Capability based Secure Access Control to Networked Storage Devices

Today, access control security for storage area networks (zoning and masking) is implemented by mechanisms that are inherently insecure and are tied to the physical network components. However, what we want to secure is at a higher logical level, independent of the transport network; raising security to a logical level simplifies management, provides a more natural fit to a virtualized infrastructure, and enables finer-grained access control. In this paper, we describe the problems with existing access control security solutions and present our approach, which leverages the OSD (Object-based Storage Device) security model to provide logical, cryptographically secured, in-band access control for today's existing devices. We then show how this model can easily be integrated into existing systems and demonstrate that this in-band security mechanism has negligible performance impact while simplifying management, providing a clean match to compute virtualization and enabling fine-grained access control.
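To illustrate the capability-based, in-band model the abstract refers to, the following is an added Python sketch (not code from the paper or from the OSD standard) of the three-party flow: a security manager issues a capability and derives its key from a secret it shares with the device, the client authenticates each request with that capability key, and the device validates the request using only its own secret and the capability carried in the request. The JSON encoding, function names, field names and the demo secret are assumptions for this sketch; the OSD protocol's real wire format differs.

```python
import hmac, hashlib, json

# Constructed demo secret shared between the security manager and one storage device.
# In the OSD model each device has its own secret; only the security manager knows them all.
DEVICE_SECRET = b"constructed-demo-secret-not-a-real-key"

def capability_key(device_secret: bytes, capability: dict) -> bytes:
    """Derive the capability key: HMAC of the canonical capability under the device secret."""
    canon = json.dumps(capability, sort_keys=True).encode()
    return hmac.new(device_secret, canon, hashlib.sha256).digest()

def issue_capability(device_secret, client_id, object_id, rights, ttl, now):
    """Security manager: build a capability for a client and return it with its key.
    The key travels to the client over an authenticated channel; the device never sees it."""
    cap = {"client": client_id, "object": object_id, "rights": sorted(rights), "expires": now + ttl}
    return cap, capability_key(device_secret, cap)

def sign_request(cap_key, capability, op, object_id, nonce):
    """Client: authenticate one request with the capability key (the in-band credential)."""
    msg = json.dumps({"cap": capability, "op": op, "object": object_id, "nonce": nonce},
                     sort_keys=True).encode()
    return hmac.new(cap_key, msg, hashlib.sha256).digest()

def device_check(device_secret, capability, op, object_id, nonce, tag, now):
    """Storage device: recompute the capability key from its own secret, verify the tag,
    then enforce what the capability grants. Nothing here depends on the transport path,
    which is the point of a logical rather than zoning/masking-based check.
    Replay protection (tracking seen nonces) is omitted for brevity."""
    expected = sign_request(capability_key(device_secret, capability),
                            capability, op, object_id, nonce)
    if not hmac.compare_digest(expected, tag):
        return "denied: bad credential"      # tampered capability or wrong key
    if now >= capability["expires"]:
        return "denied: capability expired"
    if object_id != capability["object"]:
        return "denied: wrong object"
    if op not in capability["rights"]:
        return "denied: right not granted"
    return "allowed"
```

A capability edited by its holder (for example to add a right) fails the credential check rather than the rights check, because the device re-derives the key from the capability it actually received.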
