Re: [Networker] Encryption options other use with Networker

2010-04-07 19:39:14
Subject: Re: [Networker] Encryption options other use with Networker
From: "Ryan, Dan" <DRyan AT MEDPLUS DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Wed, 7 Apr 2010 19:35:57 -0400
Thanks for all of the information.  I'm mostly going with how our parent
company has interpreted this, as well as including contracts and
preventing a lawsuit in the future.  For healthcare companies, there is
so much regulation around privacy that one event could wipe our company out
and ruin its reputation.   I appreciate the links to the documents and
the thoughts on the legal aspect of it, but I'm going on this based upon
what I've had to answer for contracts and questions I had to answer for
our parent company.

We use a third-party vendor for offsite, who has had well-documented and
publicized incidents of losing tapes in the past.  Even
though we have a Chain of Control in regards to the media and
responsibility, people do not get that warm and fuzzy when they are sent
a disclaimer that media records have been exposed to an outside party.
Credit cards and financials are one thing that can be corrected and
changed pretty quickly.  You cannot go back and change medical records.


Ultimately, I believe the best design IMO is to use replication and a
tape library at the target site, which keeps everything internally within
the company, at multiple sites, and theoretically limits the exposure
inside the company and to breaches.   Both of those are typically
standard risks whenever you design a product in general.

As for the LTO encryption articles, thank you for the link, David.



Dan Ryan
www.MedPlus.com

-----Original Message-----
From: EMC NetWorker discussion [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On Behalf Of David Magda
Sent: Saturday, April 03, 2010 2:37 PM
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Subject: Re: [Networker] Encryption options other use with Networker

On Apr 2, 2010, at 19:11, Ryan wrote:

> I don't know about any KMS built-in utility that NetWorker owns.  I
> think that KMS is built into the tape drive, although I think it all
> depends upon the vendor how those keys are managed.

KMS stands for key management system, and it's unlikely that it's
either in the LTO-4 tape drive or the SL500 library.

For LTO-4 encryption, the key is sent to the drive from
another source. Now this can be either from the backup software (in
the case of NetBackup, but not NetWorker AFAIK), or an appliance that
sits on your network such as:

http://www.netapp.com/us/products/storage-security-systems/lifetime-key/
http://www.oracle.com/us/products/servers-storage/storage/tape-storage/029154.htm
http://www.quantum.com/Products/TapeLibraries/ScalarKeyManager/Index.aspx
http://www.rsa.com/node.aspx?id=3485
http://www-01.ibm.com/software/tivoli/products/key-lifecycle-mgr/

When an LTO-4 drive wants to encrypt a volume, it needs a key for the
AES algorithm. It needs to get it from somewhere: either software, an
appliance, or the library (e.g., Fujitsu's ETERNUS has this option).
Similarly, if you want to read the tape, the drive has to get the key
from wherever it got it in the first place.

So if you want to use LTO-4's hardware AES encryption, you need a key
source. I believe this is what Stanley was referring to in Option 4.

To sign off this list, send email to listserv AT listserv.temple DOT edu and
type "signoff networker" in the body of the email. Please write to
networker-request AT listserv.temple DOT edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

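Added example, not code from this thread or from any of the products it names: a Go model of the key-source arrangement David describes, where a drive only seals or opens a volume with an AES-256-GCM key it fetches from an external key manager, so a second drive can read the tape only if it reaches the same manager. The KeyManager, Tape, WriteTape and ReadTape names and the in-memory map of volume label to key are assumptions made for the example; the real drive-to-manager key protocol is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyManager models the external key source (backup software or a KMS appliance); this in-memory map is an example assumption.
type KeyManager map[string][]byte

// KeyFor hands a drive the AES-256-GCM cipher for a volume, minting the key on first use when create is true.
func (km KeyManager) KeyFor(volume string, create bool) (cipher.AEAD, bool) {
	k, ok := km[volume]
	if !ok && !create {
		return nil, false
	}
	if !ok {
		k = make([]byte, 32)
		rand.Read(k) // crypto/rand: the key is generated in the manager, not in the drive
		km[volume] = k
	}
	block, _ := aes.NewCipher(k) // a 32-byte key cannot fail here
	aead, _ := cipher.NewGCM(block)
	return aead, true
}

// Tape models the cartridge: label, nonce and ciphertext, never the key itself.
type Tape struct {
	Volume            string
	Nonce, Ciphertext []byte
}

// WriteTape encrypts with the key the source supplies, binding the label as AAD.
func WriteTape(km KeyManager, volume string, data []byte) *Tape {
	aead, _ := km.KeyFor(volume, true)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // fresh nonce per write so one key may seal many tapes
	return &Tape{volume, nonce, aead.Seal(nil, nonce, data, []byte(volume))}
}

// ReadTape succeeds only when km is the key source that was used at write time.
func ReadTape(km KeyManager, t *Tape) ([]byte, error) {
	aead, ok := km.KeyFor(t.Volume, false)
	if !ok {
		return nil, errors.New("key source has no key for volume " + t.Volume)
	}
	return aead.Open(nil, t.Nonce, t.Ciphertext, []byte(t.Volume))
}
```

Back up or replicate the manager's key store alongside the tapes: a cartridge whose key source is gone is just ciphertext.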