In order to provide improvements in storage area networking, embodiments of the present invention provide an automated, policy-based system and method for providing device security at various levels in the network, including on the baseline inventory, physical devices, commands, and network frame. This approach improves over the conventional distributed security model by centralizing security in one multi-level management structure. Embodiments of the present invention may also provide a scheme for mapping vendor-unique opcodes to access rights.
An embodiment of a method of controlling security of information on a storage area network (SAN) comprises providing a SAN comprising a plurality of host and storage devices and a management interface. A plurality of users of the SAN are identified, each user having a different security profile. Each user is assigned a user domain. A list of authorized user domains is assigned to each device of the SAN during a device initialization process, such that the existence of the device on the SAN is revealed only to users assigned the authorized user domain. A security reporting policy is created through the management interface, such that attempted detection of a SAN device by a user lacking the authorized user domain produces an output recognizable by an administrator of the SAN.
An alternative embodiment of a method of controlling security of information on a storage area network (SAN) comprises providing a SAN comprising a plurality of host and storage devices and a management interface. A baseline inventory of all devices connected with the SAN is conducted. A security reporting policy is created through the management interface, such that a change in the baseline inventory of the SAN produces an output recognizable by an administrator of the SAN.
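The two reporting policies described in the preceding paragraphs, per-device authorized user domains that hide a device from users outside those domains and report discovery attempts, and a baseline inventory whose changes are reported, can be modelled as follows. This is an added illustration, not code from the patent or from any product it describes; the device identifiers, domain names and alert wording are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Device:
    wwn: str                 # constructed device identifier
    kind: str                # "host" or "storage"
    domains: frozenset       # authorized user domains assigned at initialization

@dataclass
class ReportingPolicy:
    """Collects the outputs an administrator reviews."""
    alerts: list = field(default_factory=list)

    def report(self, message):
        self.alerts.append(message)

def visible_devices(user_domain, devices):
    """Discovery as seen by a user: only devices listing the user's domain exist."""
    return [d for d in devices if user_domain in d.domains]

def probe_device(user, user_domain, device, policy):
    """Targeted lookup of one device. Outside its authorized domains the device
    is not revealed and the attempt is reported."""
    if user_domain in device.domains:
        return device
    policy.report(f"discovery attempt: user={user} domain={user_domain} device={device.wwn}")
    return None

def inventory_delta(baseline, current, policy):
    """Compare the current inventory with the baseline; every difference is reported."""
    base = {d.wwn: d for d in baseline}
    cur = {d.wwn: d for d in current}
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = sorted(w for w in set(base) & set(cur) if base[w] != cur[w])
    for w in added:
        policy.report(f"inventory change: device {w} added")
    for w in removed:
        policy.report(f"inventory change: device {w} removed")
    for w in changed:
        policy.report(f"inventory change: device {w} attributes modified")
    return added, removed, changed

# Constructed sample SAN: two hosts, two storage devices, three user domains.
BASELINE = [
    Device("50:00:00:00:00:00:00:01", "host", frozenset({"finance", "admin"})),
    Device("50:00:00:00:00:00:00:02", "host", frozenset({"hr", "admin"})),
    Device("50:00:00:00:00:00:00:10", "storage", frozenset({"finance", "admin"})),
    Device("50:00:00:00:00:00:00:11", "storage", frozenset({"hr", "admin"})),
]

def demo():
    policy = ReportingPolicy()
    # A finance user sees only finance devices; probing an hr device is reported.
    seen = [d.wwn for d in visible_devices("finance", BASELINE)]
    probe_device("alice", "finance", BASELINE[3], policy)
    # Later scan: an unregistered host appeared and one storage device changed domains.
    current = [
        BASELINE[0], BASELINE[1], BASELINE[2],
        Device("50:00:00:00:00:00:00:11", "storage", frozenset({"hr"})),
        Device("50:00:00:00:00:00:00:99", "host", frozenset()),
    ]
    delta = inventory_delta(BASELINE, current, policy)
    return seen, delta, policy.alerts

if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

The baseline comparison keys on the device identifier, so a device whose authorized domains were altered after initialization is reported as modified rather than silently accepted, which is the case an administrator most needs to see.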
Another alternative embodiment of a method of controlling security of information on a storage area network (SAN) comprises providing a SAN comprising a plurality of host and storage devices and a management interface. An information frame in a first frame format including a header and a payload is received at a personality module from a host device, the header including source device information and destination device information corresponding to the host device. The personality module is caused to encapsulate the information frame into a second frame including a header and a payload, the header including a copy of the source device information and the destination device information. The second frame is transmitted to a storage processor of the SAN, and the storage processor is caused to detect consistency between the source device information and the destination device information of the header and the payload. A security reporting policy is created through the management interface, such that a failure to match the source device information and the destination device information of the header and payload of the second frame produces an output recognizable by an administrator of the SAN.
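The encapsulation and consistency check described above can be demonstrated with a small frame model. This is an added example, not code from the patent: the header layout (source id, destination id, payload length) and the device ids are constructed, and the personality module and storage processor are reduced to two functions so that the header-versus-payload comparison is visible.

```python
import struct

# Constructed frame layout (not from the patent): a header of source id,
# destination id and payload length, followed by the payload.
HEADER = struct.Struct(">IIH")

def build_frame(src, dst, payload):
    return HEADER.pack(src, dst, len(payload)) + payload

def parse_frame(frame):
    """Split a frame into (src, dst, payload), rejecting malformed frames."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than header")
    src, dst, length = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:]
    if len(payload) != length:
        raise ValueError("payload length does not match header")
    return src, dst, payload

def personality_module(first_frame):
    """Encapsulate: copy the inner source/destination ids into a new header
    and carry the entire first frame as the payload of the second frame."""
    src, dst, _ = parse_frame(first_frame)
    return build_frame(src, dst, first_frame)

def storage_processor(second_frame, alerts):
    """Check that the outer header agrees with the ids inside the payload.
    A mismatch is reported to the administrator and the frame is rejected."""
    try:
        osrc, odst, inner = parse_frame(second_frame)
        isrc, idst, _ = parse_frame(inner)
    except ValueError as exc:
        alerts.append(f"malformed frame: {exc}")
        return False
    if (osrc, odst) != (isrc, idst):
        alerts.append(
            f"id mismatch: header src={osrc:#08x} dst={odst:#08x} "
            f"payload src={isrc:#08x} dst={idst:#08x}"
        )
        return False
    return True

def rewrite_outer_header(second_frame, src, dst):
    """Demonstration helper: simulate an outer header that no longer matches
    the encapsulated frame, leaving the payload untouched."""
    _, _, inner = parse_frame(second_frame)
    return build_frame(src, dst, inner)

def demo():
    alerts = []
    host_frame = build_frame(0x010200, 0x020300, b"READ block 42")   # constructed ids
    good = personality_module(host_frame)
    bad = rewrite_outer_header(good, 0x010200, 0x020400)  # header now claims another destination
    return storage_processor(good, alerts), storage_processor(bad, alerts), alerts

if __name__ == "__main__":
    ok, rejected, alerts = demo()
    print(ok, rejected, alerts)
```

Because the inner frame is carried whole, the storage processor has two independent copies of the addressing information and can refuse any frame in which they disagree; malformed frames are reported on the same channel rather than dropped silently.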
Still another embodiment of a method of controlling security of information on a storage area network (SAN) comprises providing a SAN comprising a plurality of storage devices and a management interface. A plurality of host devices are in communication with the SAN, the host devices configured to transmit vendor-specific opcodes to the SAN. A storage processor is provided including a table correlating the vendor-specific opcodes with a level of access right specific to a particular storage device, the level of access right selected from the group consisting of ALL, READ ONLY, LIMITED, and NO ACCESS. The user is allowed to access the particular storage device according to the access rights granted by the vendor-specific opcode. A security reporting policy is created through the management interface, such that attempted access of a particular storage device contrary to the granted access rights produces an output recognizable by an administrator of the SAN.
An additional alternative method of controlling security of information on a storage area network (SAN) comprises providing a SAN comprising a plurality of storage devices and a management interface. A plurality of host devices are provided in communication with the SAN, the host devices configured to transmit opcodes to the SAN. A storage processor is provided including a table correlating the opcodes with a level of access right specific to a particular storage device, the level of access right selected from the group consisting of ALL, READ ONLY, LIMITED, and NO ACCESS. The user is allowed to access the particular storage device according to the access rights granted by the opcode. A security reporting policy is created through the management interface, such that attempted access of a particular storage device contrary to the granted access rights produces an output recognizable by an administrator of the SAN. A rule-based security action policy is also created through the management interface, such that the granted access rights can be automatically scheduled and varied over time as authorized by an administrator of the SAN.
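The opcode table, the four access-right levels and the scheduled variation of granted rights described in the two preceding paragraphs can be modelled together. This is an added example and not code from the patent; it assumes the levels are ordered as the text lists them (ALL above READ ONLY above LIMITED above NO ACCESS), uses SCSI-style opcode numbers for the standard commands, and constructs a vendor-unique opcode, device and host names, and a maintenance window for illustration.

```python
from datetime import datetime, time
from enum import IntEnum

class AccessRight(IntEnum):
    """The four levels named in the text. Assumption: each level includes
    everything permitted by the levels below it."""
    NO_ACCESS = 0
    LIMITED = 1
    READ_ONLY = 2
    ALL = 3

# Storage-processor table: per device, the access right an opcode exercises.
# SCSI-style opcode numbers; 0xC1 is a constructed vendor-unique opcode.
OPCODE_TABLE = {
    "array-A": {
        0x00: AccessRight.LIMITED,    # TEST UNIT READY
        0x12: AccessRight.LIMITED,    # INQUIRY
        0x28: AccessRight.READ_ONLY,  # READ(10)
        0x2A: AccessRight.ALL,        # WRITE(10)
        0xC1: AccessRight.ALL,        # vendor-unique maintenance command (constructed)
    },
}

# Rule-based action policy: (device, host, start, end, right). Outside every
# rule the default grant applies; hosts with no entry get NO_ACCESS.
DEFAULT_GRANT = {("array-A", "host-1"): AccessRight.READ_ONLY}
SCHEDULE = [
    ("array-A", "host-1", time(1, 0), time(3, 0), AccessRight.ALL),  # nightly maintenance window
]

def granted_right(device, host, at):
    """Resolve the right in force for a host on a device at a given time."""
    for dev, h, start, end, right in SCHEDULE:
        if dev == device and h == host and start <= at.time() < end:
            return right
    return DEFAULT_GRANT.get((device, host), AccessRight.NO_ACCESS)

def authorize(device, host, opcode, at, alerts):
    """Return True if the opcode is within the host's granted right on the device.
    Unknown opcodes and attempts above the granted right are reported and denied."""
    required = OPCODE_TABLE.get(device, {}).get(opcode)
    if required is None:
        alerts.append(f"{at.isoformat()} unknown opcode {opcode:#04x} from {host} to {device}")
        return False
    granted = granted_right(device, host, at)
    if required > granted:
        alerts.append(
            f"{at.isoformat()} {host} opcode {opcode:#04x} needs {required.name} "
            f"but {device} grants {granted.name}"
        )
        return False
    return True

def demo():
    alerts = []
    day = datetime(2024, 1, 15, 14, 0)    # constructed timestamps
    night = datetime(2024, 1, 15, 2, 0)
    results = (
        authorize("array-A", "host-1", 0x28, day, alerts),    # read during the day: allowed
        authorize("array-A", "host-1", 0x2A, day, alerts),    # write during the day: denied, reported
        authorize("array-A", "host-1", 0x2A, night, alerts),  # write in the maintenance window: allowed
        authorize("array-A", "host-1", 0xC1, night, alerts),  # vendor-unique, needs ALL: allowed at night
        authorize("array-A", "host-1", 0x99, day, alerts),    # unmapped opcode: denied, reported
    )
    return results, alerts

if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Mapping each opcode, including vendor-unique ones, to the right it exercises lets the storage processor enforce and report on every command with one comparison, while the schedule changes only the granted level, so a write that is refused during the day is accepted in the window without any change to the table.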
Details of particular embodiments of the present invention can be seen in the following drawings and detailed description.