Storage area networks (SAN) connect a pool of storage devices to one or more host devices via a communication infrastructure such as Fibre Channel, Small Computer Systems Interface (SCSI), or Internet SCSI (iSCSI). In many storage systems, accesses by the host to the storage pool are controlled by a file server. The file server may include authentication and authorization mechanisms to protect the storage against malicious host accesses.
One problem with using file servers to control delivery of data to hosts is that it reduces the performance of host applications that require frequent I/O or large block transfers. Thus there has arisen a need to allow hosts to directly access the block storage devices, with minimal file server intervention. One method of delegating data access to the storage array to hosts is described in patent application Ser. No. 11/394,768 entitled “A Method for Providing Access to Shared Storage and Shared Storage Services in Grids and Clusters with Very Large Numbers of Nodes”, filed Mar. 31, 2006 and incorporated herein by reference. In the disclosed system, hosts retrieve logical-to-physical file mapping information associated with their files from a file system via the file server. The file mapping information is used by the host to perform direct accesses of the raw disk devices.
One problem with permitting direct host access to raw devices is that storage arrays generally include only limited protection mechanisms and as a result the potential for malicious data access is increased. For example, SCSI storage devices are identified using Logical Unit Numbers (LUNs). Host accesses to particular LUNs may be controlled through appropriate setting of bits in a LUN mask. LUN access is typically controlled by registering the authorized hosts with each LUN using a World Wide Name (WWN) of the host, uniquely generated by its associated Host Bus Adaptor (HBA) or a host initiator.
Another problem with the LUN mask approach is that it lacks the ability to protect the data with any granularity; any user at an authorized host may gain access to all data of the LUN if the mask bit for the host is set, whether the particular user is authorized to access the data or not.
Yet another problem with relying on LUN masking to secure data arises as a result of the evolution of the data center. LUN masks have been effective in the traditional data center storage environment because a single host generally supported a single application (such as a database or simulation engine) and there was a one-to-one mapping between applications and LUNs. In such an environment, the application-level access control policies could easily be mapped to host-level policies, and user access control could be provided at the application level.
However, the growing need for increased storage and disaster recovery capabilities has changed the concept of what constitutes a ‘data center’ from a co-located host and storage device arrangement to a geographically distributed, Internet-accessible storage grid. In grid storage architectures, multiple applications may be mapped across multiple servers, and often multiple applications may be mapped to a single server. The concept of Virtual LUNs was introduced to provide seamless movement of data within the grid. With the advent of Virtual LUNs, the one-to-one mapping of application to server breaks down and it is no longer possible to map application-level access control policies to host-level access control policies.
In addition, because the data center is Internet accessible, the WWN/LUN masking security construct is especially vulnerable to hackers. In a traditional co-located host/storage environment there was very little need for access control and security mechanisms within a data center because the host was a trusted, known entity. However, with the advent of iSCSI, host initiators can gain access to data storage arrays remotely via the Internet, from outside the data center. The potential for hacking of data storage is increased because, for iSCSI initiators, the WWN was replaced by an initiator name, which may easily be hacked, allowing malicious users to gain access to the storage.
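The limits of LUN masking described above, as an added example that is not part of the original text: a toy Python model in which the access decision sees only the presented initiator identifier and the LUN, followed by an audit of a mask table for the two weaknesses named. The class and function names, the bit layout, and the sample WWN and initiator names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LunMaskTable:
    """Toy model of LUN masking: one bit per registered initiator, per LUN."""
    bit_of: dict = field(default_factory=dict)  # initiator id -> bit position
    masks: dict = field(default_factory=dict)   # LUN number -> integer bitmask

    def register(self, initiator, lun):
        bit = self.bit_of.setdefault(initiator, len(self.bit_of))
        self.masks[lun] = self.masks.get(lun, 0) | (1 << bit)

    def is_allowed(self, initiator, lun, user=None, block_range=None):
        # user and block_range are accepted only to show they play no part:
        # the decision depends on the presented initiator id and the LUN alone.
        bit = self.bit_of.get(initiator)
        return bit is not None and bool(self.masks.get(lun, 0) >> bit & 1)

    def hosts_for(self, lun):
        mask = self.masks.get(lun, 0)
        return sorted(i for i, b in self.bit_of.items() if mask >> b & 1)


def audit(table, apps_on_host):
    """Return (lun, finding) pairs for the weaknesses the text describes."""
    findings = []
    for lun in sorted(table.masks):
        hosts = table.hosts_for(lun)
        apps = sorted({a for h in hosts for a in apps_on_host.get(h, [])})
        if len(apps) > 1:  # host-level policy cannot separate these applications
            findings.append((lun, "host-level mask exposes LUN to apps: " + ", ".join(apps)))
        named = [h for h in hosts if h.startswith("iqn.")]
        if named:  # identity is a configured name rather than an HBA-derived WWN
            findings.append((lun, "identified only by iSCSI initiator name: " + ", ".join(named)))
    return findings


# Constructed sample data (not from the page).
FC_HOST = "10:00:00:00:c9:00:00:01"             # Fibre Channel host, by WWN
ISCSI_HOST = "iqn.2006-03.com.example:host-b"   # iSCSI host, by initiator name
table = LunMaskTable()
table.register(FC_HOST, 0)
table.register(ISCSI_HOST, 0)
table.register(ISCSI_HOST, 1)
apps = {FC_HOST: ["database"], ISCSI_HOST: ["simulation", "backup"]}

if __name__ == "__main__":
    for lun, finding in audit(table, apps):
        print(f"LUN {lun}: {finding}")
```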
It would be desirable to identify a mechanism for protecting distributed shared storage arrays from malicious access while still allowing direct access to the storage arrays by hosts.