Symantec Backup Exec 11d for Windows Servers
New Encryption Capabilities

Contents

• Executive summary
• Need for encryption
• Safe, secure, and easy encryption with Backup Exec
• Cost versus protection
• Complexity
• Lack of flexibility
• Lengthened backup process
• Product highlights
• How it works
• Creating and using encryption keys
• Common and restricted keys for restores
• Backup process with encryption
• Managing encryption keys
• Deleting encryption keys
• Tracking changes to encryption keys
• Restore process with encryption
• Encryption best practices
• System requirements
• Other encryption architectures
• Software-based versus hardware-based encryption
• Summary

White Paper: Enterprise Security

Executive summary

Security and compliance risks to businesses and their data are greater than ever. Businesses depend on their data being protected in a safe and secure manner when it is stored internally and taken offsite. With the emergence of new compliance regulations, any data loss can adversely impact the bottom line, including possible additional regulatory and compliance concerns. Implementation of an encryption strategy for your company's backups plays a vital role in safeguarding the integrity and availability of your data.

Need for encryption

Headlines about data theft, tape loss, and compromised customer records containing unencrypted data are appearing more frequently.
These events underscore the need to focus on securing critical and sensitive company data, including copies of data created during backup operations. The window of risk to your sensitive data expands as the value of your data increases. Some of these risks include:
• Unencrypted removable media taken offsite for "security" is less secure than almost any other corporate data.
• Theft of a tape and removable media is a major risk that is difficult to track due to the size of the media.
• Data may become available to third parties if a tape is lost or left unprotected.
• There is no way to tell if a tape has been copied or duplicated for unauthorized purposes.
• Tapes are often taken offsite by the lowest cost method instead of the most secure method.
• Operators can initiate an unauthorized restore of a tape redirected to their system.

Encryption is the most effective method for securing data on portable media. Analysts, government, law enforcement, and regulatory agencies continue to advise on the criticality of encryption, and yet many companies have not yet implemented encryption as part of their backup process. The main reasons given for this decision are that encryption can add layers of complexity to their processes and that it will increase the time required to successfully complete the backup or restore process.

Key Benefits
• Helps reduce security risks to your data through integrated 128-/256-bit AES industrial-strength encryption
• Integrated encryption key management system for easy setup and management
• Included with Backup Exec 11d for Windows Servers at no additional charge

Safe, secure, and easy encryption with Backup Exec

Symantec Backup Exec 11d for Windows Servers now includes encryption capabilities that provide an additional layer of protection for your sensitive data, while helping to ensure that the use of encryption does not hinder the backup or restore process critical to safeguarding company assets.
The new encryption capabilities of Backup Exec 11d attempt to address the concerns traditionally associated with backup encryption such as:
• Cost versus protection
• Complexity
• Lack of flexibility
• Lengthened backup process

Cost versus protection

Backup Exec 11d uses industrial-strength, 128-/256-bit Advanced Encryption Standard (AES) encryption. This allows Backup Exec to provide one of the highest levels of encryption that meet or exceed strict U.S. government and corporate standards.

Backup Exec 11d encryption supports both files and databases. It provides security for your backup data regardless of where it resides or what happens to it after it leaves your site.

Unlike competing solutions, Backup Exec 11d includes these encryption capabilities at no additional charge. In this way, Symantec helps ensure that all organizations that use Backup Exec have access to safe, secure, and easily encrypted backups regardless of their budget to safeguard their important data.

Complexity

In today's complex IT world, encryption must not only be industrial strength, but it also must be easy to manage so that it is used whenever possible. The Backup Exec 11d integrated encryption key management system helps ensure that encryption is easy to use and manageable all from within the familiar Backup Exec console.

Lack of flexibility

Backup Exec 11d encryption implementation offers the flexibility to encrypt only the data you want when you want and where you want.
Encryption can be enabled:
• On a per-backup-job basis
• On a per-policy basis for increased automation of policy-based protection
• On a global basis to help ensure all backups are encrypted per company standards
• On tape and/or disk backups

By using software as the controller of encryption rather than media hardware, administrators gain a heterogeneous security option that allows them to encrypt and decrypt data regardless of the hardware platform used for backup or recovery.

Lengthened backup process

Backup Exec 11d encryption is flexible, which allows it to occur only during a particular stage of a backup. For example, companies using disk staging or disk-to-disk-to-tape (D2D2T) can enable encryption only on the tape portion of the backup. Companies that are concerned about the performance impact of software-based encryption on production systems can now perform fast, unencrypted backups to secure disk locations using the included backup-to-disk (B2D) technology. They can then configure a duplication job to run immediately after the initial disk-based backup or at a later scheduled time regardless of the backup window. This portion of the backup can be done to another disk location or to removable media, such as tape, for offsite storage where encryption is most critical. This avoids lengthening the initial backup process and also avoids any encryption-related performance impact on production systems, as the duplication job involves only data movement on the Backup Exec server.

Product highlights

Feature: 128-/256-bit Symmetric Encryption
Description:
• Provides data encryption using either 128-bit or 256-bit OpenSSL ciphers
Benefit:
• Meets both U.S. government and corporate standards of encryption quality

Feature: Integrated Encryption Key Management
Description:
• Create both common and restricted encryption keys
• Integrated into Backup Exec's console
• Checksum validation of encryption keys
• Key regeneration
• Designed for future hardware-based tape encryption standards
Benefit:
• Restricts access to encryption keys to the proper personnel in your organization to help ensure only the proper personnel have access to critical or sensitive backup data
• No need for separate encryption key management application or hardware
• Encryption keys are checksum validated on restore operations to prevent any tampering of keys in the Backup Exec database
• If the encryption key gets deleted or destroyed, the key can be regenerated using the pass phrase
• Allows Backup Exec to manage encryption keys for future hardware-based tape encryption devices

Feature: File System and Database Support*
Description:
• Provides encryption support for file systems and databases including Windows, Linux, Macintosh, UNIX, and Microsoft Exchange and SQL Server
Benefit:
• Provides security for all of your backup data regardless of what it is, where it lives, or what happens to it

Feature: Flexible Encryption Configuration
Description:
• Encryption can be enabled on a per-job, per-policy, or global default basis for backups
Benefit:
• Provides flexibility to back up and encrypt only the data you want, when you want, and where you want based on your established policies

Feature: Client, Network, and Storage-Level Encryption
Description:
• Encryption occurs on the source client as the backup occurs
• Data is encrypted over the network in transit to the Backup Exec server
• Data is written to tape or disk in an encrypted format by Backup Exec for long-term storage
Benefit:
• Protects your backup data at all times during the backup process from start to finish, beginning at the protected server
• Prevents network access to the data during the backup process over the network
• Prevents unauthorized access, tampering, or duplication of backup data while it is stored onsite or offsite on tapes or removable media

Feature: Tape- and Disk-based Backup Support**
Description:
• Backups can be written to tape or disk in an encrypted format by Backup Exec 11d
Benefit:
• Provides the flexibility to choose where data is stored in an encrypted format

Feature: Limited Performance Impact
Description:
• Backups can be written to disk locations in an unencrypted format for best possible raw performance and later duplicated to tape for offsite storage
Benefit:
• Helps ensure there is no performance impact on the source production server during the duplication process of a backup where data is encrypted from disk to tape for offsite storage

Feature: Integrated Audit Logging
Description:
• Built-in Audit Log to track any changes to encryption keys, including username, time/date, and change description
• Ability to save and export Audit Logs
Benefit:
• Increases security for compliance, and regulatory concerns of any and all changes made to encryption keys
• Helps ensure that any and all changes made to encryption keys are recorded, saved, and exported for auditing purposes

*See the table in the System requirements section for a complete listing of all agents supported with encryption.
**Backups enabled for encryption and sent to a disk-based backup target with Backup Exec 11d for Windows Servers' new Granular Recovery Technology (GRT) are not stored in an encrypted format. GRT allows individual object-level recovery for Microsoft Exchange, SharePoint, and Active Directory objects. GRT-enabled backups targeted to B2D devices are encrypted at the source server during the network transit, but they are stored in an unencrypted format on the final B2D target location. Tape-based GRT-enabled backups are stored on tape in an encrypted format and so do not have this limitation.

How it works

Backup Exec 11d encryption is designed to be a comprehensive and integrated solution that works seamlessly with your normal backup operations.

Creating and using encryption keys

The process of applying and managing encryption keys is simplified through integration with Backup Exec.
Simply select the level of encryption you want, create the encryption key pass phrase you want when configuring backup jobs, and leave the rest to Backup Exec (see Figure 1).

Encryption keys are safely stored inside of the Backup Exec database (BEDB) in an encrypted format. The pass phrase itself is not stored in the database; only the key generated by the pass phrase is stored. Once created, encryption keys can be reused by Backup Exec for other jobs. You can set a default encryption key to use when you create:
• Backup jobs
• Templates
• Duplicate backup set jobs
• Backup policies
• Policy-based backup templates
• Policy-based duplicate backup set templates
• Policy-based synthetic full-backup policies

However, you can also override the default key for any specific job.

Figure 1. Creating an encryption key

Common and restricted keys for restores

The encryption key can be either common (making it shareable) or restricted (making it private to that user). For backup jobs, any user can use any key available, regardless of whether it is common or restricted. The job log of the backup will indicate if encryption was used. The pass phrase is not included in the job log.

If a user creates a backup job using another user's restricted key, the user will get a prompt warning that the data can only be restored if the user knows the correct pass phrase for the key.

For restore jobs, key validation is performed based on ownership:
• Common keys: Anyone can use the key to encrypt data during a backup job and to restore encrypted data. If a common key exists in the database, any user can use the key for restores.
• Restricted keys: Anyone can use the key to encrypt data during a backup job. If a user other than the key owner tries to restore data that was encrypted with a restricted key, Backup Exec prompts the user for the key's pass phrase. If the user cannot supply the correct pass phrase for the key, the user cannot restore the data.
For example:
• If User B tries to restore a set that was encrypted with User A's restricted key, User B will be prompted for the pass phrase. If the pass phrase is validated, User A's key will be used for restore, and no new key will be created in the database.
• If User B tries to edit a restore job that uses User A's restricted key, User B will be prompted for the pass phrase.

Important Note: Backup Exec 11d utilizes industrial-strength 128-/256-bit AES encryption that meets both U.S. government and corporate standards of encryption quality. Once data has been encrypted, it cannot be recovered by anyone without the encryption key pass phrase, including Symantec.

You will be prompted with a warning message when creating a new encryption key to remember the pass phrase or store it in a secure location (see Figure 2).

Figure 2. Pass phrase warning

Backup process with encryption

When you install Backup Exec, the installation program installs the necessary encryption software on the Backup Exec media server and on remote computers that use the Remote Agent.

Backup Exec software performs the data encryption on the client via the Remote Agent, transfers the data across the network, and then stores it on tape or disk in the encrypted format. The backup process follows this sequence:
1. The Backup Exec 11d media server sends the encryption keys to the Backup Exec Remote Agent installed on the client system. The keys are protected via asymmetric encryption during this transfer.
2. Data is encrypted at the Backup Exec 11d Remote Agent client with symmetric encryption using the specified AES 128-bit or 256-bit key.
3. Data is sent encrypted over the network to the Backup Exec 11d media server and written to the backup device specified in the backup job.

Figure 3 shows the data flow of Backup Exec 11d encryption from original source servers, to network, to final storage location using the Backup Exec 11d Remote Agent and media server.

Figure 3. Data flow of Backup Exec 11d encryption
[Diagram titled "Security + Availability = Local + Remote Encryption"; labels include Exchange, File Servers, Media Server, Tape Library, and Backup to Disk Location.]

Managing encryption keys

Organizations often have a difficult time identifying and tracking which data should be encrypted. Should the whole backup database be encrypted or only part of it? Should all the data on the network be encrypted? Should all backups be encrypted or only a portion of them?

Backup Exec 11d provides flexible methods for configuring backups to include encryption on a per-backup-job basis, per-policy basis, or as a global default setting for all backups. This allows you to encrypt data based on established policies in your company. To assist with this process, Backup Exec 11d includes an integrated Encryption Key Management feature that is accessible from the Backup Exec 11d Tools/Encryption Keys menu or from within any backup job or policy (see Figure 4).

Figure 4. Accessing Encryption Key Management

The Encryption Key Management screen allows you to view, manage, create, and delete encryption keys available for use by Backup Exec 11d. These keys are managed in a manner similar to the Backup Exec logon accounts that are used for providing authentication to network resources to back them up. Keys can also be set as default keys to be used for a job, a policy, or all jobs (see Figure 5).

Figure 5. Encryption Key Management

A key that is created on a media server is specific to that media server. You cannot move keys between media servers. However, you can create new keys on a different media server by using existing pass phrases. A pass phrase always generates the same key. In addition, if you delete a key accidentally, you can re-create it by using the pass phrase.

If a Backup Exec database becomes corrupted on a media server and is replaced by a new database, you must manually re-create all of the encryption keys that were stored on the original database. If you move a database from one media server to another, the encryption keys remain intact as long as the new media server has the same user accounts and is in the same domain as the original media server.

Deleting encryption keys

Be cautious when you delete encryption keys. When you delete an encryption key, you cannot restore the backup sets that you encrypted with that key unless you create a new key that uses the same encryption key and pass phrase as the original key. You can delete encryption keys if:
• The encrypted data on the tape has expired or if the tape is retired.
• The encryption key is not the default key.
• The encryption key is not being used in a job or a template. If the key is being used, you must select a new key for the job or template.
• The encryption key is not being used in a selection list for restore jobs and for verify duplicate backup set jobs. If you delete a key that is being used in one of the listed job types, the selection list can no longer be used.

If you delete an encryption key that is being used in a scheduled restore job, you cannot replace the key.
Therefore, any scheduled restore job in which you delete an encryption key fails.

Tracking changes to encryption keys

Backup Exec 11d includes comprehensive audit logging capabilities to track most configuration changes made to Backup Exec settings, including changes made to encryption keys. The Audit Log is easily accessible via the Backup Exec 11d console's Tools/Audit Log menu (see Figure 6). The Backup Exec Audit Log tracks:
• Creation of new encryption keys
• Deletion of encryption keys
• Modification of encryption keys
• User name of user who made change
• Date/time of change
• Description of change

Figure 6. Audit Logs

The Backup Exec 11d Audit Log can be saved and exported to help ensure compliance with government and corporate requirements. This Audit Log can also be used to provide key documentation in audit situations. In addition, the contents of the Audit Log can be included in the Backup Exec 11d Audit Log Report. This report can be scheduled to run just like any other job within Backup Exec and can be automatically distributed to key compliance-focused personnel via email. See the Backup Exec 11d Administrator's Guide, Chapter 14, "Reports in Backup Exec," for more information on running and configuring Backup Exec reports.

Restore process with encryption

Restores of encrypted data with Backup Exec 11d are just as easy as the backup, provided that you have the necessary pass phrase for the encryption key needed for the restore. Encrypted backup sets are identified in the restore selection list by an icon with a lock on it. The restore process of encrypted data follows this sequence:
1. When you select encrypted data for restore, Backup Exec verifies that encryption keys for the data are available in the database. If you use encryption keys with the Intelligent Disaster Recovery Option, the wizard prompts you for the pass phrase of each encrypted backup set that is required to complete the recovery.
2. If any of the keys are not available, Backup Exec prompts you to re-create the missing keys. Anyone can generate keys or restore any tape provided they have the pass phrase used for the original encryption key.
3. Once the key has been re-created or the pass phrase provided, the encrypted data is read from media and transferred across the network to the client before decryption.

Encryption best practices

• Protect your pass phrases: Be sure to keep track of your pass phrases when you create encryption keys. This is the single most important step to remember when using Backup Exec 11d encryption. Pass phrases can be written down and stored in secure locations such as safes or safe deposit boxes, or they can be stored electronically in other secure locations.
• Backup Exec supports two types of encryption: 128-bit and 256-bit AES. The 256-bit AES encryption provides stronger security because the key is longer for 256-bit AES than it is for 128-bit AES. However, 128-bit AES encryption enables backup jobs to process more quickly.
• If you use encryption in a synthetic backup policy, all the templates in the policy must use the same encryption key. You should not change the key after you create the policy.
• The minimum number of characters for 128-bit AES encryption is 8. The minimum number of characters for 256-bit AES encryption is 16. Symantec recommends that you use more than the minimum number of characters.
• Symantec recommends that you avoid using hardware compression with encryption. Hardware compression is performed after encryption. Data becomes randomized during the encryption process, and compression does not work properly on data that is randomized.
• You can use software compression with encryption for a backup job. First, Backup Exec compresses the files and then encrypts them. However, backup jobs take longer to be completed when you use both encryption and software compression.
• To catalog a tape on a different media server, you need to know the key and the encryption method (128/256 bit).
• Do not delete keys without first considering which backup jobs are currently scheduled and configured to use those keys.
• When you create a duplicate backup set template or a duplicate backup set job, backup sets that are already encrypted are not reencrypted. However, you can encrypt any unencrypted backup sets.
• For the synthetic backup template, Backup Exec automatically uses the encryption key that you select for the other templates in the policy. When you select encrypted data for restore, Backup Exec verifies that encryption keys for the data are available in the database. If any of the keys are not available, Backup Exec prompts you to re-create the missing keys. If you delete the key after you schedule the job to run, the job fails.
• If Backup Exec cannot locate an encryption key while a catalog job is processing, Backup Exec sends an alert. You can then re-create the missing encryption key if you know the pass phrase.

If you use encryption keys with the Intelligent Disaster Recovery Option, special considerations apply.

System requirements

To use the new encryption capabilities of Backup Exec 11d for Windows Servers, the Backup Exec server must have the following items installed:
• Windows 2000, Windows XP, or Windows Server 2003
• Backup Exec for Windows Servers 11d or later

In addition, Backup Exec 11d or later Remote Agents must be used.

Platform Agents Supported*
• Backup Exec Remote Agent for Windows Servers (RAWS)
• Backup Exec Agent for Linux and UNIX Servers (RALUS)
• Backup Exec Agent for Macintosh Systems (RAMS)
• Backup Exec Desktop and Laptop Option (DLO)

Application Agents Supported
• Agent for Microsoft Exchange Server**
• Agent for Microsoft SharePoint**
• Agent for Lotus Domino
• Agent for Microsoft DPM
• Agent for Microsoft Active Directory*

Database Agents Supported
• Agent for Microsoft SQL Server
• Agent for Oracle Servers
• Agent for IBM DB2 Servers on Windows
• Agent for SAP Applications

*The following Backup Exec Agents do not support encryption: Backup Exec Continuous Protection Agent (CPA) and Backup Exec Remote Agent for NetWare (RANW).
**The following Backup Exec Agents do not support encrypted disk-based backups when enabled with GRT: Backup Exec Agent for Microsoft Exchange Server, Backup Exec Agent for Microsoft SharePoint, and Backup Exec Agent for Microsoft Active Directory.

Backups enabled for encryption and sent to a disk target with new GRT for individual object-level recovery for Microsoft Exchange, SharePoint, and Active Directory are encrypted at the source during the network transit, but they are stored in an unencrypted format on the final backup disk target location.
Tape-based GRT-enabled backups do not have this limitation and are stored on tape in an encrypted format.

Other encryption architectures

Encryption for backup purposes can be done in both hardware and software. Each has its own advantages and disadvantages.

Backup Exec 11d provides powerful software-based encryption at no additional charge. However, some companies may want to take advantage of the features that a dedicated hardware-based encryption solution provides. Companies need to evaluate their environment and decide which method works best for them. The following table provides some guidance on the various advantages and disadvantages of software-based and hardware-based encryption. As the world's leading storage and security-focused company, Symantec is not recommending one type of encryption over the other. We simply believe in providing the highest level of security possible that best meets an organization's needs, regardless of whether or not it is hardware or software based.

Software-based versus hardware-based encryption

Consideration: Cost
• Backup Exec 11d: Included with Backup Exec 11d at no additional charge
• Dedicated hardware encryption solutions: Varies, but always more costly

Consideration: Key Management
• Backup Exec 11d: Included and integrated with Backup Exec 11d
• Dedicated hardware encryption solutions: Varies, vendor supplied

Consideration: Configurability
• Backup Exec 11d: Can be enabled on/off on a per-job, per-policy, or global default basis from disk to disk to tape (D2D2T), tape to tape (T2T), and disk to tape (D2T)
• Dedicated hardware encryption solutions: Varies, but usually complete data path from source to network to final destination

Consideration: Performance Impacts on Backup
• Backup Exec 11d: Depends on type of encryption (128-bit versus 256-bit) and server hardware capabilities and performance
• Dedicated hardware encryption solutions: Varies, but usually minimal compared with software-based encryption

Consideration: Ease of Data Recovery
• Backup Exec 11d: Encryption is pass phrase based, allowing the encryption key to be re-created at any Backup Exec 11d server for recovery
• Dedicated hardware encryption solutions: Varies, but usually not portable; requires hardware replacement or cluster solution if encryption device is lost

Consideration: Encryption Type
• Backup Exec 11d: 128-/256-bit AES encryption with OpenSSL ciphers
• Dedicated hardware encryption solutions: Similar

Consideration: Management
• Backup Exec 11d: No additional servers or hardware to manage for encryption capabilities
• Dedicated hardware encryption solutions: Additional hardware to manage, power, and cool within an environment

Hardware-based encryption devices provide performance advantages that only a dedicated hardware-based solution can provide (see Figure 7). In this topology, the security appliance for hardware-based encryption serves as the device responsible for managing and controlling all encryption activities, including data that is protected through Backup Exec. When a job is scheduled to run, Backup Exec is unaware that a hardware-based encryption solution is present on the network. The hardware-based encryption device is responsible for all encryption and decryption duties including key management. It is required to be present and available in order for the data to be accessible.

Figure 7. Hardware-based encryption
[Diagram titled "Hardware Based Local + Remote Encryption"; labels include Exchange, File Servers, SQL, Media Server, Security Appliance for Hardware-based Encryption, Tape Library, and Backup to Disk Location.]

Summary

With the new encryption capabilities offered by Backup Exec 11d for Windows Servers, your company's critical and sensitive data can be easily protected in a secure format from unauthorized access. By combining the industrial-strength encryption capabilities of 128-/256-bit AES OpenSSL encryption with Backup Exec software's ease of use and flexible implementation to encrypt what, when, and where you want, businesses that rely on Backup Exec can be confident that their critical data is secure wherever it may reside.

For specific country offices and contact numbers, please visit our Web site.
For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com

Copyright 2006 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, and Backup Exec are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Macintosh is a trademark of Apple Computer, Inc., registered in the United States and other countries. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries. Other names may be trademarks of their respective owners. Printed in the USA. 10/06 11305664

About Symantec

Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.
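
The key behaviour described under "Managing encryption keys" and "Common and restricted keys for restores" (a pass phrase always regenerates the same key, stored keys are checksum validated, and a non-owner must supply the pass phrase for a restricted key) can be modelled as follows. This is an added example, not Backup Exec code: the white paper does not say how a pass phrase becomes a key or how the checksum is computed, so PBKDF2-HMAC-SHA256 with a fixed salt, the SHA-256 checksum, and the names `KeyStore`, `derive_key` and `key_for_restore` are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumptions, not taken from the white paper: PBKDF2-HMAC-SHA256, the
# fixed salt, the iteration count and the SHA-256 checksum construction.
SALT = b"constructed-fixed-salt"
ITERATIONS = 100_000
MIN_LEN = {128: 8, 256: 16}   # minimum pass phrase lengths stated in the paper


def derive_key(pass_phrase: str, bits: int) -> bytes:
    """Deterministic: the same pass phrase and key size always give the same key."""
    if bits not in MIN_LEN:
        raise ValueError("bits must be 128 or 256")
    if len(pass_phrase) < MIN_LEN[bits]:
        raise ValueError(f"pass phrase needs at least {MIN_LEN[bits]} characters")
    return hashlib.pbkdf2_hmac("sha256", pass_phrase.encode(), SALT,
                               ITERATIONS, dklen=bits // 8)


def key_checksum(key: bytes) -> bytes:
    return hashlib.sha256(b"checksum:" + key).digest()


@dataclass
class KeyRecord:
    owner: str
    restricted: bool
    bits: int
    key: bytes        # a real key database would also encrypt this at rest
    checksum: bytes


class KeyStore:
    """In-memory stand-in for one media server's key database."""

    def __init__(self):
        self.records = {}

    def create(self, name, owner, pass_phrase, bits=256, restricted=False):
        key = derive_key(pass_phrase, bits)
        self.records[name] = KeyRecord(owner, restricted, bits, key, key_checksum(key))
        return key

    def key_for_restore(self, name, user, pass_phrase=None):
        rec = self.records.get(name)
        if rec is None:
            raise LookupError("key missing: re-create it from the pass phrase")
        # Detects a key record that was altered without its checksum.
        if not hmac.compare_digest(key_checksum(rec.key), rec.checksum):
            raise ValueError("stored key failed checksum validation")
        if not rec.restricted or user == rec.owner:
            return rec.key
        if pass_phrase is None:
            raise PermissionError("restricted key: pass phrase required")
        try:
            candidate = derive_key(pass_phrase, rec.bits)
        except ValueError:
            candidate = b""
        if not hmac.compare_digest(candidate, rec.key):
            raise PermissionError("wrong pass phrase")
        return rec.key


def demo():
    """Walk through the restore cases the white paper describes."""
    phrase = "tape vault pass phrase 2006"        # constructed sample value
    server_a, server_b = KeyStore(), KeyStore()
    key = server_a.create("offsite", "user_a", phrase, bits=256, restricted=True)
    results = {"owner": server_a.key_for_restore("offsite", "user_a") == key}
    try:
        server_a.key_for_restore("offsite", "user_b")
        results["other_user_no_phrase"] = "restored"
    except PermissionError:
        results["other_user_no_phrase"] = "prompt"
    results["other_user_with_phrase"] = (
        server_a.key_for_restore("offsite", "user_b", phrase) == key)
    # Keys cannot be moved between servers, but the pass phrase rebuilds them.
    results["recreated_elsewhere"] = server_b.create("offsite", "admin", phrase) == key
    # Simulate tampering with the stored key bytes.
    server_a.records["offsite"].key = bytes(32)
    try:
        server_a.key_for_restore("offsite", "user_a")
        results["tampered"] = "rejected-not-raised"
    except ValueError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Because the key is a pure function of the pass phrase in this model, the pass phrase is the only secret protecting an offsite tape, which is why the paper recommends using more than the minimum length.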
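
The best-practice advice on compression (software compression runs before encryption, hardware compression runs after it and sees randomized data) can be measured directly. This is an added example, not from the white paper: `zlib` stands in for both the software compression and the tape drive's hardware compression, a SHA-256 counter-mode keystream stands in for AES, and the sample data and key are constructed.

```python
import hashlib
import zlib

KEY = b"constructed-demo-key"          # constructed sample value

# Constructed sample data: repetitive records, as found on a file server.
SAMPLE = b"".join(
    b"2006-10-%02d,invoice,%06d,customer-%04d,PAID\n" % (1 + i % 28, i, i % 500)
    for i in range(5000)
)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption, not AES): XOR with SHA-256(key || counter).

    Its output is statistically random, which is the property that matters
    for compression. Applying it a second time decrypts.
    """
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def software_path(data: bytes, key: bytes) -> bytes:
    """Compress first, then encrypt (the order the paper gives for software compression)."""
    return keystream_xor(key, zlib.compress(data))


def hardware_path(data: bytes, key: bytes) -> bytes:
    """Encrypt first, then let the drive try to compress the ciphertext."""
    return zlib.compress(keystream_xor(key, data))


def restore_software_path(blob: bytes, key: bytes) -> bytes:
    """Reverse of software_path: decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, blob))


def measure(data: bytes = SAMPLE, key: bytes = KEY) -> dict:
    """Bytes that would reach the medium on each path."""
    return {
        "original": len(data),
        "compress_then_encrypt": len(software_path(data, key)),
        "encrypt_then_compress": len(hardware_path(data, key)),
    }


if __name__ == "__main__":
    for name, size in measure().items():
        print(f"{name:>22}: {size:>7} bytes")
```

Compressing the ciphertext yields no saving, so enabling drive compression on encrypted jobs only costs tape capacity planning accuracy; the compress-then-encrypt path keeps the space saving at the price of extra client CPU time.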






