LTO4 with encryption on iSeries

Why it might not be what you expect.

With a very large number of confidential records being compromised every month, a large number of them through theft or loss of backup tapes, companies clearly need to treat backup encryption as a “must do now” project. IBM's announcement that it would be first to market with embedded encryption in its new LTO4 tape drive appeared at first sight to offer the way forward in dealing with this continued loss of private and confidential data. This article looks at the possible issues with this approach and offers some alternative options. For iSeries users the IBM offering would appear to be a straightforward solution, but a detailed look reveals several issues.

Interface
The first surprise is that the LTO4 with encryption is not available with the SCSI interface for the iSeries. This forces users to add a fibre channel IOP if they do not already have one. Even if there is already an existing fibre IOP the advice from IBM is that the drive should have its own dedicated IOP. This means the system must be brought down in order to install and configure the new hardware which will likely require an IBM SE. In addition, if there is not room to add the fibre card and IOP, an expensive expansion tower/drawer will have to be purchased. This may cause some users the headache of getting staff to work outside normal hours to allow this to be done when least disruptive to the business.

Library
LTO4 encryption for iSeries is only supported with library based units; stand-alone drives are not supported. This clearly increases the cost and complexity of an installation. It may require more physical space which needs to be considered. In addition, a library might require expensive electrical additions to the data center.

Media
The next surprise to many industry insiders was the fact that the encryption will only work when using LTO4 media. This brings two issues: first, the extra cost of buying a complete new set of media, and second, the question of what happens to the existing media pool. The LTO4 media lists at $160 each and, although the capacity of the new tape is twice that of the previous iteration of LTO media, most companies can’t take advantage of this.

Configuration & Control
The next item of interest is how this encryption is configured and controlled. Using encryption with the LTO4 on the iSeries also requires the use of Backup Recovery Media Services (BRMS). Not all iSeries customers are using this package as part of their backup procedures today. This means replacing the package currently in use, purchasing BRMS (5722-BR1) and learning how to work with it. Even for those customers who are using BRMS, the backup and recovery procedures will need to be changed to utilize encryption. The learning aspect of this is certainly something that needs to be carefully considered.

Archive
Most businesses will have a pool of data on existing media; the question will be just what to do with it. The data on these tapes may need to be retained for a given period, but it is essential to ensure that data is secured. Copying all these tapes onto new LTO4 media using a duplication method such as DUPTAP will be time consuming and will affect system resources. Once this is completed, the old media then needs to be destroyed, as it cannot be re-written in encrypted mode. This is another expense that needs to be considered.

Key Management
The Java-based Encryption Key Management (EKM) package for the LTO4 encryption requires a separate server or partition (LPAR) to run. This software itself may introduce potential security flaws, dependent on how it is implemented, because anywhere the security keys can be accessed outside of the server is a possible weakness. IBM recommends that two EKMs be used for fault tolerance; without the EKM, tapes cannot be read. Of course, these server(s) need to be backed up.

Restore considerations
With the IBM solution, the iSeries needs to be operational with the OS loaded, and the key management server needs to be up and running before restoring any encrypted data. This leads to a complex restore procedure. Because this is a fiber channel interfaced unit, the system cannot IPL from this LTO4 drive, unlike a SCSI drive that is used as an alternate IPL device.

Interoperability
Most companies send data from time to time to other companies. The LTO4 can only write to LTO3 or LTO4 media; therefore, for the supplier or customer to be able to read these tapes, they will need at least an LTO3 drive. And since the LTO4 is so new, the most common drive in the market today is the LTO2.

Speed
There is often a misunderstanding over the throughput of tape drives. Many people are under the impression that the tape drive is the slowest item, but frequently the tape drive sits idle while the system retrieves the data. Therefore a faster drive does not always mean faster backup. Retrieving data from a large capacity tape like the LTO4 may also be slower as the data needed may be near the end of the tape.

Hardware
As an example the following gives a list of the hardware needed for a simple system.

Item                                      Cost
3573-L2U TS3100 Tape Library Express      $4,000.00
5900 Transparent LTO encryption           $2,500.00
8144 Ultrium 4 Fiber Channel Drive        $10,770.00
6013 13m LC/LC Fiber Channel Cable        $184.00
5761 Fiber adapter for i5 HW              $5,495.00
2844 IOP for 5761                         $2,100.00
25 x LTO4 tapes (estimate)                $4,000.00
Installation                              ?
Hardware Investment                       $29,049.00

We assumed 25 pieces of media at $160 each, which equals $4,000.00; 25 pieces is a conservative estimate. You also need to add any installation costs to this.

If you do not already own BRMS this is another cost to be considered both in the basic acquisition and also for the training costs and time. BRMS runs from $700 to $24,000 depending on the processor Group class and $995 for Media and Storage Extensions (feature 0664) for the library.

Should you be running an older version of the OS, you will need to upgrade to V5R2 or later.

Please contact us at info@theq3.com with any questions about IBM's LTO4 on the iSeries or to discuss our Q3i tape drive with built-in encryption.
