Quantum Goes Big on Encryption

Hardware-based encryption and robust key management become staples of the company's tape libraries and DXi disk systems.

Quantum Corp. of San Jose, CA has caught the security bug in a big way.

Its tape libraries are equipped with Quantum's Encryption Key Manager (Q-EKM), and its DXi disk-based systems harness Advanced Encryption Standard (AES) 256-bit encryption when two DXi's are used for replication The DXi's also have built in de-duplication in order to reduce backup windows.

Q-EKM manages encryption keys across multiple Quantum libraries. It operates out of the data path to look after the encryption keys used on LTO-4 drives. Q-EKM is Java based. Keys are maintained in a centralized key store. These keys are harnessed by the tape drive to encrypt information being written to tape media – and decrypt from tape media. As the keys pass through the library-to-drive interface rather than the data path, encryption is transparent to users and applications.

"Q-EKM encryption occurs out of the data path, therefore it does not impact backup performance and does not require restoration in the exact system that encrypted the data," said Robert Callaghan, senior product manager, Security and Enabling Solutions for Quantum. "Encryption keys generated by Q-EKM are transferred to any library attached to the IP-based Q-EKM system. The benefit of Q-EKM's approach is that it is an enterprise class solution that does not require each individual application or library to manage the keys."

Quantum, explains Callaghan, offers a three-pronged security framework for its customers. First, it provides security solutions that control data access. This includes Quantum's LTO-4 half-height and LTO-4 full-height drive offerings that incorporate the native LTO-4 tape drive encryption standard.

The company also certifies appliance-based encryption hardware from companies like Decru (owned by Network Appliance Inc. of Sunnyvale, CA) as well as ISV-based key management from various vendors who are developing these solutions. And it encrypts replicated data within its own line of disk-backup solutions.

Secondly, Quantum provides administrative access systems. These include the use of user authentication, role based access (RBAC), audit logging, SSL/SSH and Q-EKM. These administrative tools are designed to give the storage administrator more control of data while denying access to storage systems and the underlying data to hackers and other undesirables.

"We currently provide embedded solutions that encrypt data on tapes, such as the native encryption technology found in LTO-4 tape drives, or encrypting replicated data between our DXi-Series disk backup and data de-duplication systems," said Callaghan.

Finally, the company offers physical access controls such as locks on tape library and disk systems. It also consults on best practices when it comes to things like transporting tape cartridges and managing security keys.

"In terms of the backup, recovery and archive of data, Quantum is most focused on securing the data in-flight – providing encryption protection of that data when it is written to tape media that may leave the security of the library or go exterior to the data center," said Callaghan. "That also includes ensuring the encrypted data can be recovered again for archive or disaster recovery purposes – via a centralized key management solution."

These products, of course, go up against point products from encryption specialists. But that side of the industry is going through a rough patch. Witness the demise of NeoScale and Kasten Chase.

"Being a standalone storage encryption vendor is an increasingly difficult business model, as evidenced by NeoScale's decline late last year," said Callaghan.

However, he concedes that encryption appliances meet a certain need, especially for those companies that must have the highest level of FIPS certification, are in the most highly regulated industries, and have the budget to support it. As a result, Quantum will continue to support compatibility with these appliances. Long-term, though, he believes the trend is headed towards the embedded native encryption model, in conjunction with centralized standards-based key management.

Data Protection Mandate

These days, it seems that major data breaches have become a weekly occurrence According to Enterprise Strategy Group of Milford, MA, lost or stolen data can cost a company anywhere from $25 to $150 per record (i.e. one million records equals $150M). And that doesn't include intangibles such as damage to the company reputation and brand, loss of business and adverse impact to the company's stock. Quantum, therefore, is investing heavily in the security side to ensure its products provide adequate levels of security.

"We see security becoming an embedded feature of most storage solutions, which is obviously much more cost-effective for customers from the SMB into the enterprise," said Callaghan. "That's why Quantum is active in a number of security and technology standards groups working to create security standards for encryption and key management."

This article was first published on EnterpriseITPlanet.com.

Comment and Contribute


(Maximum characters: 1200). You have characters left.