Storage and security trends in enterprise IT

Storage Expo : 01 October, 2008  (Technical Article)
Luo Quingchao of Huawei Technologies examines the aspects of enterprise data transfer and storage that affect IT security requirements
As network applications have spread, people have come to recognize the importance of data and pay more attention to data security. In most cases, however, data security is still associated only with hackers and viruses. In fact, data security should cover every aspect: system security, technical security, computational security, storage security, transmission security, product security, and service security. Data security is therefore no longer confined to simple concepts such as encryption, decryption, public keys, and private keys. Instead, it is a broad concept that particularly involves storage security, that is, the secure transfer and storage of data with its integrity and reliability guaranteed.

The Internet became widespread with the popularization of PCs, and networks became a necessity of everyday communication. Data is transmitted from PCs over networks and ultimately reaches servers. The security of that transmission path attracted attention early on. In the 1990s, when enthusiasm for networking was at its height, emerging global data communication vendors such as Cisco, Juniper, and Huawei were already considering network security, and security products such as firewalls and VPN devices sprang up around the world. The CIH virus and network worms threatened ordinary PCs and caused widespread panic. Against that background, numerous antivirus software vendors, such as Symantec, Trend Micro, and Rising, emerged.

The process of transmitting data from servers to storage media escaped people's notice and seemed somewhat mysterious because of its high technical threshold and the little publicity it received. Later, as more and more IT applications were deployed at scale, people became increasingly concerned about storage requirements, data reliability, and data security, especially after the 11 September 2001 attacks. Storage vendors such as EMC, HDS, NetApp, and Veritas (acquired by Symantec in 2005) emerged and came to play an important role in the IT world.

Transmitting data from servers to storage media has become more and more complex with the rise of the data-sharing Storage Area Network (SAN). Just as with the TCP/IP protocol stack used in networks, the process involves several processing layers, modules, and transmission devices. Because potential security threats exist at every layer of the transmission process, the security and reliability of data along the whole storage path must be addressed.

A SAN is composed of hosts, storage switches, and storage arrays. It enables data sharing, avoids isolated islands of information, improves scalability, and provides strong performance and reliability guarantees. The SAN is the infrastructure on which the storage security of enterprise data rests. Below is a closer look at the security of each of the three components.

Security and Reliability of Data Flows on the Host

Today the operating system running on a server may be Unix, Linux, or Windows. Whatever the platform, data requests arriving over the network pass through the network adapter to the application programs, and the data then travels from the application layer down to the operating system kernel. Potential security and reliability problems therefore exist at every layer.

1 Security and reliability of applications. New applications emerge one after another, and with them more and more security vulnerabilities; new viruses keep appearing alongside widely deployed applications such as QQ, MSN Messenger, and Microsoft Word. Malicious software plagues users, and antivirus vendors are working hard to deal with these threats.

2 Security and reliability of the file system. After passing through the application programs, the data arrives at the file system. Storage seems mysterious because the operating system encapsulates the storage details: users need only find the correct file to read or write, and the read or write itself is transparent. Security and reliability threats nonetheless exist at this stage; file system crashes and unintended file deletion are common. Journaling file systems and Continuous Data Protection (CDP) were developed in response, and clustering and cluster file systems came into being to prevent single points of failure on servers.

3 Security and reliability of volume management. After the file system, the data is passed to the volume management layer. A volume is similar to a partition, except that a volume may span several partitions or disks. A volume composed of a single partition provides no redundancy, which is a security defect: the entire volume fails once the data in that partition is damaged. To protect the data, volume management (for example mirroring a volume across partitions) and snapshot technologies are applied.

4 Security and reliability of the Host Bus Adapter (HBA). After all the layers above, the data reaches the HBA, which transfers it to the storage device; the HBA provides the server's data storage and access paths. Because a single path is itself a potential point of failure, multipath I/O technology is used to improve performance and guarantee reliability, so that the loss of one path does not interrupt access to the data.

Security of Switching in the SAN

The main parts of the SAN fabric are the Fibre Channel network and the IP network, which carry storage data and commands. Fibre Channel carries them over the FC protocol, whereas the IP network carries them over TCP/IP (for example as iSCSI). The security and reliability of SAN switching must therefore be considered.

1 Security and reliability of the paths. For the switching devices in the SAN, single points of failure in the network paths, whether FC or IP, must be considered. Designing redundant links and managing the paths properly is therefore very important.

2 Security and reliability of device access. Zones are used on FC switches and VLANs on Ethernet switches to isolate users; both are access-isolation techniques (note that zoning by World Wide Name relies on an identifier the host itself presents and can spoof, whereas port-based zoning is bound to the physical switch port). On the IP network the storage side must also consider the trustworthiness of hosts, that is, which authentication mode is applied before a host is allowed to access the storage device. This is crucial.
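The host authentication question raised above, worked through as an added example (this is not code from the article or from Huawei). It assumes, which the article does not state, that the IP storage protocol is iSCSI, whose login authentication is CHAP (RFC 1994: response = MD5 over the one-octet identifier, the shared secret, and the challenge). The initiator name, secrets and in-memory target are constructed for the demonstration; both sides' messages are shown, including mutual CHAP, where the host challenges the target back.

```python
"""iSCSI-style CHAP login between a host and a storage target, with both sides' messages.

Added example; not code from the article or from Huawei. Assumes the IP storage
protocol is iSCSI and its login authentication is CHAP (RFC 1994). Names, secrets
and the in-memory target are constructed for this demonstration.
"""
import hashlib
import hmac
import os

# Constructed secrets; real CHAP secrets should be long and random (iSCSI expects 12-16 bytes).
HOST_SECRET = b"hostsecret-0123456"
TARGET_SECRET = b"targetsecret-9876"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over the one-octet identifier, the secret, and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class StorageTarget:
    """Storage side of the login: one secret per initiator, plus its own secret for mutual CHAP."""

    def __init__(self, target_secret: bytes, initiator_secrets: dict):
        self.secret = target_secret
        self.initiator_secrets = initiator_secrets  # initiator name -> CHAP secret
        self.pending = {}                           # session id -> (CHAP_I, CHAP_C)

    def challenge(self, session: str) -> dict:
        """Target -> initiator: CHAP_A=5 (MD5), a fresh identifier and a fresh random challenge."""
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self.pending[session] = (ident, chal)
        return {"CHAP_A": 5, "CHAP_I": ident, "CHAP_C": chal}

    def check(self, session: str, initiator_name: str, response: bytes) -> bool:
        """Initiator -> target: CHAP_N/CHAP_R. The pending challenge is consumed either way."""
        pending = self.pending.pop(session, None)
        secret = self.initiator_secrets.get(initiator_name)
        if pending is None or secret is None:
            return False
        ident, chal = pending
        return hmac.compare_digest(chap_response(ident, secret, chal), response)

    def prove(self, ident: int, chal: bytes) -> bytes:
        """Mutual CHAP: the target answers the initiator's challenge with the target secret."""
        return chap_response(ident, self.secret, chal)


def login(target: StorageTarget, session: str, initiator_name: str,
          initiator_secret: bytes, expected_target_secret: bytes = None) -> bool:
    """One login seen from the host (initiator). True only if every step verifies."""
    msg = target.challenge(session)
    response = chap_response(msg["CHAP_I"], initiator_secret, msg["CHAP_C"])
    if not target.check(session, initiator_name, response):
        return False                                 # target rejected the host
    if expected_target_secret is not None:           # mutual CHAP: host now challenges the target
        my_ident, my_chal = os.urandom(1)[0], os.urandom(16)
        expected = chap_response(my_ident, expected_target_secret, my_chal)
        if not hmac.compare_digest(target.prove(my_ident, my_chal), expected):
            return False                             # rogue target: does not know the target secret
    return True


def replay_attack(target: StorageTarget, session: str, initiator_name: str, captured: bytes) -> bool:
    """Replay a CHAP_R sniffed from an earlier login; fails because the new challenge differs."""
    target.challenge(session)
    return target.check(session, initiator_name, captured)


def make_demo_target() -> StorageTarget:
    """Constructed target that trusts exactly one initiator IQN."""
    return StorageTarget(TARGET_SECRET, {"iqn.2008-10.com.example:host01": HOST_SECRET})


if __name__ == "__main__":
    t = make_demo_target()
    host = "iqn.2008-10.com.example:host01"
    print("good login:", login(t, "s1", host, HOST_SECRET, TARGET_SECRET))
    print("wrong host secret:", login(t, "s2", host, b"guess", TARGET_SECRET))
```

Two points the code makes that the paragraph does not: the challenge must be fresh and single-use, otherwise a sniffed response can be replayed against the target; and one-way CHAP only tells the target who the host is, so without mutual CHAP a host can be pointed at a rogue target. CHAP also provides no confidentiality, so the iSCSI traffic itself still needs IPsec (or an isolated storage network) if it crosses untrusted segments.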

Security and Reliability of the Storage Array

When a server sends a request to an array in the SAN, the data passes through the SAN director or switch and ultimately arrives at the storage array. SAN arrays are mostly deployed in enterprise environments and are invisible to ordinary users, which makes them even more mysterious. In fact, the security and reliability of the array can be considered in the following aspects:

1 Security and reliability of the storage controller. If the array has only one storage controller, that controller is a single point of failure. Dual controllers are therefore designed in, improving reliability and, since both controllers can process I/O, performance as well.

2 Security and reliability of the cache. The cache improves the array's performance, but it is a serious threat if it is built from ordinary memory: the data held in it is lost when power fails. To protect that data, arrays are usually designed with a battery-backed cache, so that the cache still retains its contents during a power failure (the battery only needs to bridge the gap until power returns or the unwritten data is flushed to disk).

3 Security and reliability of the disks. In most cases RAID is used to provide disk redundancy. RAID 1, RAID 5, and RAID 6 all provide redundancy, and the array continues to process I/O when a disk fails (RAID 1 and RAID 5 survive one failed disk, RAID 6 two at once). Note that RAID protects against disk failure, not against accidental deletion or silent corruption, which is what the snapshot and CDP mechanisms above address.
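How a RAID 5 array keeps serving I/O with one disk gone, as an added example (not code from the article or from any array vendor). The "disks" are in-memory lists of chunks, the chunk size is tiny and the parity rotation is left-symmetric; all of these are choices made here for illustration. It also goes one step beyond the paragraph: a parity scrub shows that RAID can tell a stripe has gone inconsistent but cannot say which chunk is wrong, and a second disk failure shows the limit of single-parity redundancy.

```python
"""RAID 5 striping with rotating parity, rebuild after one disk failure, and parity scrubbing.

Added example; not code from the article or from any array vendor. In-memory
"disks" (one list of chunks per disk), a tiny chunk size and left-symmetric
parity rotation are chosen here for illustration.
"""
from functools import reduce

CHUNK = 4  # bytes per chunk; real arrays use kilobytes, the arithmetic is the same


def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is all the parity RAID 5 needs."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def parity_disk_for(stripe: int, ndisks: int) -> int:
    """Rotate the parity chunk across disks so no single disk becomes a parity hot spot."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data: bytes, ndisks: int, chunk: int = CHUNK):
    """Lay data out as disks[d][stripe]; the last stripe is zero-padded."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (ndisks - 1) * chunk
    padded = data + b"\0" * (-len(data) % per_stripe)
    disks = [[] for _ in range(ndisks)]
    for s in range(len(padded) // per_stripe):
        base = s * per_stripe
        data_chunks = [padded[base + i * chunk: base + (i + 1) * chunk] for i in range(ndisks - 1)]
        parity = xor_blocks(data_chunks)
        pd = parity_disk_for(s, ndisks)
        it = iter(data_chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == pd else next(it))
    return disks


def raid5_read(disks, failed=()) -> bytes:
    """Reassemble the data; a single failed disk is rebuilt chunk by chunk from the survivors."""
    failed = set(failed)
    if len(failed) > 1:
        raise RuntimeError("RAID 5 tolerates one failed disk; %d failed, data lost" % len(failed))
    ndisks, nstripes = len(disks), len(disks[0])
    out = bytearray()
    for s in range(nstripes):
        stripe = [None if d in failed else disks[d][s] for d in range(ndisks)]
        for lost in failed:                   # at most one iteration
            stripe[lost] = xor_blocks([c for c in stripe if c is not None])
        pd = parity_disk_for(s, ndisks)
        out += b"".join(stripe[d] for d in range(ndisks) if d != pd)
    return bytes(out)


def inconsistent_stripes(disks):
    """Scrub: stripes whose chunks no longer XOR to zero.

    RAID parity can flag that a stripe is inconsistent but not which chunk is bad,
    which is why silent corruption needs checksums or snapshots on top of RAID."""
    ndisks, nstripes = len(disks), len(disks[0])
    return [s for s in range(nstripes)
            if any(xor_blocks([disks[d][s] for d in range(ndisks)]))]


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"   # constructed input
    array = raid5_write(sample, 4)
    print(raid5_read(array, failed=[2])[:len(sample)] == sample)
```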

The security and reliability of the three SAN components must not be ignored. As is widely known, Huawei is a leading vendor of communication switching networks, Symantec a leading vendor of security software, and Veritas a leading vendor of storage software, so between them they can provide complete solutions for enterprise data protection. This is also an important reason why Huawei and Symantec joined hands to establish a joint venture.

New Storage Technologies

While storage security is being added to existing storage technologies as they are deployed, in new storage technologies it is considered from the earliest stages of design.

Today VMware is enthusiastic about host virtualization, and NetApp is advocating the convergence of Network Attached Storage (NAS) and SAN. The essence of virtualization is to represent physical entities through logical entities and remove the dependency on hardware. Virtualization lets information be better isolated and protected; for instance, a Linux virtual machine can be created on a Windows PC and data placed inside it, so that the data is separated from the original Windows operating system (to the extent that the hypervisor enforces that separation). For unified storage combining NAS and SAN, an unavoidable issue is how the NAS head accesses the disks through a file system and whether simultaneous SAN (block-level) and NAS (file-level) access to the same disks is permitted. Uncontrolled concurrent access would corrupt the file system, so designing mutually exclusive access is a focus and a hard nut to crack.

Conventional storage data management is mostly based on file system management. In object-based storage, the functions of the file system are split into a user application layer and a storage management layer.

1 The user application layer processes application data such as files and records, queries storage information such as data block allocation, checks user access attributes such as access time, and supports operations such as opening, closing, reading, and writing files and setting file access attributes.

2 The storage management layer allocates and releases blocks on the storage device and also provides a query function.

In object-based storage the user application layer and the storage management layer are separated, and the object metadata manager exists as an independent component, so the system scales better. Nevertheless, this architecture needs a security mechanism for the communication between the host, the object metadata manager, and the object-based array, so authentication or encryption must be applied.
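One concrete shape that security mechanism can take, as an added example (not code from the article or from Huawei): the metadata manager decides what a host may do and issues a signed, time-limited capability; the array never consults the manager on the I/O path but verifies the capability with a key it shares with the manager and the host never sees. The token layout is a simplified version of the capability idea used by object storage, not any vendor's format. Assumed here: a per-array shared key, HMAC-SHA256 over (object id, permissions, expiry, host), that the array can identify the calling host (for instance from its authenticated session), and that time is passed in rather than read from a clock.

```python
"""Capability tokens between the object metadata manager, host and object-based array.

Added example; not code from the article or from Huawei, and not any vendor's
wire format. Assumes the manager and the array share a per-array key that hosts
never see, that the array knows which host is calling, and that time is passed in.
"""
import hashlib
import hmac

ARRAY_KEY = b"constructed-shared-key-between-manager-and-array"   # constructed for the demo


class MetadataManager:
    """Decides who may touch which object and hands out signed, time-limited capabilities."""

    def __init__(self, array_key: bytes):
        self.array_key = array_key
        self.acl = {}                    # object id -> {host: permission string such as "rw"}

    def grant(self, host: str, obj_id: str, perms: str, ttl: int, now: int) -> bytes:
        """Issue a capability, but only for permissions the manager's own ACL allows."""
        allowed = self.acl.get(obj_id, {}).get(host, "")
        if not set(perms) <= set(allowed):
            raise PermissionError("%s may not %s %s" % (host, perms, obj_id))
        # Field separator is '|'; object ids and host names are assumed not to contain it.
        body = "%s|%s|%d|%s" % (obj_id, perms, now + ttl, host)
        tag = hmac.new(self.array_key, body.encode(), hashlib.sha256).hexdigest()
        return (body + "|" + tag).encode()   # capability = body || HMAC tag


class ObjectArray:
    """Stores objects and admits an I/O only if it carries a valid capability for it."""

    def __init__(self, array_key: bytes):
        self.array_key = array_key
        self.objects = {}

    def _authorize(self, token: bytes, host: str, obj_id: str, op: str, now: int) -> None:
        try:
            t_obj, perms, expiry, t_host, tag = token.decode().split("|")
        except ValueError:
            raise PermissionError("malformed capability")
        body = "%s|%s|%s|%s" % (t_obj, perms, expiry, t_host)
        expected = hmac.new(self.array_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # checked first: a forged token tells us nothing
            raise PermissionError("capability forged or tampered with")
        if t_host != host:
            raise PermissionError("capability issued to another host")
        if t_obj != obj_id:
            raise PermissionError("capability is for another object")
        if now > int(expiry):
            raise PermissionError("capability expired")
        if op not in perms:
            raise PermissionError("operation %s not granted" % op)

    def allowed(self, token: bytes, host: str, obj_id: str, op: str, now: int) -> bool:
        try:
            self._authorize(token, host, obj_id, op, now)
            return True
        except PermissionError:
            return False

    def write(self, token: bytes, host: str, obj_id: str, data: bytes, now: int) -> bool:
        self._authorize(token, host, obj_id, "w", now)
        self.objects[obj_id] = data
        return True

    def read(self, token: bytes, host: str, obj_id: str, now: int) -> bytes:
        self._authorize(token, host, obj_id, "r", now)
        return self.objects[obj_id]


def make_demo():
    """Constructed manager/array pair: host01 may read and write obj-42, host02 may only read it."""
    mgr = MetadataManager(ARRAY_KEY)
    mgr.acl["obj-42"] = {"host01": "rw", "host02": "r"}
    return mgr, ObjectArray(ARRAY_KEY)


if __name__ == "__main__":
    mgr, arr = make_demo()
    cap = mgr.grant("host01", "obj-42", "rw", ttl=60, now=1000)
    arr.write(cap, "host01", "obj-42", b"payload", now=1010)
    print(arr.read(cap, "host01", "obj-42", now=1020))
```

The separation matters for scalability as the paragraph says, but also for security: the array's check is a single HMAC and a few comparisons, it needs no round trip to the manager, and a compromised host can neither mint a capability nor widen one it was given, because the signing key lives only on the manager and the array.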

Today enterprise users do not fully understand the concept of storage, let alone the security and reliability of storage, and they also have to consider cost. Under such conditions, the convergence of storage and security has not been applied ideally. A wave of mergers and acquisitions is now sweeping the storage industry: Symantec acquired Veritas, EMC acquired RSA, NetApp acquired Decru, and even the media vendor Seagate introduced its DriveTrust self-encrypting drive technology to enhance data security. Against this background, Huawei and Symantec have joined together to offer complete software and hardware solutions for the storage security of enterprise data. As more attention is paid to the importance of data, the security vulnerabilities and reliability of data flows increasingly draw attention. People will surely reach a consensus on the transmission security and storage security of data, and data storage and data security will ultimately converge.

Huawei Technologies is exhibiting at Storage Expo 2008, the UK's definitive event for data storage, information and content management. Now in its 8th year, the show features a comprehensive FREE education programme and over 100 exhibitors at the National Hall, Olympia, London, from 15 - 16 October 2008.
