More than 50 million Americans have had their personal information compromised in the last year, and many of those security breaches have been the result of tape loss. With so much data at risk -- and the potential penalties involved -- storage administrators are struggling to protect sensitive information at rest in the data center and in flight across public networks. Vendors also see the problem, and are stepping forward with software and appliances that can ease implementation. The trick is to sort through the proliferation of offerings and find a product that meets your business requirements without breaking the budget. This article provides an overview of encryption and its role in the enterprise, highlights the leading vendors who offer disk and tape encryption products, and offers some advice to help ease purchasing and implementation issues.

The reality of encryption

Simply stated, encryption is a technique used to make plain data unreadable. Encryption starts by processing data through a complex mathematical algorithm (a cipher) that uses a unique variable value (or key) to produce unique encryption results. Longer keys, used in concert with more complex encryption algorithms, will result in encrypted data that is practically impossible to recover without the key. Once the data is in an unreadable form, it is considered safe even if the files are lost or compromised by hackers. Encrypted data is made readable again (or decrypted) by processing it through the algorithm using the same key, though sometimes a different or companion key might be used for added security.

This simple concept has important implications for data center security. Given the growing number of high-profile security breaches in the news, storage professionals are embracing encryption technologies to protect the business against embarrassment and legal liability.
"For the enterprise, encryption helps safeguard, protect and conceal data while it's at rest, being transported or being moved across networks," says Greg Schulz, founder and senior analyst at Storage IO. Encrypted data remains secure even when it is stolen -- a thief would need to have the encryption key or the computer processing resources available to "crack" the key by systematically attempting every possible key combination.

Analysts point out that encryption itself is not necessarily enough to mitigate corporate liability for lost or stolen data. "Does encryption let you off the hook totally? No," Schulz says. "Being able to demonstrate that you've taken some level of precaution (including encryption) does eliminate some liability." The underlying message is that encryption should be implemented to complement or expand the existing IT security strategy.

Considering encryption

An encryption strategy must start with a complete evaluation of corporate security vulnerabilities. In other words, you need to know what needs to be encrypted and at what points. Not all files must be encrypted, and encryption may not be needed at every location in the enterprise. According to analysts, encryption is best suited for "at-risk" data that must leave the data center onto an unsecured network. "You should consider using it [encryption] when you have data that you believe could potentially be accessed by an unauthorized person," says W. Curtis Preston, vice president of data protection at GlassHouse Technologies. "I wouldn't use it where the cost significantly outweighs the risk."

Once you identify the data that needs encryption, it's important to define where the encryption will be implemented. Encryption can be used to protect data in flight across a network and at rest on a hard drive (or tape) in the data center. Protecting data in flight is particularly important when corporate data must be transmitted over open or unsecured networks such as the Internet.
Protecting data at rest is a more recent consideration and is typically applied to tape backups that are sent off site. However, an increasing number of corporations will also opt to encrypt data on disk in the data center to guard against data loss from hackers or employee theft.

Although encryption works the same way on any target media (including hard drives, optical discs and tape), it's important to consider the implications of encryption on tape compression. "Encrypted data, by its nature, cannot be compressed," Preston says. For example, if you receive an average of 2:1 compression on a 10 gigabyte (GB) tape, you can fit up to 20 GB of data on the tape. If the data is encrypted first and is uncompressible, you'll need to use two 10 GB tapes -- doubling your tape media costs. To avoid this potential problem, implement encryption after compression.

Encryption is a mathematically intensive process, and can have a negative impact on the performance of your network depending on the type of encryption, the way it is implemented and the number of files being protected. Strong encryption (such as AES 256) is more intensive than weaker forms of encryption. More data takes more time to encrypt. And of course, software encryption products also impose a much larger performance hit than hardware-based products. Analysts note that software encryption can impose a 40-50% performance hit on your network. By comparison, a hardware encryption box might only impair performance by 10% or less.

The trick is to find a product that meets your needs with a minimum performance penalty. For example, suppose you only need to encrypt a single database. A software encryption tool might only cost about $500, while the extra few minutes needed to encrypt the database (and the extra storage space for that uncompressed file on tape) might barely be noticeable.
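The compression-ordering point above, as an added Go example that is not part of the original article: gzip stands in for the tape drive's hardware compression and AES-256-GCM from Go's standard library for the encryption step, so the two orderings can be compared on the same data. SampleBackup is a constructed repetitive record set, and the function names are the example's own.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// SampleBackup is a constructed, highly repetitive record set, the kind of data that tape compression thrives on.
var SampleBackup = bytes.Repeat([]byte("customer_id=000123;status=active;balance=0.00\n"), 2000)

// Seal encrypts with AES-256-GCM (32-byte key) and prepends the random 12-byte nonce to the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Gzip stands in for the tape drive's hardware compression.
func Gzip(data []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

// CompressThenEncrypt is the ordering the article recommends: redundancy is removed before the cipher hides it.
func CompressThenEncrypt(key, data []byte) ([]byte, error) { return Seal(key, Gzip(data)) }

// EncryptThenCompress is the ordering that doubles tape usage: gzip finds no redundancy in ciphertext.
func EncryptThenCompress(key, data []byte) ([]byte, error) {
	ct, err := Seal(key, data)
	if err != nil {
		return nil, err
	}
	return Gzip(ct), nil
}
```

Run both functions over SampleBackup with the same key: the compress-then-encrypt output is a small fraction of the input, while the encrypt-then-compress output is slightly larger than the plaintext, which is the "two tapes instead of one" effect described above.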
When encrypting the entire data center, however, it probably makes more sense to use encryption hardware to minimize the performance penalty across a huge volume of data -- even though you will have to spend about $30,000 per box.

Finally, any move to encryption must involve a close examination of key management. Lost keys can render corporate data inaccessible, so a potential adopter must learn how encryption keys are held or maintained and understand the risk involved. "The risk is that you lose your key," Preston says. "If you lose your key you've lost your own data." Key management policies and practices must be implemented along with any encryption technology.

Vendors and product selection

There are essentially three means of encryption for the enterprise, and the choice of technology will largely dictate your vendor selection. The first approach is 'source encryption' -- encrypting data at its source directly through a particular application. Most operating system and application vendors (including Microsoft and Oracle) provide a means of data encryption. A second means of encryption is typically provided through backup software applications including EMC Corp.'s Legato, Symantec/Veritas NetBackup and IBM's Tivoli. The backup software can encrypt data on its way to tape. This enables the tape to be transported and stored securely off site. The third avenue of encryption is a relatively new breed of dedicated encryption hardware devices from vendors including Decru Inc.'s DataFort security appliances, the StrongBox SecurDB from Crossroads Systems Imance needlessly.

In actual practice, only sensitive data needs to be encrypted -- and the strongest encryption may only be needed for the most sensitive data. Implement encryption so that it addresses business needs without bringing productivity to a standstill.