Site Security Example: Low Security Site - Spectra Logic T-Series Spectra T200 User Manual

Password(s) for Key Import and Export Passwords are also used to encrypt
keys for export and when importing previously exported keys. This
feature is only available after you log into the library as a superuser and
enter the encryption password. Your site may want to consider whether to
create different rules for these passwords, such as requiring that these
passwords are longer than the encryption access password(s), and
therefore more secure.
Monikers Your site may want to create rules governing naming
conventions for key monikers, an alphanumeric identifier used to refer to
the never-revealed true key value, which is a 256-bit key.
Password and Naming Standards Examples Create password and naming
standards, in part again depending on your site's security requirements.
For example, your site may require a high level of security for access to
encryption partitions, in which case you need to require some combination
of the following:

Site Security Example: Low Security Site

The following table describes the security considerations and encryption
configuration for a small company with 75 employees.
Security Considerations
Security goals
Encryption
principals
Data to encrypt
Level of security to
implement
Data sets requiring
isolation
Key escrow
method
Copies of each key
to store and their
locations
Key rotation plan
December 2008
A long password
A combination that requires alphabetic and numeric characters
No password that corresponds to a dictionary entry
Passwords to be reset at predefined schedules
Protecting company from legal liability associated with unauthorized access to
data stored on tape, both onsite and offsite, including transport to the offsite
location.
IT administrator, company president, corporate legal counsel.
Financial and consumer identity data.
BlueScale Standard Edition: single key per library is sufficient.
Standard initialization mode: encryption partitions are enabled at all times.
None. A single partition for encrypted data is sufficient.
Staff at company will escrow keys at a site remote from the data storage
location.
Keep three copies of each key: one with the senior IT administrator, one with
the company president, one in a corporate safety deposit box.
Create a new key every six months.
BlueScale Encryption Overview
T200, T380, and T680 Libraries
203