This section gives an overview of the T10000A/B/C tape drives and explains the general principles of tape drive security. This security guide covers the T10000A, T10000B, and T10000C tape drives.
The T10000A/B/C family of Enterprise tape drives attach to both open systems SCSI over Fibre Channel protocol and to mainframe over FICON protocol. The T10000 tape drives transfer data to and from a host and stores it on a removable magnetic media. The T10000 family of tape drives intend primarily to provide high reliability, high capacity back up, archive, and data processing capabilities for enterprise customers that demand high duty cycle and reliability. Each product in the family provides optional data encryption. The customer has the option to enable the encryption feature. All products meet the minimum Federal Information Processing Standard (FIPS 140-2 Level 1). Each tape drive product was enhanced for capacity and native tape speed. In addition, data management features were also added along the way. The following describes the capacity and performance migration from one generation to the next.
500 GB capacity and 120 MB per second native tape speed
1TB capacity and 120 MB per second native tape speed
5TB capacity and 240 MB per second native tape speed
All tape drive products are designed and documented for use within a controlled hardware environment. Tape Drives are always located inside a controlled data center and they are typically located inside of a Tape Library. In some cases the customer will use a rack mount version but that is rare. The controlled data center is also inside a fire wall that is protected by the customer's own security policies. This will give the best functionality and protection from compromise, both from the internet in general and from the internal entity operating the tape drive.
The following principles are fundamental to using any product securely.
One of the principles of good security practice is to keep all software versions and patches up to date. Throughout this document, we assume software level of:
Keep the tape drive behind a data center firewall. The firewall provides assurance that access to these systems is restricted to a known network route, which can be monitored and restricted, if necessary. As an alternative, a firewall router substitutes for multiple, independent firewalls. It is recommended that you identify the hosts allowed to attach to the Tape Drive and block all other hosts if possible.