Is this the same trusting yet risky behavior you take when protecting your data? More specifically, is this how you handle your data stored on removable media, like LTO tape?
Without question, tape has been transitioning from a primary backup target to, most recently, a medium for long-term retention and very cost-effective archive storage. Tape is even finding a new way to be a “Data Protection Super Hero,” protecting data from cyber threats and ransomware. Most ransomware threats attack file systems. Because data stored on tape is not presented as a file system, a number of our customers have been able to thwart ransomware attacks: they had copies of their data on tape.
If you have tape for any of these purposes—even if you don’t plan to ever have the media leave the security of your data center—are you using the native encryption feature of the LTO technology? Why not?
Not encrypting media is similar to leaving your doors unlocked, allowing anyone with bad intentions full access to your possessions. There is no excuse for not encrypting every piece of media for all types of data:
- Native LTO drive encryption does not negatively impact performance.
- Native LTO encryption does not reduce the usable capacity of a tape cartridge.
- Native LTO encryption has a very small licensing fee, which is so low it is considered “free” by most customers.
- LTO drive encryption is compatible with cloud technology.
To use the native LTO encryption, you’ll need to make sure you have a key manager available. Quantum’s Scalar® Key Manager (SKM) appliance is FIPS 140-2 compliant and very affordable when considering the value it delivers. If FIPS compliance is not required and you would rather have a virtualized key manager, SKM is also available running on VMware and Kernel-based Virtual Machine (KVM).
Whatever you decide to use as a key manager, a “must-have requirement” is the Key Management Interoperability Protocol (KMIP). Prior to KMIP, each vendor had to develop its own proprietary key manager, which in some cases made it impossible for customers to upgrade their tape libraries and tape drives to newer, faster, and more reliable technology. KMIP is a ratified standard that allows encryption keys to be exchanged by key managers from different vendors, and yes, Quantum’s products are KMIP compliant. Quantum understands this and has developed technology that allows us to import keys from other vendors’ key managers into SKM, including from legacy non-compliant key managers.
Can LTO encryption help meet federal government, Securities and Exchange Commission (SEC), and Health Insurance Portability and Accountability Act (HIPAA) compliance and regulatory requirements?
A number of regulatory agencies require protection for data stored on removable media—LTO encryption meets these requirements. In addition to providing hardware-based data encryption, LTO also supports WORM (write once, read many) technology which prevents data from being modified after it has been written. The WORM requirement is typically found in medical, financial, and investment organizations, and businesses that deal in stock trading markets. LTO Consortium has sponsored a white paper on the topic, and the SEC has provided more detailed information specific to their regulations.
Is It Time to Lock the Doors?
If you might be required to encrypt all of your media in the future, you need to start now. Once a tape has been written, you can’t add encryption without initializing the cartridge and implementing encryption starting with the first use.
So the real questions are “Why am I not encrypting?” and “How do I implement encryption?” instead of “Why should I encrypt?” The cost of encryption is minuscule in comparison to the penalty of stolen data, just like the 30 seconds to lock your doors is a minimal investment to protect your entire house.