Networker
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Networker] What's EMC/NetWorker's answer to Symantec's NetBackup encryption on the backup server

2006-12-14 17:16:21
Subject: Re: [Networker] What's EMC/NetWorker's answer to Symantec's NetBackup encryption on the backup server
From: Stan Horwitz <stan AT TEMPLE DOT EDU>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Thu, 14 Dec 2006 17:10:45 -0500 
On Dec 13, 2006, at 5:53 PM — 12/13/06, Tim Mooney wrote:
In regard to: [Networker] What's EMC/NetWorker's answer to Symantec's...: 


What's EMC's answer to this?

Symantec puts encryption on the backup server, 12/12/06
Symantec Tuesday announced a new encryption feature for its flagship
NetBackup backup and recovery software that takes the CPU- intensive load off of application servers and places the burden onto the backup server. 

Someone in marketing at Symantec probably thinks that's a great idea,
while we all know it's potentially a horrible idea.  "Burden", is,
however, a fantastic word choice for their press release, so I commend
them on getting that right.
NetWorker has for years had support for doing encryption over the wire. 
It was extremely weak and almost no one used it.  I've even heard EMC
employees describe it as "a joke". My opinion is that it was added just 
so EMC could have it on a checklist and say they had that feature.
Prior to NetWorker 7.3, the only encryption NetWorker did was so minimal, it was useless. NetWorker 7.3 offers better encryption support, but we all know that moving to that version is not something one should rush into just yet. 

There are two problems with doing data encryption on the backup server.
First, allowing the data to remain unencrypted at the application level does nothing to ensure data confidentiality on the applications server, which is also where the greatest security vulnerability lies, especially with web based applications.
Second, if you encrypt your data at the level of the backup device such as what Neoscale and DeCru do, you get no protection until the data gets to the encryption device, which is a bad thing for those of us who back up data over an untrusted network.
A better solution for security purposes is to keep the data always encrypted beginning with the point of collection. Waiting to do batch encryption would work in some applications, but it still makes the most sense to encrypt the data at the earliest possible point in the life of the data. Waiting to encrypt the data at the point of backing it up is too late in my view.
There is also the issue of who manages the encryption keys. Do you want to manage your organizations encryption keys? I sure don't. The solution I am looking at encrypts data at the beginning of its life cycle and provides tight control over who can access the encryption keys.
I am working with the CISO here on an encryption project and I have successfully gotten that point across. 

To sign off this list, send email to listserv AT listserv.temple DOT edu and type 
"signoff networker" in the body of the email. Please write to networker-request 
AT listserv.temple DOT edu if you have any problems with this list. You can access the 
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Networker] Tape Management/Offsite tape rotation, Tim Nicholson
Next by Date:  Re: [Networker] 2007 USA Daylight Savings Change, Rohrich, James
Previous by Thread:  Re: [Networker] What's EMC/NetWorker's answer to Symantec's NetBackup encryption on the backup server, Tim Mooney
Next by Thread:  Re: [Networker] Driver for tape device, Librado Pamintuan
Indexes:  [Date] [Thread] [Top] [All Lists]