When trying to decide on an encryption strategy there are numerous areas of concern, but encryption key management is one area that should heavily influence whatever your strategy ends up being. Some important areas of consideration when making the selection include evaluating how the solution handles:
- Static and dynamic key generation
- Key management technique used to encrypt and decrypt the data
- Administrative overhead associated with the key management
Since encryption is only as strong as your key management, it is important to take into account each of these areas in order to determine how to best implement encryption as well as its corresponding key management solution.
In Asigra’s recent release of Televaulting 8.0 data security remains at the forefront with their use of the AES encryption algorithm to encrypt data while in transmission across the network; or at rest in its DS-System or BLM Archiver. Televaulting’s approach to encryption key management provides several options in how to best approach encryption key management. Televaulting 8.0 gives users and service providers several key ways to protect data from unauthorized exposure:
- Starting with Televaulting version 8.0 copies of encryption keys can be kept on the DS-System. The DS-System keeps the keys of the DS-Client in escrow, but in order for this feature to be functional both the DS-Client and the DS-System has to be enabled to “forward” and “accept” the encryption keys. Having the ability to store keys on the DS-System lowers the chance that an encryption key could be lost and thus making data unreadable.
- The DS-System can be set to “encryption key escrow mandatory”. Using this setting, the DS-System will only accept DS-Client connections after they forward their encryption keys. This provides service providers the assurance that DS-Client keys are kept in escrow lowering the possibility of key loss.
- Keeping encryption keys in escrow could allow a liability risk for service providers. In Televaulting 8.0, Asigra allows service providers to accept encryption keys into escrow only if the DS-System is enabled to do so. Without enabling the DS-System to escrow encryption keys, the DS-Client will not be able to forward the keys to escrow.
- DS-Client encryption is always mandatory. Providing mandatory encryption ensures data at rest is encrypted, as well as when it is in transmission to the DS-System. This type of encryption arrangement ensures legal compliance if an unauthorized exposure of data should occur.
- Encryption keys stored on the DS-System can be forwarded to the BLM Archiver. This type of transfer for archival purposes is paramount to data recovery in the event of a disaster.
When setting up Asigra’s Televaulting 8.0, upon installation the DS-Client is required to create an encryption key thus generating a static encryption key. Proper controls over the DS-Client encryption key should be used so as to lessen the chances of unauthorized key exposure. Third party encryption appliances and key management systems are not directly supported, but if one is used in the network background it is completely transparent to the DS-System, DS-Client, and BLM Archiver.
When deciding on a backup solution, especially when data is at rest or in transmission is concerned, it is important to understand what role encryption and key management plays in the chosen technology. Understanding whether static or dynamic key generation is needed or preferred depending on the level of security needed for your environment, how best to manage encryption keys, the associated administrative overhead, and liability of lost or exposed encryption keys should all be considered. By providing flexible choices in how to manage both encryption and encryption keys while allowing for data and liability protection, Asigra Televaulting 8.0 has struck a balance to meet both data center and service provider needs.