The re-work involves an option to move the encryption processing in the company’s flagship NetBackup software onto media servers, and the launch of what Symantec claims is a fully functional key-management system. The option is based on software OEM’ed from encryption specialist Vormetric Inc.
For the last two years, NetBackup has offered an option to encrypt data written to backup tapes, in order to protect data that might fall off the back of a lorry on its way to an offsite vault. While Symantec says there has recently been a huge up-tick in demand for the feature, it also says that it cannot say how many customers are using it.
One certainty is that the feature requires data to be encrypted on source application servers. This is not popular, because it slows throughput during backup jobs that are already under time pressure.
Now Symantec has launched an option to encrypt data on the backup system’s dedicated media servers, rather than on application servers. The encryption code can even be loaded on extra hardware dedicated exclusively to encryption, Symantec said.
This is going to make a big difference to customers, because of the growing number of machines that they have to encrypt, and the scaling that this gives them, said Michael Adams, senior group product manager at Symantec. Usually the media server has some spare cycles, and we think the performance impact will be negligible.
The encryption devices sold by Network Appliance-owned Decru Inc and NeoScale Systems Inc are sold as wire-speed devices, that have zero impact on backup throughput. But according to Symantec, a six-port set-up of this sort of gear costs almost twice as much as it media-server encryption option.
In order to enable the media server-based encryption, Symantec says customers will need to pay a $10,000 flat-fee for the key management software, and pay for a license for the encryption engine itself. The latter will cost the same as a plain Media server license ie starting from $5,000 for Windows, and $10,000 for Unix.
Content from our partners
ESG analyst John Oltsik said that one advantage of Symantec’s system is that it will be managed centrally via the NetBackup console. It alleviates the need for a third-party solution, so it gets Symantec into a growing lucrative market, he said.
But equally, it is not going to put Decru or NeoScale out of business. Some people will prefer a third-party solution to manage heterogeneous environments, he said. Some will want to encrypt both disk and tape. Over time there will be more and more types of solutions to choose from involving either hardware or software. Depending upon your systems, backup software, and tape drives, you will have lots to choose from.
Other backup software players will be easily able to make the same move, Oltsik said. Basically, Vormetric is encrypting the entire file system underneath Symantec, he said. There is no reason why EMC or IBM couldn’t do the same, with or without Vormetric. If your backup server runs on Longhorn in the future you can simply turn on EFS or BitLocker encryption, but that will be in the future.
Oltsik’s final comment was a warning to customers. The key is to think strategically about operations and key management. If users deploy backup encryption tactically they will likely end up with an operations nightmare down the line, he said.
This suggests that the sooner vendors can give themselves the option to become customers’ preferred encryption supplier and central control point, the better.
Decru and NeoScale are both pitching their key management systems as future virtual key-safes for all of the third-party encryption keys that will be floating around future data centers.
This will require third-parties to allow their applications to hand their keys to Decru and NeoScale’s key-management systems. Symantec will make the same move, creating an API that will allow the key-management system it has developed for NetBackup to accept third-party keys. But will it allows NetBackup to hand its keys to anybody else’s key management system? We haven’t decided yet, the company said.
The KMS for NetBackup will replicate keys from one site to another, and can be set to create backup copies automatically, either as part of a catalog backup, or as a separate job, Symantec said.
