Networker

[Networker] Encryption options other use with Networker

2010-04-02 11:22:21
Subject: [Networker] Encryption options other use with Networker
From: Ryan <networker-forum AT BACKUPCENTRAL DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Fri, 2 Apr 2010 11:19:41 -0400
We have just been hit with the new HITECH regulations, which require any and 
all backups that go to tape or external media to be encrypted.  
The majority of the data affected resides in our Oracle databases, which is 
about 22 TB for each full for the 5 major DBs in our environment that contain 
PHI, PCI or SOX related data. 

Now I know, we should already have a solution in place, but the company I work 
for is very slow to move on anything until the last second.  We are stuck in a 
very bad situation because of our infrastructure.  We have a CDL 710, an EMC 
3D1500 (which is about to be replaced with a DD880), and a SL500 tape library.  
Most of the larger DBs are on two hosts configured as dedicated storage 
nodes, to back up 17 TB of the data.  

The way I've looked at it, there are really only a couple of solutions, because 
we don't have the additional capacity and the ultimate goal is to have 
the tape copy encrypted.  The biggest hiccup is that NSR clone cannot 
encrypt the tape copy unless the original copy is encrypted, without the use of 
a 3rd party appliance or LTO 4 drives.  These are the options I can think of:

1.) Use the AES option on the NW/NMO agent to encrypt on the RMAN backup - 
cons - lose ability to compress on the CDL, will not have a dedupe ratio, and 
will add CPU overhead to the client

2.) Use the options in RMAN to compress and encrypt the DB - cons - lose the 
ability to dedupe on the appliance, CPU overhead within the DB which could 
affect the application, compression on the CDL or DD appliance will be minimal

3.) Leave the backup unencrypted and use a 3rd party appliance to encrypt the 
data between cloning (i.e. the Decru product).

4.) Leave the backup unencrypted to CDL or DD880 and use LTO4 drives.  Use the 
key management within the vendor to encrypt on the tape level.  

Ultimately, I would like to go tapeless, but even with dedupe on a DD, I doubt 
we can keep 7 years' worth of data on disk.  I would like to see if I'm 
missing something in terms of options and what others have used to get around 
the issues.  We do not have an offsite location for recovery until later in 
the year (I know... very dangerous, but that's how my company operates).  
Does anyone have suggestions?

Thanks,

Dan Ryan

+----------------------------------------------------------------------
|This was sent by dryan AT medplus DOT com via Backup Central.
|Forward SPAM to abuse AT backupcentral DOT com.
+----------------------------------------------------------------------
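
Added example, not part of the original post: a small measurement of why options 1 and 2 (encrypting at the client or in RMAN) cost the compression and dedupe ratio on the disk appliance, while options 3 and 4 leave the disk copy in a form the appliance can still reduce. The data is constructed, the 4 KB fixed-block dedupe is an assumption, and a SHA-256 counter-mode keystream stands in for AES so the block runs with the standard library only.

```python
import hashlib
import zlib

BLOCK = 4096  # fixed-size dedupe chunk (assumption; real appliances vary)

def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), NOT AES.
    Used only because its output looks random, like real ciphertext."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (off // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def sample_block(blk: int, version: int = 0) -> bytes:
    """Constructed, row-like data standing in for one database block."""
    rows = "".join(f"{blk:05d}-{r:05d},v{version},STATUS=OK\n" for r in range(200))
    return rows.encode()[:BLOCK]

def sample_full(changed: dict) -> bytes:
    """A 64-block 'full backup'; `changed` maps block number -> version."""
    return b"".join(sample_block(i, changed.get(i, 0)) for i in range(64))

def compression_ratio(data: bytes) -> float:
    return len(data) / len(zlib.compress(data, 6))

def dedupe_ratio(backups: list) -> float:
    """Blocks written divided by unique blocks stored across all backups."""
    total, unique = 0, set()
    for data in backups:
        for off in range(0, len(data), BLOCK):
            total += 1
            unique.add(hashlib.sha256(data[off:off + BLOCK]).digest())
    return total / len(unique)

def measure() -> dict:
    key = b"constructed-demo-key"
    fulls = [sample_full({}), sample_full({10: 1})]  # two fulls, one block changed
    # Client-side encryption: each backup is encrypted under its own nonce/IV.
    enc = [stream_encrypt(key, b"full-%d" % n, f) for n, f in enumerate(fulls)]
    return {
        "plain_compress": compression_ratio(fulls[0]),
        "enc_compress": compression_ratio(enc[0]),
        "plain_dedupe": dedupe_ratio(fulls),
        "enc_dedupe": dedupe_ratio(enc),
    }

if __name__ == "__main__":
    for name, value in measure().items():
        print(f"{name}: {value:.2f}")
```

The cleartext fulls compress several-fold and dedupe close to 2:1 across two nights; the encrypted copies do neither, because a fresh nonce makes even unchanged blocks differ.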
