210 likes | 371 Views
Tape Encryption. Why is it needed?. Tape backup software is given access to all data on the system. Tapes are taken off site to a data vault for “security” in case of loss of the physical site. Tapes often taken to the vault by the lowest cost method, I.e. lowest cost courier company.
E N D
Tape Encryption Why is it needed? Tape backup software is given access to all data on the system. Tapes are taken off site to a data vault for “security” in case of loss of the physical site. Tapes often taken to the vault by the lowest cost method, I.e. lowest cost courier company.
Tape Encryption Why is it needed? Data saved to tape is not given any security access levels. An operator can initiate an unauthorised backup to a tape he can then keep without Theft of a tape is a major problem . There is no way to tell if a tape has been copied.
Tape Encryption Who needs it? Banks – may be a requirement from the SEC or similar Insurance Companies – may also be a statutory requirement. Medical companies – requirement in many countries. Research groups – data here is almost priceless.
Tape Encryption PARANOIA! In line tape encryption. Host Independent System Independent DES & DES3 level encryption
Tape Encryption Paranoia is a hardware pass through SCSI solution, which encrypts data on the fly even in an unattended backup environment. Server PARANOIA Server PARANOIA PARANOIA Server PARANOIA Server
Tape Encryption The hardware key is a unique chip installed during manufacture containing the unit’s 8 character key. Hardware Key The 8 character user key is input by RS232 User Key The Paranoia performs a logical function between the hardware and user keys, so producing a 56bit encryption key unique that is unique to the hardware and user key combination.. ƒ Encryption Key
Original System with tape drive connected via standard SCSI interface. Tape Drive SCSI Connection
Add Paranoia unit and connect to Tape drive. Tape Drive SCSI Inquiry SCSI Inquiry SCSI Inquiry SCSI Inquiry ID3 3590E Paranoia interrogates tape drive and then sets itself up on that ID.
ID3 3590E Tape Drive Reconnect system via the Paranoia The system is now tested including reading previously written tapes to ensure all connections are correct.
ID3 3590E Tape Drive A PC is connected to serial interface and unit is configured using the Windows GUI programme.
Tape Drive The quick brown fox jumps over The quick brown fox jumps ID3 3590E Not Secure When set to not secure all data to and from the tape is unchanged.
Tape Drive The quick brown fox jumps over 3n%7xklm)-f7jksuw edec ID3 3590E Secure The final figure is $8,000 7AheJL8*65ssa “$.M When set to secure all data to and from the tape is encrypted
Configurations. Host System Tape Drive ID3 3590E Simple single unit configuration. Backup to a stand alone tape is encrypted.
ID3 DLT7000 Configurations. Tape Library Host System Tape Drive Small tape library with single drive allows all tapes in Library to be encrypted. Library control over SCSI is daisy chained so as not to be passed via the Paranoia
ID3 DLT7000 Configurations. Tape Library Host System Tape Drive Tape Drive Small tape library with dual drives with only one drive able to encrypt data. When reading unencrypted data this drive can still be used by simply selecting the Non Secure option. Any data to be sent to an off-site vault can be encrypted whilst data remaining on site does not need to be.
ID3 DLT7000 ID2 DLT7000 Configurations. Tape Library Host System Tape Drive Tape Drive Small tape library with dual drives and both drives able to encrypt data. Both units are fitted with the same “key chip” so either unit can be used to read/write encrypted data.
Configurations. Tape Library Host System ID4 DLT7000 Tape Drive Host System Tape Drive ID3DLT7000 Small tape library with dual drives and two hosts but each Paranoia has a different “Key Chip” so data written in encrypted mode from one system cannot be read on the other. For data interchange the units can be set to non-secure mode.
ID4 AIT-2 Host System Host System Host System Host System Tape Drive Tape Drive Tape Drive Tape Drive Configurations. Tape Library Host System Tape Drive Large tape library with one department system using encryption to ensure sensitive data cannot be read by other departments.
ID1 AIT-2 ID4 AIT-2 ID3 AIT-2 Configurations. Tape Library Host System Tape Drive Host System Tape Drive Host System Tape Drive Host System Tape Drive Host System Tape Drive ID0 AIT-2 Large tape library with a mixture of common secure (red units), non secure and separate secure (blue unit) in a single library.
Host System Tape Drive ID3 3590E Host System Tape Drive ID3 3590E For secure transfer of large amounts of data between remote sites two Paranoia units are supplied with identical “Key Chips”. The sites use a common user key string for encrypting tapes to be shipped between sites. For added security the sites use a separate user key string to encrypt tapes not being transferred between sites. Any distance – Data can go via commercial courier without risk.
For Disaster recovery using a public DR site a Paranoia unit with a dummy “Key chip” is supplied on the DR site. Users have a third “spare” key chip supplied and this is used whenever the DR site is need to read the tapes. This allows common usage of a DR site without the need to have the possibility of data compromise.