Re: [Networker] Encryption options other use with Networker

2010-04-02 12:13:34
Subject: Re: [Networker] Encryption options other use with Networker
From: "STANLEY R. HORWITZ" <stan AT TEMPLE DOT EDU>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Fri, 2 Apr 2010 12:10:45 -0400

On Apr 2, 2010, at 11:19 AM, Ryan wrote:

> We have just got hit with the new HITECH regulations to encrypt any and all 
> backups that go to tape or external media.  The majority of the data 
> affected resides in our Oracle databases, which is about 22 TB for each 
> full for the 5 major DBs for our environment that contain PHI, PCI or SOX 
> related data. 
> 
> Now I know, we should already have a solution in place, but the company I 
> work for is very slow to move on anything until the last second.   We are 
> stuck in a very bad situation because of our infrastructure.   We have a CDL 
> 710, and EMC 3D1500 (which is about to be replaced with a DD880), and a SL500 
> tape library.  Most of the larger DBs are on two hosts configured as 
> dedicated storage nodes, to back up 17 TB of the data.  
> 
> The way I've looked at it, there are really only a couple of solutions because 
> we don't have the additional capacity and the fact that the ultimate goal is 
> to have the tape copy encrypted.  The biggest hiccup is that NSR clone 
> cannot encrypt the tape copy unless the original copy is encrypted without 
> the use of a 3rd party appliance or LTO 4 drives.  These are the options I 
> can think of:
> 
> 1.) use the AES option on the NW/NMO agent to encrypt on the RMAN backup - 
> cons - lose ability to compress on the CDL, will not have a dedupe ratio, 
> and will add CPU overhead to the client
> 
> 2.) Use the options in RMAN to compress and encrypt the db - cons - lose the 
> ability to dedupe on the appliance, CPU overhead within the db which could 
> affect the application, compression on the CDL or DD appliance will be minimal
> 
> 3.) leave the backup unencrypted and use a 3rd party appliance to encrypt the 
> data between cloning (i.e. the Decru product).
> 
> 4.) leave the backup unencrypted to CDL or DD880 and use LTO4 drives.  Use 
> the Key management within the vendor to encrypt on the tape level.  
> 
> Ultimately, I would like to go tapeless, but even with dedupe on a DD, I 
> doubt we can keep 7 years' worth of data on disk.  I would like to 
> see if I'm missing something in terms of options and what others have used to 
> get around the issues.  We do not have an offsite location for recovery, 
> until later in the year (I know......very dangerous, but that's how my 
> company operates).   Does anyone have suggestions 

Ryan, I think options 3 or 4 would probably be best, but the best choice 
depends on your budget and some other factors you didn't disclose such as 
required restore times. 
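
The quoted options 1 and 2 both give up compression and deduplication on the CDL/DD appliance, while options 3 and 4 keep the appliance copy in plaintext. The Python below is an added example, not part of the original thread, that measures this effect on constructed data. The sample rows, the 4 KiB fixed chunk size and the SHA-256 keystream (a stand-in for AES so that only the standard library is needed) are assumptions.

```python
import hashlib
import os
import zlib

CHUNK = 4096  # fixed-size dedupe chunk (assumption; appliances typically chunk differently)

def sample_full(rows: int = 20000) -> bytes:
    """Constructed stand-in for a database full: 40-byte text rows."""
    return "".join(f"{i:08d},ACCOUNT,{i % 97:04d},ACTIVE,2010-04-02\n"
                   for i in range(rows)).encode()

def keystream_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode) so the example needs only the
    standard library. It models cipher output statistically; not for real data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def compression_ratio(data: bytes) -> float:
    return len(data) / len(zlib.compress(data))

def dedupe_ratio(backups: list) -> float:
    """Logical chunks written divided by unique chunks kept."""
    chunks = [b[i:i + CHUNK] for b in backups for i in range(0, len(b), CHUNK)]
    return len(chunks) / len({hashlib.sha256(c).digest() for c in chunks})

def measure() -> dict:
    key = os.urandom(32)
    full1 = sample_full()
    changed = bytearray(full1)
    pos = 2500 * 40 + 22                  # status field of row 2500
    changed[pos:pos + 6] = b"CLOSED"      # second full differs in one row only
    full2 = bytes(changed)
    # Fresh nonce per backup, as a sound encryption setup would use.
    enc1 = keystream_encrypt(full1, key, os.urandom(16))
    enc2 = keystream_encrypt(full2, key, os.urandom(16))
    packed = keystream_encrypt(zlib.compress(full1), key, os.urandom(16))
    return {
        "compress_plain": compression_ratio(full1),           # options 3/4
        "compress_after_encrypt": compression_ratio(enc1),    # option 1: appliance sees ciphertext
        "compress_before_encrypt": len(full1) / len(packed),  # option 2: compress at the source
        "dedupe_plain": dedupe_ratio([full1, full2]),         # options 3/4
        "dedupe_encrypted": dedupe_ratio([enc1, enc2]),       # options 1/2
    }

if __name__ == "__main__":
    for name, value in measure().items():
        print(f"{name:26s} {value:6.2f}")
```

Compressing before encrypting preserves the compression ratio, but two nearly identical fulls still share no chunks once encrypted, which is why the dedupe ratio stays at 1.0 for options 1 and 2.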
