We have just been hit with the new HITECH regulations, which require any and
all backups that go to tape or external media to be encrypted.
The majority of the data affected resides in our Oracle databases, which is
about 22 TB for each full for the 5 major DBs in our environment that contain
PHI, PCI or SOX related data.
Now I know, we should already have a solution in place, but the company I work
for is very slow to move on anything until the last second. We are stuck in a
very bad situation because of our infrastructure. We have a CDL 710, and EMC
3D1500 (which is about to be replaced with a DD880), and a SL500 tape library.
Most of the larger DBs are on two hosts configured as dedicated storage
nodes, to back up 17 TB of the data.
The way I've looked at it, there are really only a couple of solutions because
we don't have the additional capacity and the ultimate goal is to have
the tape copy encrypted. The biggest hiccup is that NSR clone cannot
encrypt the tape copy unless the original copy is encrypted, without the use of
a 3rd party appliance or LTO4 drives. These are the options I can think of:

1.) Use the AES option on the NW/NMO agent to encrypt on the RMAN backup -
    cons - lose ability to compress on the CDL, will not have a dedupe ratio,
    and will add CPU overhead to the client.
2.) Use the options in RMAN to compress and encrypt the DB - cons - lose the
    ability to dedupe on the appliance, CPU overhead within the DB which could
    affect the application, compression on the CDL or DD appliance will be
    minimal.
3.) Leave the backup unencrypted and use a 3rd party appliance to encrypt the
    data between cloning (i.e. the Decru product).
4.) Leave the backup unencrypted to CDL or DD880 and use LTO4 drives. Use the
    key management within the vendor to encrypt on the tape level.

Ultimately, I would like to go tapeless, but even with dedupe on a DD, I doubt
we can keep 7 years' worth of data on disk. I would like to see if I'm
missing something in terms of options and what others have used to get around
the issues. We do not have an offsite location for recovery until later in
the year (I know... very dangerous, but that's how my company operates).
Does anyone have suggestions?
Thanks,
Dan Ryan
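
The cons listed for options 1 and 2 (no dedupe ratio and minimal compression once the client encrypts) can be measured on a small scale. The sketch below is an added example, not part of the original post and not NetWorker or RMAN code. It assumes fixed 4 KB dedupe segments and a fresh nonce per backup run, uses constructed sample data, and substitutes a SHA-256 counter-mode stream for AES to stay within the standard library.

```python
import hashlib
import zlib

CHUNK = 4096  # assumed fixed dedupe segment size; real appliances vary

def make_backup(changed_block=None):
    """Constructed sample: 64 repetitive 'database blocks' of CHUNK bytes."""
    ids = list(range(64))
    if changed_block is not None:
        ids[changed_block] = 9999  # one block differs from the previous full
    return b"".join(((b"ROW %06d PATIENT RECORD " % n) * 158)[:CHUNK] for n in ids)

def encrypt(data, key, nonce):
    """Stand-in stream cipher (SHA-256 in counter mode), not AES, not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def dedupe_ratio(backups):
    """Segments written by the client divided by unique segments stored."""
    total, unique = 0, set()
    for data in backups:
        for off in range(0, len(data), CHUNK):
            unique.add(hashlib.sha256(data[off:off + CHUNK]).digest())
            total += 1
    return total / len(unique)

def compress_ratio(data):
    """Original size divided by zlib-compressed size."""
    return len(data) / len(zlib.compress(data))

def compare():
    key = b"constructed-demo-key"
    fulls = [make_backup(), make_backup(changed_block=7)]
    # Assumption: each backup run is encrypted under a fresh nonce/IV.
    enc = [encrypt(d, key, b"run-%d" % i) for i, d in enumerate(fulls)]
    return {
        "plain_dedupe": dedupe_ratio(fulls),
        "encrypted_dedupe": dedupe_ratio(enc),
        "plain_compress": compress_ratio(fulls[0]),
        "encrypted_compress": compress_ratio(enc[0]),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.2f}")
```

Two nearly identical unencrypted fulls dedupe at close to 2:1 and compress well, while the same data encrypted before it reaches the appliance stores every segment as unique and does not compress, which is the trade-off that favours encrypting at the tape drive or in-line appliance (options 3 and 4).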