When it comes to data security, CNL Financial Group, one of the country’s largest private real estate investment and development companies, wants to be a leader in its industry. To meet that objective, CNL recently deployed a storage security appliance from Decru Inc. for encrypted tape backup.
“Privacy and confidentiality of our customer data is what drove us to look for an encryption-type solution,” says Joel Schwalbe, vice president of technical services at CNL.
With too many headline stories about high-profile companies losing unencrypted tapes, Orlando, Fla.-based CNL, with $13 billion in assets, wasn’t looking to become tomorrow’s news.
According to Schwalbe, CNL backs up and moves 12 terabytes of enterprise data daily.
Time for a Change
Like many organizations required by the Securities and Exchange Commission to store backup data offsite, CNL complied, conducting standard unencrypted backup of internal data. The process worked fine for the company until reports of security breaches at financial institutions such as Bank of America and CitiFinancial made headlines.
“We decided that we wanted the flexibility to encrypt backup data that left the premises, but not necessarily encrypt data that remained on site,” says Schwalbe.
CNL has a traditional IT environment, with a backup and restore solution that includes Veritas NetBackup software and Overland tape libraries with high-performance LTO-3 tape drives. Backup supports more than 80 servers located in the company’s data center. Servers run business applications, office automation applications and traditional file storage.
The decision to encrypt off-site tape backup was made at the beginning of the summer, according to Schwalbe.
“We were looking for a solution that provided ease of implementation, good cost-performance, and a vendor with expertise in this space,” he says.
CNL hooked up with two vendors that provided solutions for encrypted tape backup. One vendor was Decru, the other a competitor that Schwalbe declined to name.
“We had the companies come in at separate times to demo the solution to see if it would work for us,” he says.
The choice was clear. The competing vendor’s product, according to Schwalbe, was more difficult to set up, configure and operate. “I’m talking days versus hours,” he says.
CNL purchased two Decru DataFort FC-series appliances, clustered for failover, and the Lifetime Key Management system. Decru’s DataFort FC-Series Storage Security Appliances, designed for both Fibre Channel SAN disk arrays and tape media, are managed from a centralized secure interface, according to the company. The product’s Storage Encryption Processor (SEP) is a hardware engine that enables full-duplex, wire-speed encryption and key management. Lifetime Key Management automates key backup, recovery and archiving across the enterprise, according to Decru.
Schwalbe notes that, in addition to encryption, a specific key enables the company to decrypt data and restore it to a server.
Safety First
The cost for a solution that would provide secure encrypted tape backup was worth the price, says Schwalbe, adding that Decru was very competitive.
According to the vendor, pricing for a single security appliance for tape is $25,000. Pricing for a departmental IP SAN encryption solution is below $10,000.
Getting the Decru DataFort FC appliance up and running was very straightforward, taking no more than a couple of hours to install and test, says Schwalbe. The device is inserted between the tape library and the backup server, he says. According to Decru, the DataFort supports 2Gb Fibre Channel SANs and tape libraries, with in-line or fabric-attached deployment options.
In addition to physically attaching the security appliances, CNL had to define its backup policies. “We wanted the flexibility to encrypt backup tapes taken off the premises and not encrypt backup tapes that stay in-house,” Schwalbe says.
The daily management of the backup security device is simple, according to Schwalbe. The Veritas backup server manages the encryption, he says. The DataFort uses a secure Web-based management interface.
Two-factor authentication for administrators further strengthens security for sensitive operations. Industry-standard tools, such as SNMP and syslog, can be used for monitoring, and a CLI allows scripting of management tasks, according to the vendor.
Schwalbe says that the encrypted tape backup solution meets CNL’s current security needs, and adds that the product can scale to meet future requirements too.