Encrypting your backup tapes with Cisco Storage Media Encryption (SME)

May 03, 2008

IT staff at the University of Miami are having a very bad week. They are having to deal with the fact that two million private health records were stolen from them. While it wasn’t directly their fault that their backup tapes were stolen from an off-site storage provider’s transport van, the responsibility does fall on their shoulders to protect sensitive data no matter who has access to the physical media.

Losing control of personal data means more than just replacing a tape in your backup rotation. Laws vary from state to state, but generally you are required to contact the identity holders who were breached, as well as fund some sort of remediation. This has huge implications for consumer confidence and, at the end of the day, the stock price of your company. In some cases, such as ChoicePoint, a company can be completely decimated by a breach.

Data protection regulations

There is an ever-increasing number of regulations that concern the control of sensitive data. These can vary from laws focused on patient data, to financial data, to personal identification data. The best-known laws are HIPAA, GLBA, and Sarbanes-Oxley (SOX). Beyond that, there are laws that pop up every day at the state and municipality level that further increase the requirements and expense of dealing with a breach. In short, losing control of your sensitive data is becoming an expensive and in some cases criminal offense.

What you can do to protect your backup tapes

First things first, putting a lock on that Iron Mountain box is just not good enough. You must assume that no matter what, a determined attacker will get physical access to your tapes. So many times companies think that just because their data format is unique or proprietary that an attacker won’t be able to access it. The cold reality is that any format can be read, and yours is not that special.

The only way to be assured that your data is safe is to encrypt it with a strong cipher. In short, you need to treat your data the same way on tape as you would if it was sitting on a public FTP site (with anonymous access enabled). Luckily, Cisco has a technology that allows you to encrypt and decrypt your data coming on and off tape. This technology is Storage Media Encryption.

Cisco Storage Media Encryption (SME)

Cisco’s Storage Media Encryption (SME) technology allows for the seamless encryption of your data flows on and off your backup tapes using standard AES-256 encryption. Whether you have VSANs segregating your data, a core/edge architecture, or Virtual Tape Libraries (VTLs), you can use SME to protect your data at rest, removing the possibility of an attacker getting access to your critical data.

Storage Media Encryption works by leveraging a multifunction chipset available in the 18/4 module, which comes by default with the 9222i and is an option for the 9500 series director-class SAN switches. The chipset has a couple of functions, including line-rate encryption of iSCSI and FCIP data streams at gigabit speeds, as well as line-rate encryption of data as it streams to your tape or virtual tape libraries (VTLs).

Want to learn more?

  • SAN and NAS, O’Reilly Press - In the classic O’Reilly style by W. Curtis Preston, this book is a great starting place for understanding the fundamentals of SAN and NAS architectures that many people are likely to face.

  • Storage Media Encryption for Cisco MDS SAN Switches - Cisco has lumped together a couple of good data sheets here, though I may have to write a future article taking a deep dive on what really drives SME.