Re: [Networker] What's EMC/NetWorker's answer to Symantec's NetBackupenc

NeoScale have already opened up their API's

This war between netApp and EMC is annoying. No support for SnapVault, for
example!

Siobhan


On 15/12/06 11:24 AM, "Peter Viertel" <Peter.Viertel AT MACQUARIE DOT COM> 
wrote:

> Our friendly Decru sales rep tells us their key management platforms
> api's are being opened up so that netbackup and other vendors such as
> storagetek drives can work with them - so you can envisage a complex
> site - with a mix of solutions, but one key management platform...   Now
> that's something to ask EMC which way they're heading ( but as per
> previous comment regarding netapp owning decru, I have an expectation
> that we'll be waiting a long time for something).
> 
> -----Original Message-----
> From: EMC NetWorker discussion [mailto:NETWORKER AT listserv.temple DOT edu] 
> On
> Behalf Of Curtis Preston
> Sent: Friday, 15 December 2006 11:12 AM
> To: NETWORKER AT listserv.temple DOT edu
> Subject: Re: [Networker] What's EMC/NetWorker's answer to Symantec's
> NetBackupencryption on the backup server
> 
>> There are two problems with doing data encryption on the backup server.
> 
> And there are problems with doing it at the app server too.
> Nothing's free. ;)
> 
>> First, allowing the data to remain unencrypted at the application level
> 
>> does nothing to ensure data confidentiality on the applications server
> 
> Agreed
> 
>> which is also where the greatest security vulnerability lies,
>> especially with web based applications.
> 
> Disagree.  These vulnerabilities are known and addressed.  (It's a
> continuing process and you can't assume it's been done, but it could
> happen.)
> 
> The biggest vulnerability, IMHO, is that you're handing a plain text
> backup tape to a complete stranger that could lose it or steal it.
> There's no amount of tracking you can put in place to ensure that never
> happens.
> 
>> Second, if you encrypt your data at the level of the backup device such
> 
>> as what Neoscale and DeCru do, you get no protection until the data
>> gets to the encryption device, which is a bad thing for those of us who
> 
>> back up data over an untrusted network.
> 
> Then use untrusted network backup software, or VPN software.  That's
> solving a different problem.  If you fix the lost backup tape problem
> with backup software or application encryption, then you cause OTHER
> problems, like the loss of all compression on your tape devices (ouch).
> It also has HUGE performance ramifications.  If you're cool with that,
> then have a blast.
> The tape hardware encryption option solves a problem and doesn't hurt
> anything other than your pocketbook.
> 
>> A better solution for security purposes is to keep the data always
>> encrypted beginning with the point of collection.
> 
> Yes, but that has other ramifications.  See above.
> 
>> Waiting to encrypt the data at the point of backing it up is too late
>> in my view.
> 
> It depends on the problem you're trying to solve.
> 
>> There is also the issue of who manages the encryption keys. Do you want
> 
>> to manage your organizations encryption keys? I sure don't. The
>> solution I am looking at encrypts data at the beginning of its life
>> cycle and provides tight control over who can access the encryption
>> keys.
> 
> Which brings me to another point.  I like what I've seen in key
> management with the hardware encryption boxes.  I HATE what I've seen
> with everything else.  If you're going to encrypt data at rest, you'd
> better have really good key mgmt, and the only one's I've seen with that
> SO FAR are these hardware boxes.
> 
> So, I AGREE that IF you could encrypt it at the source, and IF you could
> manage the keys well, and IF you didn't hurt anything (performance,
> compression), then you should do it.  I just haven't found anyway to do
> that yet.  But I have found a way to solve this one problem without
> hurting anything else.
> 
> To sign off this list, send email to listserv AT listserv.temple DOT edu and
> type "signoff networker" in the body of the email. Please write to
> networker-request AT listserv.temple DOT edu if you have any problems with 
> this
> list. You can access the archives at
> http://listserv.temple.edu/archives/networker.html or via RSS at
> http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
> 
> 
> NOTICE
> This e-mail and any attachments are confidential and may contain copyright
> material of Macquarie Bank or third parties. If you are not the intended
> recipient of this email you should not read, print, re-transmit, store or act
> in reliance on this e-mail or any attachments, and should destroy all copies
> of them. Macquarie Bank does not guarantee the integrity of any emails or any
> attached files. The views or opinions expressed are the author's own and may
> not reflect the views or opinions of Macquarie Bank.
> 
> To sign off this list, send email to listserv AT listserv.temple DOT edu and 
> type
> "signoff networker" in the body of the email. Please write to
> networker-request AT listserv.temple DOT edu if you have any problems with 
> this list.
> You can access the archives at
> http://listserv.temple.edu/archives/networker.html or
> via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
> 


Siobhán

To sign off this list, send email to listserv AT listserv.temple DOT edu and 
type "signoff networker" in the body of the email. Please write to 
networker-request AT listserv.temple DOT edu if you have any problems with this 
list. You can access the archives at 
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
Re: [Networker] What's EMC/NetWorker's answer to Symantec's NetBackupencryption on the backup server
