
Secure Access to Storage Devices

Storage Research

Our Approach to SAN Security

We propose a security model (depicted in the figure below) for enforcing access control to storage devices and logical units that is inherently logical rather than physical. The model is based on the security model of the T10 Object Storage Device (OSD) standard and uses that model to wrap existing block storage mechanisms. The OSD security model, developed as a standard in the T10 technical community, is well understood and has been reviewed and implemented. It enforces dynamic access policies by requiring that every storage I/O command carry a cryptographic credential. The credential is obtained from a security/policy manager, which ensures that only authorized machines (virtual or physical) receive credentials for a given logical unit; the storage subsystem grants or denies access based on the credential.

[Figure: the proposed SAN security model]

The novelty of our approach lies in providing standard, uniform access management and control that is independent of the physical I/O infrastructure, which has the following advantages:

  • End-to-end protocol between the (possibly virtual) host and the storage target, not involving any SAN networking component. Since the change is confined to the SCSI layer, there is no impact on the base OS code or on applications.
  • Well suited to server virtualization: the virtual hosts are the entities for which access control is managed. Access is based on logical entities, independent of physical location, allowing seamless VM migration without storage or SAN reconfiguration.
  • Simplified management: the security manager is the central point for managing access to storage devices in the SAN. It replaces the management functions in hosts, switches, and storage systems that are used today to map storage to systems.
  • The end-to-end protocol works above the transport layer and is therefore independent of the transport type. It suits any kind of SAN (FC, iSCSI, SAS, InfiniBand, and whatever comes later) and provides uniform management across different and heterogeneous SAN environments.
  • Works at the command level rather than the connection level, so access can be authorized for specific commands. For example, read-only access can be granted to a host for a specific LU, and access to control commands and special advanced commands can be authorized independently of data access (read/write).
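The following added example (not the project's code, and not an implementation of the actual T10 OSD wire format) illustrates the credential flow described above and the command-level authorization in the last bullet: a security manager shares a long-term secret with each storage target, issues a host a public capability (host, target, LU, permitted operations, expiry) together with a capability key derived from that secret, the host attaches the capability and a keyed integrity check value to every command, and the target recomputes the key and enforces the policy without ever talking to the manager. Field names, the opcode-to-permission mapping, and the JSON encoding are assumptions made for the illustration.

```python
"""Toy model of credential-based, command-level storage access control,
modelled loosely on the T10 OSD capability-key idea. Constructed example:
field names, message layout and the opcode/permission mapping are assumed."""
import hashlib
import hmac
import json
import secrets

# Permission each SCSI-like opcode requires (assumed mapping): data access
# (read/write) is authorized separately from control commands such as FORMAT.
REQUIRED_PERMISSION = {"READ": "read", "WRITE": "write", "FORMAT": "control"}


def canonical(obj) -> bytes:
    """Deterministic encoding so host and target MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class SecurityManager:
    """Central policy point: holds one long-term secret per storage target and
    hands out credentials (capability + capability key) to authorized hosts."""

    def __init__(self):
        self._target_secrets = {}  # target_id -> long-term secret bytes

    def enroll_target(self, target_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._target_secrets[target_id] = secret
        return secret  # provisioned to the target out of band

    def issue_credential(self, host_id, target_id, lu_id, permissions, now, lifetime):
        """Return (capability, capability_key). The capability is public; the key
        is an HMAC of it under the target's secret, so only the target can
        recompute it and any change to the capability yields a different key."""
        capability = {
            "host": host_id,
            "target": target_id,
            "lu": lu_id,
            "permissions": sorted(permissions),
            "expires": now + lifetime,
            "nonce": secrets.token_hex(8),
        }
        secret = self._target_secrets[target_id]
        cap_key = hmac.new(secret, canonical(capability), hashlib.sha256).digest()
        return capability, cap_key


def build_command(capability, cap_key, opcode, lu_id, lba, length):
    """Host side: attach the capability and an integrity check value (ICV)
    computed with the capability key over all command fields."""
    body = {"opcode": opcode, "lu": lu_id, "lba": lba, "length": length,
            "capability": capability}
    icv = hmac.new(cap_key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "icv": icv}


class StorageTarget:
    """Storage subsystem: validates each command locally using only the
    long-term secret shared with the security manager."""

    def __init__(self, target_id: str, secret: bytes):
        self.target_id = target_id
        self._secret = secret

    def handle(self, cmd, now) -> str:
        cap = cmd["capability"]
        if cap["target"] != self.target_id:
            return "DENIED: credential issued for another target"
        # Recompute the capability key from the presented capability; a forged
        # or edited capability produces a different key, so the ICV check fails.
        cap_key = hmac.new(self._secret, canonical(cap), hashlib.sha256).digest()
        body = {k: v for k, v in cmd.items() if k != "icv"}
        expected = hmac.new(cap_key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cmd["icv"]):
            return "DENIED: integrity check failed"
        if now >= cap["expires"]:
            return "DENIED: credential expired"
        if cmd["lu"] != cap["lu"]:
            return "DENIED: credential not valid for this LU"
        needed = REQUIRED_PERMISSION.get(cmd["opcode"])
        if needed is None or needed not in cap["permissions"]:
            return f"DENIED: {cmd['opcode']} not authorized"
        return "OK"


def demo():
    """Walk a read-only credential through the cases the text describes."""
    sm = SecurityManager()
    target = StorageTarget("array-1", sm.enroll_target("array-1"))
    other = StorageTarget("array-2", sm.enroll_target("array-2"))
    now = 1_000
    cap, key = sm.issue_credential("vm-42", "array-1", "lu-7", {"read"}, now, 300)
    r = {}
    r["read"] = target.handle(build_command(cap, key, "READ", "lu-7", 0, 8), now)
    r["write"] = target.handle(build_command(cap, key, "WRITE", "lu-7", 0, 8), now)
    r["format"] = target.handle(build_command(cap, key, "FORMAT", "lu-7", 0, 0), now)
    r["other_lu"] = target.handle(build_command(cap, key, "READ", "lu-9", 0, 8), now)
    # A host that edits its own capability still only holds the original key.
    edited = dict(cap, permissions=["read", "write"])
    r["edited"] = target.handle(build_command(edited, key, "WRITE", "lu-7", 0, 8), now)
    r["expired"] = target.handle(build_command(cap, key, "READ", "lu-7", 0, 8), now + 301)
    r["wrong_target"] = other.handle(build_command(cap, key, "READ", "lu-7", 0, 8), now)
    return r


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>13}: {outcome}")
```

The point the demo makes is that the target needs no connection-level state and no per-command call to the manager: the capability itself carries the policy (which LU, which operations, until when), and the derived key binds that policy to the commands a host can issue, so migrating the VM to another physical host or another transport changes nothing in the check.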