1. Field of the Invention
The invention relates to secure access to data storage, and more particularly to data storage provided over a public network.
2. Description of the Related Art
As IT departments are increasingly placed under tighter budget constraints, cloud infrastructure, either private or public, is being employed to help keep costs down. One of the key inhibitors to adoption of cloud technology (in particular public cloud technology) is the concern that customer data is exposed as it travels through, and is hosted in, the cloud provider's infrastructure. Although many different mechanisms exist for securing customer data in the cloud, there remain large areas for improvement. In particular, security of data at rest in the cloud is a major concern for prospective cloud customers. Within that category, customers are particularly concerned about unauthorized access to their data.
Today in SAN (storage area network) environments, the main mechanisms for ensuring authorized access to logical units, identified by logical unit numbers (LUNs) (the most common unit of storage), are provided by the file system (usually at the file level), zoning in the SAN fabric, and LUN masking on the target side. These solutions are generally acceptable in a single-tenant environment, where the ultimate owner of the data is comfortable allowing his storage and server administrators to set up the access control. However, in a multi-tenant public cloud environment, customers are much less comfortable relinquishing this control to the cloud provider. Also, in the public cloud environment, there is greater opportunity for a rogue agent executing on the shared infrastructure to thwart these security mechanisms. Furthermore, use of these mechanisms makes configuration and use of mobility services like VMware vMotion much more difficult. For example, LUN masking performed on the target identifies a host by its WWPN (world wide port name). Only hosts whose WWPNs are configured in the mask are authorized to access a particular LUN. In a virtual machine (VM) mobility scenario, the VM does not always retain the same WWPN when it moves to another host, so a mask that was correct before the move denies access after it. To handle this issue, storage administrators may “open up” their LUN masking to allow the full set of WWPNs for all possible hosts in the infrastructure, thereby enlarging the set of hosts that can reach the LUN and, with it, the security perimeter of the LUN.
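The masking behavior described above, modelled as an added example (this is illustrative code, not text or code from the application): a target-side masking table keyed on the initiator WWPN, a VM move that changes the WWPN presented to the target, and the “open up” workaround with its effect on how many hosts can reach the LUN. All host names, WWPNs and the LUN number are constructed for illustration.

```python
"""Model of target-side LUN masking keyed on initiator WWPN, and of the
VM-mobility workaround described in the text. Hypothetical example; every
host name, WWPN and LUN number below is constructed, not taken from a
real array or fabric."""
import re
from dataclasses import dataclass, field


def normalize_wwpn(wwpn: str) -> str:
    """Canonicalise a 64-bit WWPN to lower-case, colon-separated octets so
    '10000000C9AA0001' and '10:00:00:00:c9:aa:00:01' compare equal."""
    raw = wwpn.lower().replace(":", "")
    if not re.fullmatch(r"[0-9a-f]{16}", raw):
        raise ValueError(f"malformed WWPN: {wwpn!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 16, 2))


@dataclass
class MaskingTable:
    """Target-side masking: LUN -> set of initiator WWPNs allowed to see it.
    The target has no notion of a VM or a tenant; it only sees the WWPN
    presented by the initiator port, which is why the table is keyed on it."""
    lun_acl: dict[int, set[str]] = field(default_factory=dict)

    def allow(self, lun: int, wwpn: str) -> None:
        self.lun_acl.setdefault(lun, set()).add(normalize_wwpn(wwpn))

    def is_visible(self, lun: int, wwpn: str) -> bool:
        return normalize_wwpn(wwpn) in self.lun_acl.get(lun, set())

    def exposure(self, lun: int) -> int:
        """Number of distinct initiator ports that can reach the LUN: a
        rough measure of the LUN's security perimeter."""
        return len(self.lun_acl.get(lun, set()))

    def open_up(self, lun: int, fabric_wwpns) -> None:
        """The 'open up' workaround: admit every host port the VM could
        ever be moved to. This is what widens the perimeter."""
        for w in fabric_wwpns:
            self.allow(lun, w)


# Constructed fabric: three shared hypervisor hosts. The tenant's VM runs on
# esx-a and may be moved to esx-b; esx-c never runs it but hosts other
# tenants' workloads (the rogue-agent scenario in the text).
HOSTS = {
    "esx-a": "10:00:00:00:c9:aa:00:01",
    "esx-b": "10:00:00:00:c9:aa:00:02",
    "esx-c": "10:00:00:00:c9:aa:00:03",
}
TENANT_LUN = 7


def strict_masking_breaks_mobility() -> tuple[bool, bool]:
    """Mask the LUN to the host currently running the VM, then move the VM to
    a host whose HBA presents a different WWPN.
    Returns (visible_before_move, visible_after_move)."""
    t = MaskingTable()
    t.allow(TENANT_LUN, HOSTS["esx-a"])
    before = t.is_visible(TENANT_LUN, HOSTS["esx-a"])
    after = t.is_visible(TENANT_LUN, HOSTS["esx-b"])   # new host, new WWPN
    return before, after


def open_up_widens_perimeter() -> tuple[int, int, bool]:
    """Apply the workaround and measure what it costs.
    Returns (exposure_before, exposure_after, esx_c_can_see_lun)."""
    t = MaskingTable()
    t.allow(TENANT_LUN, HOSTS["esx-a"])
    before = t.exposure(TENANT_LUN)
    t.open_up(TENANT_LUN, HOSTS.values())   # admin admits "all possible hosts"
    after = t.exposure(TENANT_LUN)
    # A host that never runs the tenant's VM, and anything executing on it,
    # can now reach the tenant's LUN.
    return before, after, t.is_visible(TENANT_LUN, HOSTS["esx-c"])


if __name__ == "__main__":
    print("strict masking, visible before/after move:", strict_masking_breaks_mobility())
    print("exposure before/after open-up, esx-c visible:", open_up_widens_perimeter())
```

The model makes the trade-off concrete: a mask narrow enough to exclude co-tenant hosts denies the migrated VM, and the mask wide enough to survive migration admits every shared host, which is exactly the perimeter growth the text describes.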