Storage area networking and data security: choosing the right solution for maximizing storage and integrity. (SAN/NAS Backup)

Storage area networks (SANs) continue to attract attention as enterprises look for ways to reduce management costs, accommodate data growth and increase utilization of storage assets. The ability to distribute storage resources over a network, consolidate management and allow multiple applications and users to share disks holds a lot of promise and appeal, and the options and tools for creating this type of architecture are rapidly expanding.
However, some customers fail to realize that plugging everything into the same switched network merely provides physical connectivity, more bandwidth and better problem isolation. Left at that, the possibilities for unintentional and malicious data access and corruption in this many-to-many network actually increase. That's why securing, centralizing and consolidating control and monitoring of the network storage resources requires comprehensive storage management--a layer of software that oversees all facets of data storage and retrieval and enforces site-specific policies for who gets what.
Storage security concerns need to be addressed at the host, management and storage levels. This article concentrates on the core capabilities and benefits of SANs, current trends in "virtualized storage," methods of implementing open storage networks and some of the security impacts that result from these implementation choices.
The Path to Storage Networks
Storage configurations, in the absence of storage networking, are constrained by the cabling and bandwidth limits of Small Computer System Interface (SCSI) hardware: short cable runs of 25 meters or less (far less for single-ended SCSI), a limited number of addressable devices per host bus adapter (HBA), and exposure and sensitivity to hardware failure and downtime. Because of this wiring limitation, SCSI disk devices are inherently slaves to individual servers. Resources are bound to specific hosts with no way to reallocate the spare capacity. In practice, it is common for one server to completely exhaust its disk space and incur downtime for reconfiguration while adjacent servers have surplus space going to waste.
Fibre Channel: A Step in the Right Direction
With Fibre Channel products came the introduction of SANs, and connectivity became much easier: fewer cables, stretching dramatically longer distances and attaching numerous devices. Fibre Channel switches also brought a degree of centralization of management and uniformity of administration.
Still, in a Fibre Channel-based SAN, disk capacity remains enslaved to individual servers, and by default every host attached to the fabric can see, and write to, every attached disk.
Obviously, this is not only a major security problem but a data integrity issue as well. One approach to these concerns is to "zone" the Fibre Channel switches, i.e. to segregate data paths through the switch's management interface so that competing servers are blocked from seeing the same storage device. While this prevents one server from viewing and tampering with another server's data, the process requires a lot of individual attention to each storage path and practically negates the management advantages of networked storage. In large enterprises, it's not uncommon for IT staff to dedicate a significant amount of time simply to managing the zones of switches and changing the configuration for various reconfiguration and maintenance tasks.
Storage Pooling: Key to the Value of SANs
Regardless of the type of SAN connectivity, the foundation for achieving simplified management and increased storage capacity utilization is the ability to consolidate a variety of storage assets into a "storage pool" from which one can freely allocate capacity wherever and whenever it's needed. Although storage area networking has evolved significantly, the ability to flexibly pool and allocate storage remains limited. Many early adopters assumed that the hardware advances of improved performance, longer cable lengths, and a more sophisticated network infrastructure alone would naturally include storage pooling.
Unfortunately, that is not the case. Fibre Channel-based SANs allow application servers to be physically separated by greater distances from the storage devices and enable multiple servers to attach to each disk array, but additional intelligence is needed to appropriately allocate and share disk space. This intelligence is the key to easing administration, automating tasks, eliminating planned downtime and fully utilizing available disk capacity.
And as one major healthcare provider learned, even though a high-end, SAN-connected, intelligent storage subsystem may have its capacity fully allocated to applications, this is very different from being fully utilized. Some applications didn't use all the space given, while others used it faster than anticipated. As a result, this healthcare organization faced the need to purchase an additional, expensive and identical piece of proprietary hardware, because much of the available existing disk space was simply inaccessible. They instead opted to implement storage pooling technology.
Storage pooling is the result of a technique called "storage virtualization," which breaks the one-to-one relationship between servers and disks and treats all storage as a consolidated resource, making it easier to allocate volumes of capacity and to perform maintenance and other common tasks nondisruptively. Virtualization enables additional layers of features, functions and automation that further ease the task of administration.
There are many ways to define and describe storage virtualization and a few different methods of implementation. In this discussion, two important things should be kept in mind:
* Vendors do not implement virtualization uniformly. Many confine its use to very narrow hardware or software environments. This article mentions many capabilities of virtualization, but not all products will necessarily have all these features.
* Virtualization, while vital to many of the benefits of SANs, is not a solution in and of itself, any more than an engine is the equivalent of a car. Features such as replication, point-in-time volume copy, remote mirroring, caching, and automation layered on virtualized underpinnings complete the value proposition of consolidated SANs.
Storage-Based Virtualization and Management: On the Move
Historically, storage management has been a core feature of intelligent storage arrays. Advanced features such as automated provisioning of disk space, protection of data by keeping current redundant copies, etc. are appealing and successful at reducing some of the management burden. The resident volume allocation features of the storage array in combination with switch zoning provide a measure of volume-access security.
The primary drawback of intelligent arrays is that the functionality is built on proprietary, custom-configured hardware and embedded firmware with very narrow coverage. This design choice has important ramifications for end-users:
* If more than one storage device is in place, as is true for nearly any enterprise, the management tools and benefits of array-based storage virtualization often only apply to the single device from that vendor (in other cases, users are restricted to using the same exact model of storage to retain cross-hardware management functionality). This creates a lock-in condition for the customer, which means higher costs for upgrades, service and expansion.
* Feature upgrades are complex and costly for the vendor due to the proprietary nature of the storage hardware and firmware. These costs are naturally passed on to the customer. Upgrade cycles can be slow and major improvements in performance or technology generally correspond with "forklift" replacement when new technology finally arrives.
Limiting storage virtualization to the proprietary storage array makes it nearly impossible to maintain both backward compatibility and purchasing flexibility in future storage acquisitions. It is common for suppliers of these storage subsystems to recommend abandoning existing storage assets in order to install a new storage network.
The advanced functionality that these devices offer is appealing, but the costs increase with lock-in pricing and slow adoption of important new technologies. The inability to mix-and-match storage devices diminishes the ability to optimize utilization. Data that could be adequately served with midrange disk arrays is confined to the premium-priced storage. Although array-based virtualization is common today, the economic pressures of data storage growth and management are making sole reliance on this strategy untenable.
The good news is that, in recognition of the complications posed by the proprietary array-based approach, every major storage vendor has announced intentions of developing network storage virtualization engines that remove many of these complexities. While most in-house virtualization development and related initiatives are still at least a year in the making, many storage suppliers are OEMing and reselling virtualization software, offering customers a wide range of options and benefits today.
Host-Dependent Approaches Are Complex to Manage, Scale and Secure
Some host volume management tools technically incorporate basic forms of virtualization--partitioning bigger disks under their control into smaller volumes and concatenating smaller disks into larger volumes. Similarly, a few storage virtualization approaches depend on software agents on each application server to receive instructions from a management device elsewhere in the network. Still others propose to use embedded proprietary code in specific HBAs or software drivers. One thing remains constant with all these techniques: dependency on some host-based "agent," i.e. proprietary technology that resides on the server to accept and enforce storage-related instructions, which is what enables the virtualization. "LUN masking," "asymmetric virtualization," and "out-of-band virtualization" are common labels for these implementations.
These methods attempt to compensate for the fact that operating systems are not designed to share storage resources between servers. When connected to a storage network, each host would normally claim any visible storage as its own, leading to major security holes and data corruption. The server-based agent limits what each host "sees," and therefore what it can access.
There are several security and management implications with host-dependent approaches:
* Security of the data path is left to an "honor system." Servers not equipped with these proprietary agents can wreak havoc on corporate data.
* Installation and management is required on every server, adding to the total time and cost to bring a system online and perform upgrades, as well as distributing responsibility for secure volume allocation. Each set of applications could potentially have different functional owners, requiring complex coordination of IT staff resources and planned downtime to ensure proper compliance and configuration of the agents.
* For it to be effective, the specialized agent must be available for each operating system version in use. The developer of the driver can choose to stagger the release of support for various platforms, or not support a particular platform at all. This inherently exposes the corporation to the risk of introducing an unsupported platform and delaying needed system upgrades until the storage control agent is updated and tested. These types of dependencies slow growth and responsiveness to changing operational needs.
* It has the potential to steal processing cycles from applications. Feature-rich storage management capabilities at the host expose applications to bottlenecks, even though on paper they appear to be out of the data path.
A platform-independent approach, one that does not require any specialized agents or drivers on the application servers, isn't susceptible to these problems.
Last year, a large government agency was investigating ways to consolidate storage and storage management for a typically mixed bag of application servers that included HP-UX, Sun Solaris, Microsoft Windows and Novell NetWare. In the search, the agency explored a range of options, and every host-dependent storage management product was eliminated for a very basic reason: the lack of uniform support for all platforms in the environment. Even with promises of support for a given platform in the future, the shortcomings
Network-Based Virtualization and Control
A network-based solution centralizes virtualization and management services in independent management devices, i.e. servers dedicated to the task of managing the storage network, sometimes called "storage control nodes." This solution is best positioned to eliminate most dependencies and provide the most durable, flexible virtualization and management mechanism without sacrificing data security.
Independence from server and storage enables each to grow and change without adversely affecting the storage management scheme set in place, and offers significant cost benefits. Properly designed, this solution leverages other manufacturers' expertise in hardware, infrastructure, connectivity and systems design, and delivers storage control functionality via software. The inherent compatibility with any vendor's storage and any operating system gives the customer a wide range of purchasing options to negotiate a satisfactory price. Finally, correctly implemented network-based virtualization can rapidly accommodate emerging connection technologies without requiring a fundamental redesign of the network.
Placing the responsibility and control for all storage volume allocations centrally in the network, regardless of the application environment and the storage back-end, delivers significant management benefits. There is no need to install or manage agents at the host to keep it from gaining unauthorized access to storage. With passwords and authentication limited to specific management nodes, ensuring physical and logical security over storage allocation is much easier.
In addition, some leading implementations of network storage management can generally eliminate the complications of switch zoning. Rather than creating many zones connecting some servers to some storage, advanced solutions create essentially two zones that entirely separate servers from storage. The path to storage is handled exclusively and centrally through the virtualization and management nodes, again resulting in consolidated, secure control over volume allocations.
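The visibility rules behind the zoning discussion, the host-agent "honor system" and the two-zone model above can be made concrete with a small model of a fabric. The following Python is an added example, not code from the article or from any vendor's product: the server and array names, the WWPNs, the masking table and the volume names are all constructed, and it assumes (as older switches did by default) that a fabric with no active zone set lets every logged-in port reach every other. It compares three schemes: no zoning at all, coarse per-pair zoning with a host-resident masking agent, and the two-zone arrangement where only the storage control nodes are ever zoned to the arrays and allocation is a table kept on those nodes.

```python
"""Who can reach which storage on a Fibre Channel fabric under three
access-control schemes: no zoning, one zone per server/array pair with a
host-side masking agent, and the two-zone in-band model in which only the
storage control nodes ever sit in a zone with the arrays.

All names and WWPNs below are constructed for the example."""

# Constructed port WWPNs. Initiators (application servers):
SERVERS = {
    "oracle-db":  "10:00:00:00:c9:aa:00:01",
    "exchange":   "10:00:00:00:c9:aa:00:02",
    "fileserver": "10:00:00:00:c9:aa:00:03",
    "test-box":   "10:00:00:00:c9:aa:00:04",  # unmanaged host: no agent installed
}
# Targets (disk arrays):
ARRAYS = {
    "array-a": "50:06:01:60:00:00:00:01",
    "array-b": "50:06:01:60:00:00:00:02",
    "array-c": "50:06:01:60:00:00:00:03",
}
# Storage control nodes of the in-band model: a target towards the hosts,
# an initiator towards the arrays.
CONTROL_NODES = {
    "scn-1": "21:00:00:e0:8b:00:00:01",
    "scn-2": "21:00:00:e0:8b:00:00:02",
}
ARRAY_PORTS = set(ARRAYS.values())
STORAGE_PORTS = ARRAY_PORTS | set(CONTROL_NODES.values())


def reachable_storage(initiator_wwpn, zones, storage_ports=STORAGE_PORTS):
    """Storage-side ports the initiator can address once the fabric applies
    the active zone set. Assumption: with no zone set active the fabric is in
    its permissive default and every logged-in port can reach every other."""
    if not zones:
        return set(storage_ports) - {initiator_wwpn}
    reachable = set()
    for members in zones.values():
        if initiator_wwpn in members:
            reachable.update(members)
    return (reachable & set(storage_ports)) - {initiator_wwpn}


def single_initiator_zones(intent):
    """One zone per (server, array) pair the administrator wants connected;
    the zone count grows with servers x arrays."""
    return {f"z_{s}_{a}": [SERVERS[s], ARRAYS[a]] for s, a in intent}


def two_zone_config():
    """Hosts are zoned only to the control nodes and control nodes only to
    the arrays; no host port is ever in a zone with an array port."""
    return {
        "z_hosts_to_control": list(SERVERS.values()) + list(CONTROL_NODES.values()),
        "z_control_to_arrays": list(CONTROL_NODES.values()) + list(ARRAYS.values()),
    }


# Masking table that a host-resident agent is supposed to enforce.
AGENT_MASK = {
    "oracle-db":  {ARRAYS["array-a"]},
    "exchange":   {ARRAYS["array-b"]},
    "fileserver": {ARRAYS["array-c"]},
}


def host_enforced_view(server, zones, has_agent):
    """What a host ends up claiming when enforcement lives on the host. A host
    that lacks the agent (or has it disabled) keeps everything the fabric
    shows it: the honor system."""
    raw = reachable_storage(SERVERS[server], zones)
    if not has_agent:
        return raw
    return raw & AGENT_MASK.get(server, set())


# Allocation table held on the control nodes, the one place that needs
# authenticated administrative access in the in-band model.
ALLOCATIONS = {
    "oracle-db":  ["vvol-db-data", "vvol-db-logs"],
    "exchange":   ["vvol-mail"],
    "fileserver": ["vvol-shares"],
}


def volumes_presented(server, zones, allocations=ALLOCATIONS):
    """Volumes a host can mount in the in-band model: it must be zoned to a
    control node, and a control node must hold an allocation for it. A host
    with no allocation sees no storage at all, agent or no agent."""
    control_ports = set(CONTROL_NODES.values())
    if not reachable_storage(SERVERS[server], zones) & control_ports:
        return []
    return list(allocations.get(server, []))


if __name__ == "__main__":
    pairs = single_initiator_zones([(s, a) for s in SERVERS for a in ARRAYS])
    print("no zoning: test-box reaches arrays",
          sorted(reachable_storage(SERVERS["test-box"], {}, ARRAY_PORTS)))
    print("per-pair zoning:", len(pairs), "zones; two-zone model:", len(two_zone_config()))
    print("test-box, per-pair zoning, no agent:",
          sorted(host_enforced_view("test-box", pairs, has_agent=False)))
    print("test-box under in-band control:", volumes_presented("test-box", two_zone_config()))
```

Two things fall out of running it. Four servers and three arrays already need twelve per-pair zones against two in the control-node model, and the gap widens with every host or array added. More to the point, under host-side masking the unmanaged test-box keeps every array the fabric shows it, whereas under the two-zone model no host port is ever zoned to an array, so a host that the control nodes have no allocation for is presented nothing, no matter what software it runs.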
The network-based model for consolidated storage management, enabled by host- and storage-independent virtualization, is arguably the fastest growing solution in SAN management. There is a noticeable trend taking hold: from a security management perspective, several major entities in the financial, healthcare, defense and administrative government sectors--all of which have strict security requirements--are among the earliest adopters of network-based storage management solutions, and the momentum is growing.
In-Band Virtualization Assists Security
Notice that the points above specifically concern an implementation where the data flows through the management nodes, known as an "in-band" approach. This is deliberate: the choice of approach has a direct bearing on security.
Implementations that use a sidelined management console while data flows directly from server to storage "out-of-band" sound comforting in concept, but there are limitations inherent in outfitting application servers with software or hardware elements that control authorized access to a particular volume:
* Managing servers is increasingly complex as the organization scales
* Security is an issue when relying on these distributed access-control mechanisms
* The drivers might not be available for all platforms and all versions of each OS
* Implementation and upgrades are more difficult when accounting for so many points of control
Differentiating In-Band Alternatives
In-band approaches must contend with latency and availability issues--will the storage control node slow response and what happens if the node should fail? These are valid questions, and each vendor's solution deals with these issues to varying degrees.
With regard to availability, well-designed solutions enable cost-effective "N+1" redundancy, exploiting the end-to-end design of the storage network to eliminate single points of failure. In this model, the solution is sized based on performance, bandwidth, and connectivity requirements; adding one more collaborating device covers the workload in the event of an outage. In other words, if five management nodes are needed to meet performance criteria, a sixth is added to protect against failures. There are several products that take a "2N" approach, where every device is backed up by a secondary device, but clearly these are more costly and difficult to scale.
For performance, a few network-based storage management nodes implement caching algorithms very similar to those found in the leading enterprise storage arrays. With caching, not only can latency issues be eliminated, but users actually experience across-the-board performance improvements.
A printing and publishing business, after installing a storage networking platform that incorporates caching, documented a performance improvement of an astounding 300%--so tremendous that even the pre-press production staff complimented the IT director on the new efficiency. The workload, types of data transfer and configuration of the solution also affect the ability to achieve such results, but these types of acceleration techniques are viable.
Not all in-band offerings provide the same level of protection and performance enhancement; price to deliver availability and high performance can also vary significantly depending on the hardware platform used for the virtualization device.
It's Decision Time
Storage networks are a fast-growing reality in enterprise data centers. Many organizations are still making the transition from direct-attached storage to networked storage, and from network-connected to truly open, consolidated, managed networking.
With all this movement and diversity of hardware and software, one thing has remained constant: storage virtualization techniques, and the features and automation built on top of them, are critical to fully realizing the benefits of SANs.
For these reasons, it's essential to incorporate security in your decision-making criteria along with manageability, scalability, and performance--and to do so from the outset. Like quality, security is difficult to add on after the fact.
Calvin Hsu is product marketing manager at DataCore Software (Ft. Lauderdale, Fla.)