types.
Some backup packages do not include encryption and therefore require a change of package and the associated configuration as well as setup and training time to learn the new packages.
Hardware encryption works on all backup packages without the need for any configuration changes.
Encryption Keys
With software encryption, the user key is kept on the system, so the system or network is open to attack.
With hardware tape encryption, the key can be kept in the device and so cannot be read from any external device.
Operating System
Software is normally restricted to a single operating system type.
Hardware is system-independent, so the same hardware can be used across many different platforms and operating system.
OS Upgrades
Software encryption usually needs to be upgraded (i.e., purchased again) when the OS is upgraded.
Hardware, being platform-independent, does not need to be changed ( i.e., no cost!).
Software is often low cost.
Hardware is normally the same cost whatever the OS, so it may appear expensive on small systems and less so on larger ones.
Software costs are often based on the capacity of the attached library; if the library is upgraded, you often need to pay again for the software upgrade.
Hardware costs are fixed, whatever the size of the library or the amount of data to be protected.


What to Encrypt

Another issue that is often raised is whether to encrypt only the sensitive data (i.e., that which is covered by the various legislation) or to encrypt everything.

At first view, the concept of encrypting only the sensitive data appears to be very attractive and may offer a number of advantages. If you use a software solution, this method mitigates some of the downsides because it minimizes the amount of extra processing required by the system, and restoring the non-encrypted data is simpler. The downside is that someone has to make the decision as to what is sensitive and, more importantly, what is not. This of course is often very much a moving target. It is simple to understand that the company database needs to be secured when written to tape, but what about all those word processing and Excel spreadsheets? Ask the CEO of a major company if copies of his/her emails are sensitive just after they have been uploaded to the Web, and you can be sure that the CEO would have preferred that they had been kept confidential. If you are going to invest in a solution, why restrict it to only part of your information?

Another area of contention is when to implement a solution. Should you look at what is readily available and "field proven" or wait for the availability of the "ultimate solution" that the vendor assures you is going to be available "real soon"? If you are in the lucky position of having a representative development system where you can run exhaustive tests of the new solution as soon as it becomes available, waiting may be an option, but what about the risk you are running until it is implemented on the live systems?

From the beginning, it should be understood that although someone in the corporate entity has identified the requirement for encryption, there may be individuals within the business who will not understand the risks and will fight against any attempts to integrate a solution into the infrastructure. Why is this?

Many MIS departments see backup and archive as a non-productive activity that simply causes them extra work and headaches. Asking them to add what they see as an additional level of complexity into this environment will not go down well. They must meet existing SLAs and will not accept anything that could potentially increase their workload and impede their primary activity of delivering a service to customers.

Another potential issue is where the funding for such a project will come from. In businesses where the financing of such projects is centralized, this is not an issue; however, if the IT department is expected to use funds from its existing budget for something the financial department wants, you can expect some resistance.

Sometimes the resistance is because the IT group didn't get asked to evaluate a product or solution but was simply told by corporate that this is what they will be implementing. This is seen as a reflection on the professional expertise and again can add unexpected complications.

Existing Tapes

A vital point to consider is what to do with the existing pool of tapes used for backups and archives. It is likely that the rationale behind encrypting backup tapes will require that tapes written prior to the implementation of the encryption solution also be encrypted. How can this task be carried out? What extra facilities will be required? Do you have staff available to carry out what might be a considerably time-consuming operation?

If the plan is to move to a new device such as the LTO-4, is it possible to reuse the existing media, or do you have to copy old tapes onto new media and then destroy the old media? If the plan is to use new media, is there a budget to cover this additional cost, or has it been overlooked?

We are all aware that staff costs for storage management exceed the costs of the actual storage, so any new solution must not add extra work and costs for the staff managing the systems. A simple solution that requires no changes to the existing procedures or infrastructure and has no training costs in time or money may be less costly in the long term than an apparently cheaper solution that requires continual monitoring and operational input.

Are you thinking of delaying implementing a solution simply because the present system is going to be replaced in the next 12 to 18 months? By carefully selecting a solution that can be migrated to the new system, you can ensure you are safe for the whole period, not just when the new system is delivered.

IBM has announced its intention to deliver a number of security features in i5/OS V6R1 when it delivers in 2008, but can you wait until then to cover your identified security weakness? The solution that you implement on your present OS level can still be fully used when V6R1 is released. An external hardware solution with dedicated compression and encryption engines will not suffer from the problems and complexities that software such as those in V6R1 may suffer from. It also can be the case that the original marketing statements are simply what is intended; what is actually delivered may not have all the expected features!

The DR Implications

It is often overlooked that one of the main reasons you run regular backups is to ensure that you are able to bring up the systems required to keep the company in business in a major disaster situation. Any good tape encryption solution must be such that it does not hinder or overcomplicate this already stressful operation.

We all presume that it will never happen to us, but it does! It might be a hurricane, a flood, a fire, or an earthquake, but the result is the same: You need to restore your business data onto a new system in order to get your business back up and trading. Statistics show that if you fail to do this in a timely manner, the result 80 percent of the time is the total collapse of your business.

Be cautious against choosing a solution that's over-complex, needs specialists to install on the DR site, or has a difficult key-management system. All of these will hinder the restore process and seriously impact your company's ability to survive a disaster.

Where Should a Hardware Solution Reside?

There are three approaches to where a hardware solution can sit: in the server, on the drive, or in the layer between the two.

Hardware Built into the Server

When encryption is built into the server, it is very system-dependant and, by the nature of the beast, will be very disruptive to install. Normally, this type of encryption is designed and manufactured by system vendors, so it will have the benefits of their support and maintenance packages and may be guaranteed to be compatible with future OS upgrades.

The downside of using a server-based solution is that it must also reside in any DR or development systems in order to be utilized for DR or development. This is likely to add a significant financial impact to such a project, and the disruptive nature of installing such a solution can cause substantial headaches. It also should be understood that some of these solutions use the system processors to do some of the work, so they can have an impact on overall system performance when being used.

With host-based encryption using a standard encryption card, any user who has decided to implement the same methodology will have exactly the same physical hardware as you.

Built into the Drive

At this time, there are only a limited number of truly integrated drive-based solutions on the market, and these are new and, so far, unproven. Most solutions are limited to a new media type in order to allow encryption, although they do read earlier media types and in some cases can also write unencrypted data to these media types.

All of these drives store the key externally and require external methods of controlling the encryption. The whole system's security is based on that single key as the drives are standard; hence, key management of such a product is of paramount importance.

Again, as with host-based encryption using a standard encryption card, any user who has decided to implement the same methodology will have exactly the same physical hardware as you.

Inline Appliance

These devices are normally the simplest to install and cause the least disruption as there should be no changes to the operating system and no new drivers to add because the drive type is unchanged, and the keys can be securely loaded into the appliance, which needs no network connection to the system so is inherently more secure. These systems are transparent, so they can be used on different system types and drives and can be rolled out across a heterogeneous environment very easily. If a move to another system is needed, there is no need to decrypt the data before it can be moved as the same appliance will be used to read the data on the new system that was used to write it on the original one. These solutions also offer the easiest use in a DR situation and are ideal for use when the DR site is a shared facility because their very short installation time allows them to be added only when needed.

Different but Better

In conclusion, it's clear that this new area of security has different requirements and issues compared with network security products and solutions, but with good planning and understanding, this solution need not be difficult to implement.

Paul Howard
Paul Howard is a security consultant for BOSaNOVA, Inc., a leading developer of security solutions, enterprise-class thin clients, and iSeries connectivity products. Paul is a veteran of the storage and encryption industry who, before designing BOSaNOVA's Q3 and Q3i storage encryption appliances, worked for numerous defense-related contractors on storage solution technologies. For more information on BOSaNOVA's security solutions, visit http://www.theq3.com/ or contact Paul at This email address is being protected from spambots. You need JavaScript enabled to view it..


Support MC Press Online

$0.00 Raised:

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: