Encrypting backups

Backup and Recovery
I have been asked by my CIO to perform an risk analysis of encrypting our backup takes. Our off-site vendor is urging us to consider encrypting sensitive data backups. I want to follow up with operations team performing this operation to review the impact on backup window. Has anyone created a matrix to compare the time differences in performing encrypted backups versus unencrypted? Thanks! John

Answer Wiki

Thanks. We'll let you know when a new response is added.

There are probably a couple of approaches to be considered for time impact. For most wintel platforms, encryption in software has improved to be of minimal impact. For large bulk encryption, consider hardware to accelerate.

But first, a few more questions:
Do you really, really want to encrypt backups?
Is this being done to reduce your risk or the offsite storage vendors? (contracts, SLA’s, etc. should be reviewed).

What key management for backups? Will keys be sent to same vendor, same location? (If offsite data – or media this is on – is lost, damaged/ destroyed or stolen, will decryption keys be lost also?)
[Is your offsite storage local or distant? Is the physical risk loss of your facility, or larger, like hurricanes?]. In the past, some organizations have sent encrypted offsite to one location/vendor, and keys to another site/vendor. Also, consider what if the decryption keys (or the media they are on) are lost (the encrypted data is OK). Do you have a key recovery process?

Also, loss of keys could introduce risk due to inability to provide data to law enforcement, client, patient, etc. if encrypted data in unrecoverable.

Are you encrypting your organization’s on-site data NOW? Online data? Nearline data? Offline data? Despite what is in the news, the bigger risk is probably still to the data in your facility. If your facility has current experience with bulk encryption of online, nearline and/or offline data, then you might be better equipped (organizational processes) to engage encrypting for offsite.

A subsequent question is are you going to encrypt as part of the backup process or separately? You could check some of the backup system vendors for encyrption specs and recomendations. Depending on the size of your backups, you might do a disk-to-disk backup first, then encrypt. Then backup the encrypted data.

Another thought is along the lines of how long to hold? this is also like tape drives (will there still be DAT drives or DLT drives in 5 or 10 years?).

Be sure you do a full, detailed and thorough risk analysis.

Sorry, that I didn’t answer your question. This topic was discussed in detail at the last ISSA meeting.

Discuss This Question: 5  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Martoncik
    What backup software do you use?
    0 pointsBadges:
  • RoyatRCDC
    Consider where the encryption will be done to make sure you have adequate processor resources. Typically, software encryption (eg Veritas) happens on the client rather than the backup server. The overhead can be significant enough to impact the client's application processing. If an upgrade is needed, it's probably not to the backup server, but rather (multiple) user machines. Consider who will need to know the keys. If the users are able to do their own adhoc backups/restore (eg database tables, etc), then the risk of key exposure may be significant. Consider adding the caveat in the SLA if the user encrypts their backups and loses the key, to ensure they accept the risk of having unusable backups. Make sure your key management process is rock solid. Once you have a library of encrypted files, changing keys is impossible.
    0 pointsBadges:
  • SwaggerUK
    All good advice above i.e. its not just the technical issues your company will need to address. Thought I'd add something as well as I have just been looking at this issue. Veritas adds something like 15-20% extra CPU load on the client during encryption, which has been seen in our (not Veritas) testing. Not sure of other vendors though. I like the fact that Veritas does the encryption on the client as it is then the only component affected. True you may have multiple clients that this needs to be installed on, but you would need to ask yourself, do I really need to have this enabled on all of them? Out of interest how many servers are we talking about? The list price for this for Veritas was about 300 US dollars + 60 p.a. for maintenance. This is per client server - we are lucky in that we only need this on a few servers. The funniest thing about this is when I found in the Encryption Admin Guide the following quote: "This is the most secure method for protecting your key file pass phrases. ❖ When you add a pass phrase via the bpkeyutil command, write the phrase down on paper, seal it in an envelope, and put the envelope into a safe." The reality of this rings true though, at some point you have to look at your combination of technology, people and processes and not rely entirely on technology to help you.
    0 pointsBadges:
  • Epeterson
    I've seen about 15 - 20% impact in my tests depending on what I was backing up. I would also include the impact on restores in the matrix so that there are no suprises when restore time comes around. If you are tight on meeting your SLA's for backup or recovery, this may tip you over the edge and require updating the SLA's. If you are going to selectively encrypt at the sub-server level (directory, file, tablespace, etc.) it will require much more co-ordination on restores if that authority has been de-centralized. As already mentioned, the management of those keys is crucial along with knowing what is or isn't encrypted.
    0 pointsBadges:
  • HannahDrake
    Hi, Just thought I'd chime in to let you know we thought both the question and advice was great, and turned the thread into a tip on SearchDataCenter.com. So, if you'd like to see this thread on our website, the link is: http://searchdatacenter.techtarget.com/tip/1,289483,sid80_gci1102259,00.html Keep up the good posting :) Hannah Drake Assistant Editor SearchDataCenter.com E-mail: hdrake@techtarget.com
    190 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: