By Tim Nolte
IT departments are responsible for the safekeeping of huge amounts of information about their business, their intellectual property and even their customers. Increased criminal sophistication in exploiting this information means protecting it is not only more difficult, it is more important than ever.
Backup tapes are small and easy to move around, which makes them a real security exposure. Every tape-handling process therefore needs to incorporate strict security guidelines, especially when tapes are transported offsite for long-term storage or disaster tolerance.
If the data on the backup tapes is encrypted, the risks associated with tape handling are dramatically reduced. Highly secure, standardized encryption algorithms are used for this. These algorithms use a digital key to encode and decode the data, and the keys are a key part (no pun intended) of the entire security strategy for that data. Keys must be managed, and they must be managed carefully. They must not be lost: losing the key amounts to losing the data, because without the correct key all you have on the tape is an unusable random collection of 1s and 0s. Keys must also be stored securely so they do not fall into the wrong hands. If the key is available to someone with criminal intent, all the benefits of encryption go out the door (good analogy, isn’t it?).
HP Data Protector 6.1 has introduced centralized encryption key management to make this process simpler, less prone to mistakes and therefore more secure. While software-based encryption requires a license for any server on which it runs, centralized key management is a standard feature of Data Protector 6.1 that requires no additional licensing. Without centralized key management, server-specific files containing the current and past encryption keys must be stored on each individual server for backup and restore. This can result in a large number of widely distributed key files. Keeping them secure and synchronized requires careful manual work and can involve many different people just to keep up with the administration. Not only do these manual tasks make mistakes more likely, the security risk is higher simply because the number of people with access to secret material increases.
With Data Protector 6.1, all keys used for software-based or LTO4 drive-based encryption are kept in a centralized, secure location, which simplifies administration and reduces both exposure and the chance of human error. The encryption keys are themselves encrypted, both for storage and for any transfer to a server that needs them. The keys are managed by the Data Protector Cell Manager and made available as and where needed to any server in the cell, rather than being stored in individual files on each server. Using the Manager of Managers capability of Data Protector, key management can be done across multiple cells.
So with Data Protector 6.1 there are no longer individual, server-by-server key files that must be created, managed, shared, moved and backed up. Encryption key management is virtually automatic and transparent, reducing security exposure as well as the opportunity for mistakes that could result in loss of data.
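The following model, added here as an illustration and not code from Data Protector or HP, shows the key-handling properties the post describes: data keys live only in a central store, are kept wrapped under a master key at rest, are handed to a backup client wrapped under a per-client transport key, every hand-out is recorded, and a restore on a second server needs no per-server key file. It also shows the two failure modes the post warns about: a lost key makes the tape unrecoverable, and a wrong key is rejected rather than yielding garbage. The class and function names are hypothetical, the sample data is constructed, and the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen so the example runs with the standard library alone; real products use AES.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent subkeys for encryption and authentication."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in keystream (illustrative, not AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a wrong key raises, it never returns garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class CentralKeyStore:
    """Hypothetical central key manager (the role the post assigns to the Cell Manager).

    Data keys are stored only wrapped under the store's master key and leave the
    store only wrapped under the requesting client's transport key. Each hand-out
    is written to an audit list, so the set of people and hosts that ever saw a
    key is small and known.
    """

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)
        self._wrapped = {}   # key_id -> data key wrapped under the master key
        self._clients = {}   # client name -> transport key shared with that client
        self.audit = []      # (client, key_id) for every key hand-out

    def register_client(self, name: str) -> bytes:
        self._clients[name] = secrets.token_bytes(32)
        return self._clients[name]

    def create_key(self) -> str:
        key_id = secrets.token_hex(8)
        self._wrapped[key_id] = encrypt(self._master, secrets.token_bytes(32))
        return key_id

    def fetch_key(self, key_id: str, client: str) -> bytes:
        """Return the data key wrapped for `client`; an unknown id means the data is lost."""
        self.audit.append((client, key_id))
        if key_id not in self._wrapped:
            raise KeyError(f"no key {key_id}: backups made with it are unrecoverable")
        data_key = decrypt(self._master, self._wrapped[key_id])
        return encrypt(self._clients[client], data_key)


def backup(store: CentralKeyStore, client: str, transport_key: bytes, data: bytes):
    """Encrypt `data` under a fresh central key; the tape carries only the key id."""
    key_id = store.create_key()
    data_key = decrypt(transport_key, store.fetch_key(key_id, client))
    return key_id, encrypt(data_key, data)


def restore(store: CentralKeyStore, client: str, transport_key: bytes,
            key_id: str, tape: bytes) -> bytes:
    """Any registered client can restore: the key comes from the store, not a local file."""
    data_key = decrypt(transport_key, store.fetch_key(key_id, client))
    return decrypt(data_key, tape)


def demo() -> dict:
    store = CentralKeyStore()
    tk_a = store.register_client("server-a")
    tk_b = store.register_client("server-b")
    data = b"payroll.db contents (constructed sample)"
    key_id, tape = backup(store, "server-a", tk_a, data)
    restored = restore(store, "server-b", tk_b, key_id, tape)  # different server, same store
    result = {"restored": restored == data, "lost_key": False, "wrong_key": False}
    try:  # placeholder id that was never created: the post's "lost key" case
        restore(store, "server-b", tk_b, "0000000000000000", tape)
    except KeyError:
        result["lost_key"] = True
    try:  # random key against the tape: rejected, not decrypted to garbage
        decrypt(secrets.token_bytes(32), tape)
    except ValueError:
        result["wrong_key"] = True
    result["audit_entries"] = len(store.audit)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the `audit` list is that with a central store the question "who has ever held this key?" has an answer; with per-server key files it does not. Note that the store's master key is the one secret that must itself be backed up and guarded, since losing it loses every wrapped key at once.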
Posted 04-03-2009 3:07 PM by Jtisevich