Storage virtualization systems provide organizations with an effective and efficient way to manage data stored on a network attached storage (“NAS”) system. An information technology (“IT”) administrator can implement a storage virtualization system to migrate, copy or re-direct user data files from a primary NAS system to a secondary NAS system, without disrupting or involving the user. Storage virtualization systems act as intermediaries between the user's client computer and the primary NAS system, also called the source server. In order to effect seamless operations, storage virtualization systems must be fully compatible with the primary NAS system.
Full compatibility may require seamless integration with a NAS system's security protocols. Many security protocols are used by NAS systems, but one of the better-known is based upon the Kerberos delegation protocol. The mechanics of the Kerberos delegation protocol are well understood. Rather than a direct interaction and password exchange between the user and the application server, it involves a separate dedicated authentication server that establishes a user's identity or account access privileges before the user connects to an application server. By separating the authentication process from the application server, the user's security credentials cannot be compromised by the application server. If a user requests access to run secure intranet applications through an internet connection, the Kerberos protocol requires that the external user be authenticated before access is granted. The user is authenticated by the web server, and the web server assumes the identity of the user as a delegate. The web server communicates with the application server as the user's delegate and enables data to pass back to the user. The web server's delegation authority may be limited in time, so that access to the application server is closed when that time period ends. This overcomes a limitation of direct user password access, where access is indefinite until the user changes the password.
Some NAS systems permit a combination of security protocols. For example, a NAS system may require that an intermediary authenticate the user before the user accesses the Kerberos-protected application server. The intermediary may be the web server in the previous example, or it may be a storage virtualization system. In such a case, the intermediary first confirms the user's identity with an authentication protocol other than Kerberos, such as SSL, NTLM, RSA SecurID or other authentication protocols known in the art. Once the user is authenticated by the intermediary, the intermediary then authenticates using Kerberos. This methodology is termed protocol transition because authentication transitions from a non-Kerberos environment to a Kerberos environment. This type of authentication works with a storage virtualization system because it permits the storage virtualization system to securely impersonate the user and so enable data migration or re-direction to a secondary NAS system.
Other NAS systems may be designed to restrict user access to only certain services. This is known in the art as “constrained delegation.” Constrained delegation can be applied to storage virtualization systems as well, since storage virtualization systems may sometimes need to impersonate a user account in order to gain access to data files. With constrained delegation, the access privilege of the intermediary storage virtualization system can be restricted to a limited set of services. As such, a NAS system administrator may delegate the intermediary to act on behalf of other users for only specific services on specific servers. This is helpful in network environments where access to sensitive data must be restricted to specific users who are permitted only limited operations on the data. In the event the intermediary's access is compromised, the damage from a security breach would be limited to those services to which the storage virtualization system has access.
While constrained delegation is an important security feature of many NAS systems in the market, it does cause problems for some storage virtualization systems. As noted previously, a storage virtualization system can aid an administrator in the migration and re-direction of data. Some storage virtualization systems are used in routine data file storage optimizations, and some are used to migrate data to new servers. This may occur for any number of reasons. For example, during a corporate merger, it is common for the new corporate entity to merge or migrate data from legacy NAS systems. In another example, an organization may consolidate or centralize data assets and will need to migrate data to a new NAS system, and will cause future data files to be stored on the new NAS system. In any case, the older NAS system may have been keyed to a specific authentication server, whereas the new NAS system may not be. In addition, the older NAS system may have a different domain name than the new NAS system. As a further complication, user file and account permissions are disrupted by the transfer to the new domain. As such, future interaction with the new NAS system may be prohibited, since the new NAS system may not recognize that the same users are trying to access the same files, just in a new domain location. Some NAS system security protocols simply do not provide the capacity for authentication across different domains. Specifically, the Kerberos delegation protocol does not support delegation across domains.
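As an added illustration that is not part of this document and not any NAS vendor's code, the following Python models the decision a Kerberos key distribution center (KDC) makes when an intermediary such as a storage virtualization system asks for a service ticket on a user's behalf. It covers the three preceding paragraphs together with the time-limited delegation described earlier: protocol transition (a non-Kerberos front-end login may only be converted into Kerberos if the intermediary's account permits it), constrained delegation (the target service must be on the account's allowed list, which bounds the damage from a compromised intermediary), the domain limitation (classic constrained delegation does not cross the realm boundary), and a ticket lifetime that closes the delegated access. The account names, host names, user and the ten-hour lifetime are constructed; the attribute name msDS-AllowedToDelegateTo and the TRUSTED_TO_AUTH_FOR_DELEGATION flag are the Active Directory names for the constrained delegation list and the protocol transition setting, and are assumed here rather than taken from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional

# Lifetime the modelled KDC grants a delegated service ticket (assumed value, not from the text).
MAX_DELEGATED_TICKET_LIFETIME = timedelta(hours=10)


@dataclass(frozen=True)
class ServiceAccount:
    """An intermediary (here, a storage virtualization system) as the directory describes it."""
    name: str
    realm: str                              # Kerberos realm / Active Directory domain
    allowed_to_delegate_to: FrozenSet[str]  # models the msDS-AllowedToDelegateTo attribute
    protocol_transition: bool               # models the TRUSTED_TO_AUTH_FOR_DELEGATION flag


@dataclass(frozen=True)
class DelegationRequest:
    """The intermediary asks for a service ticket to target_spn on the user's behalf."""
    intermediary: ServiceAccount
    user: str
    target_spn: str
    user_authenticated_with_kerberos: bool  # False when the user came in via NTLM, SSL, SecurID, etc.
    now: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    ticket_expires: Optional[datetime] = None


def realm_of_spn(spn: str) -> str:
    """Derive the realm from an SPN: 'cifs/nas1.corp.example' -> 'CORP.EXAMPLE'."""
    _, _, host = spn.partition("/")
    _, _, domain = host.partition(".")
    return domain.upper()


def evaluate(req: DelegationRequest) -> Decision:
    """Apply the policy checks in the order the modelled KDC refuses them."""
    acct = req.intermediary
    # Protocol transition: an intermediary may only substitute Kerberos for a
    # non-Kerberos front-end authentication if the directory explicitly allows it.
    if not req.user_authenticated_with_kerberos and not acct.protocol_transition:
        return Decision(False, f"{acct.name} may not perform protocol transition for {req.user}")
    # Constrained delegation: the target must be on the account's allowed-service list,
    # which is what bounds the damage if the intermediary is compromised.
    if req.target_spn not in acct.allowed_to_delegate_to:
        return Decision(False, f"{req.target_spn} is not in msDS-AllowedToDelegateTo for {acct.name}")
    # Classic constrained delegation stops at the realm boundary, the limitation the text describes.
    target_realm = realm_of_spn(req.target_spn)
    if target_realm != acct.realm:
        return Decision(False, f"{req.target_spn} is in realm {target_realm}, "
                               f"but {acct.name} can only delegate within {acct.realm}")
    # Delegated access is time-boxed by the ticket lifetime rather than open-ended.
    return Decision(True, f"ticket for {req.user} to {req.target_spn} issued to {acct.name}",
                    ticket_expires=req.now + MAX_DELEGATED_TICKET_LIFETIME)


def demo() -> Dict[str, Decision]:
    """Constructed scenario: a migration appliance in CORP.EXAMPLE moving data to a new domain."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    spns = frozenset({"cifs/nas-old.corp.example", "cifs/nas-new.newco.example"})
    appliance = ServiceAccount("svc-storvirt", "CORP.EXAMPLE", spns, protocol_transition=True)
    plain = ServiceAccount("svc-storvirt-noT2A", "CORP.EXAMPLE", spns, protocol_transition=False)
    cases = {
        # User authenticated to the appliance with NTLM; target is the old NAS in the same realm.
        "same_realm_with_transition": DelegationRequest(appliance, "alice", "cifs/nas-old.corp.example", False, now),
        # Same user, but the target is the new NAS in a different realm.
        "cross_realm": DelegationRequest(appliance, "alice", "cifs/nas-new.newco.example", False, now),
        # Account without protocol transition cannot turn an NTLM login into Kerberos.
        "no_transition": DelegationRequest(plain, "alice", "cifs/nas-old.corp.example", False, now),
        # Kerberos-authenticated user, but the requested service is not on the allowed list.
        "unlisted_service": DelegationRequest(appliance, "alice", "http/intranet.corp.example", True, now),
    }
    return {name: evaluate(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:28} {'ALLOW' if d.allowed else 'DENY ':5} {d.reason}")
```

Running the module prints one line per case. The cross_realm case is the migration scenario of the preceding paragraph: the new NAS system's SPN is on the appliance's allowed list, yet the request is refused because the target sits in a different domain, which is exactly the gap an administrator has to plan around before re-directing users to a secondary NAS system.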
What is needed is a way to permit data migration and re-direction to a secondary NAS system, while preserving the access controls and permissions already in place. What is needed is added functionality for existing storage virtualization systems that will permit this data migration and re-direction without disrupting or involving the user with new security requirements. What is further needed is a way to allow seamless data migration while remaining compatible with current NAS systems and NAS system security protocols, especially in instances where the NAS system has adopted a constrained delegation feature. Additionally, what is needed is a way to permit cross-domain delegation using a storage virtualization system.