'Paranoia' Gives Peace of Mind for Tape Backups
Published: October 24, 2006
by Alex Woodie
In the world of IT security, it can pay to be paranoid. Not "curled-up-in-the-fetal-position-behind-the-tape-library" scared, but healthily aware of the real dangers lurking inside and outside of the data center. If your shop routinely sends sensitive data off site for disaster recovery purposes and you're potentially liable under one of the new identity theft laws, you may find that a hardware-based encryption device, such as the "Paranoia," could be the right solution.
For the last decade, the English company DISUK has been making an encryption device called "Paranoia" that's been adopted by companies in the financial services industry. With tougher data security measures being written into law, companies in all types of industries are taking a look at tape encryption, too.
The current Paranoia2 model, which was developed four years ago, is a rack-mounted appliance that uses two 3DES encryption engines. By splitting the data into two streams, each with its own unique key, it greatly reduces the chances of a brute-force attack being used to successfully break the encryption key. To further boost security, the Paranoia doesn't use an operating system. Instead, it uses a simple BIOS loaded into flash memory, which greatly increases the amount of work a hacker would need to do to alter the operating environment to his advantage.
The throughput on the Paranoia2 is about 68 MBps, which is fast enough to support most enterprise-strength tape drives, including the latest LTO3 drives, says George Loridas, a salesman with Advanced Data Sales, the U.S. distributor of the devices and an IBM System i reseller. This has the potential to slow down backups; however, the bottleneck typically occurs on the server, he says.
The SCSI version of the Paranoia2 costs about $15,000 and the Fibre Channel version goes for about $20,000. When the Paranoia3 model comes out (plans call for availability by the end of the first quarter of 2007), it will be equipped with dual AES encryption engines and provide throughput of up to 250 MBps. This will give it enough bandwidth to handle the next generation of successful LTO tape drives, the LTO4.
According to Loridas, the Paranoia line was created by a former British intelligence officer with four decades of experience in security. About 10 years ago, a Swiss bank contracted the individual to develop an encryption solution for them. At some point somebody referred to the solution being developed for "those paranoid Swiss," and thus, the product's name was born.
The real benefit of Paranoia is that it's nondisruptive and works with any operating system, Loridas says. "The nice thing is it's just simple," he says, comparing it to an I/O processor on an iSeries machine. "Just plug and play and forget."
There are drawbacks to hardware-based solutions such as the Paranoia. Because the device is the solution, customers typically must buy two units--one to use at the production site, and one for the DR site in case the tapes need to be decrypted. However, the simplicity of the Paranoia boxes overcomes that shortcoming, Loridas says. "Most [software-based encryption solutions] are complex and require a certain level of babysitting," he says.
ADS, which is based in Winter Park, Florida, sells the full gamut of IBM i5/OS, AIX, X86, and storage gear, but it has the most experience with iSeries, Loridas says. The financial services industry has been the primary purchaser of Paranoia boxes. Indeed, ADS has sold devices to a bank that uses Jack Henry's software. However, new privacy laws and eager auditors are putting encrypted backups on the "to do" lists of CIOs of all types of companies.
ADS attended the COMMON conference last month in Miami Beach, Florida, where the focus was disaster recovery. The feedback from Expo attendees was good, Loridas says.
The next generation of Paranoia devices, the Paranoia3, is due out by the end of the first quarter of 2007. The Paranoia3 will be equipped with dual AES encryption engines and provide throughput of up to 250 MBps, which will be fast enough to support the new LTO4 generation of tape drives.
For more information, visit www.disuk.com or www.ads-i.net.