Connection encryption between SQL Server and BackupExec

  • We are in the midst of securing all internal communications via encryption, a security requirement by law for us...

    We are using SQL Server encryption from the server to the clients for all sensitive databases, but we have not turned on force encryption yet due to not knowing how some programs might act.

    One such program is Symantec's BackupExec. We are using BE 2012 and the SQL Server backup agent to back up our database servers. We have contacted Symantec about this and they don't seem to have a clue what we are asking. They keep telling us the agent is encrypted if you have hardware encryption turned on the tape... well, that's not what we need to know... we wanted to know, if you force encryption at the database server connection level, how does the agent react...

    We need to make sure we are not leaving an unencrypted path between the server and the backup agent. We know the data from the agent to the media server are encrypted via certificate / key exchanges. We know the data from the media server to the tape are encrypted via a key we provided. We just don't know how or if the data from the server to the agent are encrypted...

    Does anyone have any experience with this or any knowledge of how BackupExec handles a required encrypted connection setting?

  • The item that I find is this:

    http://www.symantec.com/connect/blogs/backup-exec-2012-security-improvements

    However, I am unaware of anywhere that the law requires this, where are you?

    CEWII

  • Elliott Whitlow (7/2/2013)


    The item that I find is this:

    http://www.symantec.com/connect/blogs/backup-exec-2012-security-improvements

    However, I am unaware of anywhere that the law requires this, where are you?

    CEWII

    We have encryption requirements in the industry I am in, and we need to reasonably assure that all data traffic between devices is "secured", so since we are encrypting server to client, we wanted to make sure all points of transit follow a similar scheme, or at least be able to say we researched them to get an idea of what is or isn't securable.

  • Fair enough, even when I worked in banking this wasn't required, but alright..

    Based on that article the agent to the back end is encrypted or at least can be. If the agent is ON the box then it is likely using the shared memory provider which has no encryption..

    CEWII

  • How are you planning on enforcing the encryption for the connection? I ask because if you are using FIPS I would test it out because you can break application functionality if something depends on non-FIPS validated algorithms.

    Joie Andrew
    "Since 1982"

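To see how a given client actually connects, as the thread asks about the backup agent, the queries below (an added example, not from any poster or from Symantec) list each live connection's transport and encryption state from SQL Server's connection DMVs. They assume VIEW SERVER STATE permission and a backup job running at the time; the agent's program_name is not given on this page, so identify its rows by host and login.

```sql
-- Added example: audit live connections before enabling Force Encryption.
-- Run on the database server while a backup job is in progress so that the
-- backup agent's sessions are present in the DMVs.

-- 1. One row per physical connection, unencrypted ones first.
SELECT
    s.session_id,
    s.program_name,        -- client-supplied application name
    s.host_name,
    s.login_name,
    c.net_transport,       -- e.g. 'Shared memory', 'TCP', 'Named pipe'
    c.encrypt_option,      -- 'TRUE' when the connection is encrypted
    c.auth_scheme,
    c.client_net_address,
    c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND c.parent_connection_id IS NULL   -- skip MARS logical sessions
ORDER BY c.encrypt_option, s.program_name, s.session_id;

-- 2. Summary per client program and transport, to spot which applications
--    would be affected (or left uncovered) by the encryption setting.
SELECT
    s.program_name,
    s.host_name,
    c.net_transport,
    c.encrypt_option,
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND c.parent_connection_id IS NULL
GROUP BY s.program_name, s.host_name, c.net_transport, c.encrypt_option
ORDER BY c.encrypt_option, connection_count DESC;
```

Rows with net_transport = 'Shared memory' are local connections that never leave the host; rows with encrypt_option = 'FALSE' over TCP or named pipes are the ones that cross the network in the clear.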