
Upload: maxwell-hardesty

Post on 15-Dec-2015


Tape Encryption

Why is it needed?

Tape backup software is given access to all data on the system.

Tapes are taken off site to a data vault for “security” in case of loss of the physical site.

Tapes are often taken to the vault by the lowest-cost method, i.e. the lowest-cost courier company.


Data saved to tape is not given any security access levels.

An operator can initiate an unauthorised backup to a tape he can then keep without

Theft of a tape is a major problem.

There is no way to tell if a tape has been copied.

Who needs it?


Banks – may be a requirement from the SEC or similar.

Insurance companies – may also be a statutory requirement.

Medical companies – requirement in many countries.

Research groups – data here is almost priceless.

PARANOIA!


In line tape encryption.

Host Independent

System Independent

DES & DES3 level encryption

[Diagram labels: PARANOIA (four units); Server (four)]

Paranoia is a hardware pass through SCSI solution, which encrypts data on the fly even in an unattended backup environment.

[Diagram: Hardware Key and User Key are combined by a function ƒ to give the Encryption Key]

The hardware key is a unique chip installed during manufacture containing the unit’s 8 character key.

The 8 character user key is input by RS232.

The Paranoia performs a logical function between the hardware and user keys, producing a 56-bit encryption key that is unique to the hardware and user key combination.


Original System with tape drive connected via standard SCSI interface.


Add Paranoia unit and connect to Tape drive.

Paranoia interrogates tape drive and then sets itself up on that ID.

[Diagram labels: SCSI Inquiry; ID3 3590E; Tape Drive]

Reconnect system via the Paranoia.

The system is now tested, including reading previously written tapes, to ensure all connections are correct.

A PC is connected to the serial interface and the unit is configured using the Windows GUI programme.

When set to “Not Secure”, all data to and from the tape is unchanged.

[Diagram: unit ID3 3590E set to “Not Secure”; “The quick brown fox jumps over” passes to the tape drive unchanged]

When set to “Secure”, all data to and from the tape is encrypted.

[Diagram: unit ID3 3590E set to “Secure”; plaintext such as “The quick brown fox jumps over” and “The final figure is $8,000” is written to the tape drive as unreadable ciphertext, e.g. “3n%7xklm)-f7jksuw edec”]

Configurations.

[Diagram labels: Host System; ID3 3590E; Tape Drive]

Simple single unit configuration.

Backup to a stand alone tape is encrypted.

[Diagram labels: Host System; ID3 DLT7000; Tape Library; Tape Drive]

Small tape library with single drive allows all tapes in the library to be encrypted.

Library control over SCSI is daisy-chained so that it does not pass through the Paranoia.

[Diagram labels: Host System; Tape Library; Tape Drive (two); ID3 DLT7000]

Small tape library with dual drives, with only one drive able to encrypt data. When reading unencrypted data, this drive can still be used by simply selecting the Non Secure option.

Any data to be sent to an off-site vault can be encrypted, whilst data remaining on site does not need to be.

[Diagram labels: Host System; Tape Library; Tape Drive (two); ID3 DLT7000; ID2 DLT7000; ID3 DLT7000; ID4 DLT7000]

Small tape library with dual drives and both drives able to encrypt data. Both units are fitted with the same “key chip”, so either unit can be used to read/write encrypted data.

[Diagram labels: Host System (two); Tape Library; Tape Drive (two)]

Small tape library with dual drives and two hosts, but each Paranoia has a different “Key Chip”, so data written in encrypted mode from one system cannot be read on the other. For data interchange the units can be set to non-secure mode.

[Diagram labels: Tape Library; Host System (five); Tape Drive (five); ID4 AIT-2]

Large tape library with one department system using encryption to ensure sensitive data cannot be read by other departments.

[Diagram labels: Tape Library; Host System (five); Tape Drive (five); ID3 AIT-2; ID4 AIT-2; ID1 AIT-2; ID0 AIT-2]

Large tape library with a mixture of common secure (red units), non-secure and separate secure (blue unit) in a single library.

[Diagram labels: Host System, ID3 3590E, Tape Drive (twice)]

For secure transfer of large amounts of data between remote sites two Paranoia units are supplied with identical “Key Chips”. The sites use a common user key string for encrypting tapes to be shipped between sites.

For added security the sites use a separate user key string to encrypt tapes not being transferred between sites.

Any distance – data can go via commercial courier without risk.

For disaster recovery using a public DR site, a Paranoia unit with a dummy “Key chip” is supplied on the DR site. Users have a third “spare” key chip supplied, and this is used whenever the DR site is needed to read the tapes.

This allows common usage of a DR site without the possibility of data compromise.
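The key derivation and the key-chip pairing rules from the configurations above, modelled as an added example (not the vendor's code or algorithm). The page does not name the logical function, so truncated SHA-256 stands in for it; the `Unit` class, chip values and user key strings are constructed for illustration.

```python
import hashlib

# Added illustration, not the vendor's algorithm. The page does not name the
# "logical function"; truncated SHA-256 is a stand-in chosen for this sketch.
def derive_key(key_chip, user_key):
    """Map an 8-character chip key and 8-character user key to a 56-bit key."""
    chip, user = key_chip.encode("ascii"), user_key.encode("ascii")
    if len(chip) != 8 or len(user) != 8:
        raise ValueError("chip key and user key must each be 8 characters")
    return int.from_bytes(hashlib.sha256(chip + user).digest()[:7], "big")


class Unit:
    """Hypothetical model of one in-line unit: key chip plus optional user key."""

    def __init__(self, name, key_chip, user_key=None):
        self.name, self.key_chip, self.user_key = name, key_chip, user_key

    def tape_key(self):
        # user_key=None models the "Not Secure" pass-through setting.
        if self.user_key is None:
            return None
        return derive_key(self.key_chip, self.user_key)


def can_read(reader, writer):
    """A tape is readable only when reader and writer hold the same tape key."""
    return reader.tape_key() == writer.tape_key()


def scenarios():
    """Evaluate the page's configurations with constructed sample keys."""
    site_a = Unit("site A", "CHIPAAAA", "SHIPPING")
    site_b = Unit("site B", "CHIPAAAA", "SHIPPING")     # identical key chip
    local_a = Unit("site A local", "CHIPAAAA", "LOCALKEY")
    other = Unit("other host", "CHIPBBBB", "SHIPPING")  # different key chip
    dr_dummy = Unit("DR site", "DUMMY000", "SHIPPING")
    dr_spare = Unit("DR site + spare chip", "CHIPAAAA", "SHIPPING")
    plain = Unit("not secure", "CHIPAAAA")
    return {
        "inter_site": can_read(site_b, site_a),
        "local_tape_at_other_site": can_read(site_b, local_a),
        "different_chip": can_read(other, site_a),
        "dr_dummy_chip": can_read(dr_dummy, site_a),
        "dr_spare_chip": can_read(dr_spare, site_a),
        "secure_unit_reads_plain_tape": can_read(site_a, plain),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'readable' if ok else 'unreadable'}")
```

Both inputs matter for recovery planning: a tape is readable only where the matching key chip and the user key string used to write it are both available.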