Encryption is an increasingly important set of technologies that enable customers to protect private data on computers, over public or private networks, or in other machine-readable forms.
More data is at risk of being compromised than ever before. This, coupled with the rising cost of data breach, measured in terms of both “hard” dollars and legal settlements, as well as “soft” costs, such as loss of customer loyalty, make the intelligent use of encryption and other data protection technologies increasingly necessary for organizations of all sizes.
For the small to medium-sized market, the ideal data encryption approach would be affordable and easily integrated into a complete data backup and business systems continuity solution. It would include powerful standards-based encryption and offer robust key management functionality.
Imagine a bank with 20,000 customers, most with multiple bank accounts and bank cards. Every night, the bank makes a full tape backup of its main information servers. The tapes are placed in a storage box. Sometime during the day, a truck driver from the tape storage company leaves a set of older tapes (which are no longer needed) and picks up the box of new tapes.
Any such practice can lead to ribbons being lost or stolen from loading docks, accidentally left in the wrong places or lost or stolen from the delivery van, among other things. Once the tapes are in the wrong hands, unencrypted data is easily compromised.
Fortunately, encryption functionality can be easily integrated into an organization’s backup processes, protecting all data on the company’s servers and backup devices, and all data is extracted from the site for archiving.
Keys and Key Management
A key is a piece of information, or parameter, that controls the operation of a cryptography algorithm. Modern encryption algorithms often use symmetric or asymmetric keys. Asymmetric key encryption uses a pair of keys, called public key and private key, and is best suited to protect data that has a wide audience, such as websites with secure access established for many users.
Symmetric key methods use the same key for both encryption and decryption. Symmetric keys are excellent for use with devices and appliances where the need to share keys is very limited. This is typically the case for data backup devices, for which it is not necessary to specifically allow many parties to have access to the key.
If you lose your home key, a locksmith can mechanically open it and help you regain access. If you lock the keys in the car, there are many specialized tools that can help you open the door. But any encryption method that would allow this type of “alternative access” in the event of a lost key would be fatally unsafe. Today, most encrypted data is essentially indecipherable to thieves and is completely lost to the owner in the absence of the key needed for decryption. This puts enormous pressure on the owner not to forget the key. It is important to choose a “strong” key, often many, many characters long, which makes it harder to guess, but also harder to remember. And writing the key carries its own obvious security risks.
Methods of implementation
Data encryption can be incorporated into your workflow in different ways, each with its own advantages and disadvantages. When data encryption is implemented on a network, there are four basic ways to approach the process:
File system encryption on a server. File system encryption is probably the easiest to implement. But this type of encryption places a great demand on the CPU server, which often makes it impractical for a busy Exchange or SQL server because of the computing power required.
In addition, encryption of the server’s file system does not allow centralized management, but must be implemented per server and managed only with respect to that system. And in multiple OS environments, this type of file-system-based encryption may not be available for all the OS used.
Online encryption. Online encryption is typically performed by a dedicated hardware appliance and is quite simple to implement.
Encryption of backup devices. The key difference between backup device encryption and backup media encryption is the location where the encryption is performed. Encryption at the backup device level provides much greater overall data security. This is true because data can be encrypted once (on the device), and remain encrypted regardless of its location at any time in the future.
If data is encrypted as it arrives at the device, the data stored on the backup device for quick local recovery is also protected against internal attacks. This approach avoids the performance degradation associated with file system encryption and also eliminates the complexity of applying encryption tools across multiple operating systems.