Help/Systems Delivers Encryption for Backups
Published: August 15, 2006
by Alex Woodie
Help/Systems last week delivered Robot/SAVE version 11, a new release of its backup and recovery software for OS/400 and i5/OS systems. With this release, the Eden Prairie, Minnesota, company has added new encryption capabilities that make a backup tape unreadable without the proper keys. With four levels of encryption, Help/Systems is banking that Robot/SAVE customers will be able to find the right balance of safety and performance.
Every week, it seems, we hear another report of the loss of massive amounts of sensitive data due to stolen laptops, PCs that disappear, and backup tapes that never arrive at their secure offsite location. Banks, brokerage houses, the Department of Justice, and many other large organizations have owned up to their mistakes, which have put millions of Americans at risk of identity theft. Several reports in the last week alone give credence to the claim that this is the summer of identity theft.
These are only the ones we hear about. There's currently no federal law requiring companies to notify customers when their personal data has been lost, although there are several bills making their way through various states' legislative bodies that are similar to California's identity theft regulation, SB 1386, currently the only such law. Encryption is also commonly used in HIPAA, Sarbanes-Oxley, and PCI remediation engagements.
As reports of lost backup tapes and stolen laptops pile up in the news, and as states and Congress inch closer to closing the legal gaps related to identity theft, corporations are increasingly looking for ways to reduce the risk of losing sensitive data and, with it, of incurring potential fees related to notifying customers of the data loss, or possibly even paying fines.
One of the ways companies can fight data loss is by encrypting backup tapes. Many tape encryption solutions apply encryption at the tape drive itself, which provides less flexibility than a software-based solution, because users must find their own way to manage the encryption keys that unlock the encrypted content. A hardware-based solution also doesn't manage backups or guide the handling of tapes.
These are the advantages of Robot/SAVE's new encryption capability in version 11, according to Help/Systems' vice president of technical services, Tom Huntington. Because key management is also built into the OS/400-based backup and recovery product, there's no need for a separate key management solution, he says. "This is all totally integrated, all panel driven. It's easy to do," Huntington says.
If the tape is being recovered and decrypted using the same iSeries server that did the initial backup and encryption, the recovery is done automatically. Of course, a disaster recovery solution wouldn't be much good if the only place a tape could be restored was on the original machine, which might be destroyed due to a disaster. In these situations, Help/Systems recommends that users have a copy of the product with them to perform the restore, as well as the passphrase that was used to encrypt the backups. "The easiest way would be to have Robot/SAVE with you and plan on it being part of your hot site," Huntington says.
Alternatively, customers can also use a separate runtime environment (referred to by Help/Systems as a "mini library") and a set of commands to restore data locked on an encrypted tape. In these situations, users--or even close partners of the user--could recover an encrypted tape, even if they didn't have the full Robot/SAVE product loaded on their system, although they would still need to have the passphrase. Without the passphrase, there's no way to restore the tape.
Robot/SAVE also gives users flexibility in what they encrypt. They can encrypt an entire library, or just a few individual objects in a library. Object lists, IFS objects, and Domino databases can also be encrypted as part of a standard Robot/SAVE backup.
Robot/SAVE provides four encryption levels, allowing users to match their required security level with the performance hit they can afford on their OS/400 server (encryption is a processor-intensive workload for every computer). The lowest setting uses an "internally defined" algorithm and consumes the least amount of CPW, according to Help/Systems, while the medium encryption uses Data Encryption Standard (DES). (Because the company uses an IBM API for the DES encryption, company sources weren't 100 percent sure whether it was the 56-bit or the 64-bit version of the algorithm.)
Two Advanced Encryption Standard (AES) encryption levels are also offered, one with a 128-bit encryption key, and one with a 256-bit encryption key that provides the most security. Robot/SAVE also maintains a secure cross-reference file of the encryption keys used to encrypt data. OS/400 shops that require the highest degree of security would do well to choose one of the recently created AES algorithms. DES, which was originally designed by IBM more than 30 years ago, has shown itself to be vulnerable to brute-force attacks.
Huntington expects the new release of Robot/SAVE will meet the burgeoning demand for encryption solutions among OS/400 shops. "It's been something that's been hot for the last year and a half," he says.
Robot/SAVE version 11 is available now. Pricing is tier-based and ranges from $7,300 to $67,500. For more information, go to www.helpsystems.com.