Secure Access to Storage Devices is a security model for enforcing access control to storage devices and units that is inherently logical rather than physical. The model and the related protocols have been developed in the Haifa Research Lab. Our model is based upon the security model used by Object Storage standard (OSD), and uses this security model to wrap existing block storage mechanisms. The OSD security model, as developed in the T10 technical community as a standard, is well understood, has been reviewed and implemented. It provides a mechanism for enforcing dynamic access policies by requiring that storage I/O command must provide a cryptographic credential. This credential is obtained from a security/policy manager which ensures only authorized machines (virtual or physical) are given credentials for a given logical unit. The storage subsystem grants or denies access based on the credential.
The novelty of our approach stems from providing a standard, uniform access management and control that is independent on the physical I/O infrastructure, and has the following advantages:
- End-to-end, between (possibly virtual) host and storage target, not involving any SAN networking component. Also since the change is in the SCSI system, no impact on base OS code or applications.
- Well suited for server virtualization – the virtual hosts are the entities for which access control is managed. The access is based on logical entities – independent on physical location, allowing for seamless VM migration without storage/SAN reconfiguration.
- Simplified management – the security manager is the central point of managing access to storage devices in the SAN. Replaces management functions in the hosts, switches and storage systems that are used today to map storage to systems.
- End-to-end protocol that works above the transport layer, therefore independent on the transport layer type. Suitable for any type of SAN – FC, iSCSI, SAS, InfiniBand and whatever will come later. Also provides management uniformity across different SANs and for heterogeneous SAN environments.
- Works on the command level rather than on the connection level. It allows authorizing access for specific commands. For example, read-only access can be granted to a host for a specific LU. Access to control commands and special advanced commands can be authorized independently of data access (read/write).
CbCS is now an approved standard at the T10 technical committee of INCITS. For more details, please refer to the project status page.