Securing Sensitive Information: Securing data with LTO-4 tape drive encryption
Each month many companies, big or small, well known or unknown, experience a data security loss with the potential exposure of thousands to millions of sensitive customer or employee records. Recent regulatory actions have made such losses much more onerous. Corporations need to reduce the financial risks of a security breach as well as protect their brand reputation. As such, corporate management is looking to CIOs to minimize these risks with effective security for all sensitive corporate data, wherever it may reside.
Encryption has emerged as a best-practice mechanism for mitigating security breach risk. As an important consideration for corporate officers, cryptographic methods that can mitigate the risks associated with data security breaches are examined here, specifically tape data encryption. LTO technology is the most widely adopted data storage tape format, and as such LTO-4 drive encryption is discussed below.
LTO-4 tape drive encryption is specified as part of the LTO-4 open standard format: a 256-bit symmetric key AES-GCM algorithm implemented in tape drive hardware that fully supports the IEEE standard (P1619.1) for tape-based encryption and the new SCSI encryption augmented (T10) command set. The symmetric key is transmitted to the tape transport before it is used to encrypt data written to, or decrypt data read from, the media.
The key is not transferred to the tape cartridge and is retained by the drive only during the encryption process. Instead, a key identification tag is written and stored on the tape volume. This key identification tag on the tape media gives the key management system an efficient search path to the information it needs to recall the required encryption key.
Transmission of the keys to the LTO-4 tape drives is typically accomplished by using a backup application that supports application managed encryption (AME), a tape library that supports library managed encryption (LME), or a key management appliance. Most organizations implement LME, and tape libraries from IBM, HP, Quantum, Sun and others support LME tape encryption.
With LME, the tape library has a list of cartridge volume serial numbers that are designated for encryption.
- The backup application requests a mount of a cartridge that is in the library encryption list.
- The library uses the library-to-drive interface to tell the drive to encrypt data on that cartridge.
- The drive requests a symmetric key from the key management software via the library's IP interface to the key management system, and also requests a key tag for the drive to store on the cartridge for subsequent symmetric key identification.
In addition, LME encryption is transparent to the backup application, so usually no changes are needed to backup applications. LME can be ideal for environments with a number of heterogeneous backup applications or servers.
LTO-4 tape libraries can sometimes be partitioned to further support the separation of encrypted from non-encrypted data. Specifically, one or more partitions can be configured to accept only encrypted data, whereas the remaining partition(s) accept only non-encrypted data. Some libraries with advanced library management capabilities provide security-policy-based selection of encryption and specific keys; these can dynamically support a mix of encrypted and non-encrypted cartridges in variable slot locations without needing to use partitions.
Both compression and encryption significantly modify data, and an LTO-4 tape drive can perform both on the same data on a given tape. In this case, the LTO-4 tape drive first compresses user data and then encrypts it. Thus the LTO-4 drive can maximize tape cartridge data capacity and address data security concerns. Also, encrypted data can be added or appended to an LTO-4 encrypted tape cartridge, allowing the cartridge capacity to be fully utilized.
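As an added example (not code from this page or from any vendor's drive or library firmware), the Go program below models the two points made above for one tape block: the drive compresses user data and then encrypts it with AES-256-GCM under a key the key manager issued, writes only the key tag, nonce and ciphertext to the cartridge, and on read recalls the key by the tag stored on the media. KeyStore, Record, WriteBlock and ReadBlock are hypothetical names, and the record layout is a simplification rather than the LTO-4 on-tape format.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// KeyStore stands in for the key management system (hypothetical name): key tag -> 256-bit key.
type KeyStore map[string][]byte

// Record is one block as written to tape: key tag, nonce and AES-GCM
// ciphertext with its auth tag. No key material is stored on the cartridge.
type Record struct {
	KeyTag      string
	Nonce, Data []byte
}

// WriteBlock models the drive: it compresses user data first, then encrypts it under
// the key the KMS issued for tag. Ciphertext does not compress, so the reverse order
// would waste cartridge capacity.
func WriteBlock(key []byte, tag string, plain []byte) Record {
	var buf bytes.Buffer
	zw, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	zw.Write(plain)
	zw.Close()
	block, _ := aes.NewCipher(key) // a 32-byte key selects AES-256
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return Record{tag, nonce, gcm.Seal(nil, nonce, buf.Bytes(), []byte(tag))} // tag is bound as AAD
}

// ReadBlock recalls the key by the tag read from the cartridge, verifies and decrypts, then decompresses.
func ReadBlock(ks KeyStore, r Record) ([]byte, error) {
	key, ok := ks[r.KeyTag]
	if !ok {
		return nil, errors.New("key management system holds no key for tag " + r.KeyTag)
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	z, err := gcm.Open(nil, r.Nonce, r.Data, []byte(r.KeyTag))
	if err != nil {
		return nil, err // wrong key, altered data or mismatched key tag
	}
	return io.ReadAll(flate.NewReader(bytes.NewReader(z)))
}
```

A cartridge whose tag has been retired from the key store is unreadable even though the ciphertext is intact, which is why the key management system, not the media, is the asset to protect and back up.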