Companies that want blanket encryption coverage on the back end before it goes to backup should consider appliances that sit between servers and storage systems and encrypt the data as it moves back and forth, says W. Curtis Preston, vice president of data protection at GlassHouse Technologies Inc., a storage services company in Framingham, Mass.

Specialized encryption appliances like Decru Inc.'s DataFort, which was acquired by Network Appliance Inc. last summer, and NeoScale Systems Inc.'s CryptoStor can run in storage-area network (SAN), network-attached storage (NAS), iSCSI and tape infrastructures. They encrypt data at close to wire speed, with little latency. Both vendors have also developed versions of their products that will encrypt backup tapes. Decru's offering encrypts NetApp storage, as well as EMC Corp., Hewlett-Packard Co., Sun Microsystems Inc. and IBM storage.

Fusca says encrypting and decrypting data goes unnoticed by users at Dartmouth. "When they get up on the analytical servers and start drawing data through either the tape library or the electronic storage through the DataForts, it is relatively transparent, and there are no discernable delays in accessing the data," he says.

Key management has been simplified. "Once we identify the appropriate client stations that are on the virtual private network that can draw requested encrypted data into their 'cryptainer' [a device that stores decrypted data on the desktop], it's relatively fast and painless for them," Fusca adds.

Appliances also trump software-based encryption at the database level when it comes to compression. Software-encrypted data can't be compressed, which is a tape-drive space savings of 1.5 to 1. "These hardware devices have a compression chip in them, so they compress before they encrypt," Preston says.