Ensuring access control in virtualized storage environments

Innovation Matters


Capability-based Command Security is an access control protocol for the virtualized data center.

Access control mechanisms in storage area networks today are tied to physical network components and are hard to manage. IBM computer scientists have now developed a way to ensure access control in storage area networks within virtualized environments. Capability-based Command Security (CbCS) lets SAN managers work at a higher logical level, independent of the transport network; raising security to a logical level simplifies management, provides a more natural fit to a virtualized infrastructure, and enables finer-grained access control.


New vs. old
Storage area network (SAN) implementations today use transport-level abstractions, not storage-level abstractions, to facilitate access control for SAN-attached storage. More concretely, access control in current SANs is achieved by using port zoning and/or LUN masking.

At the heart of these and similar schemes are access rules that work like this: Requests coming from a node connected to port a can get responses from a node connected to port b.

Yet this approach has a fundamental drawback in that it involves entities – ports – that have nothing to do with controlling which executing images can access which persistent storage. This basic flaw has resulted in several problems.

  • Because access is linked to ports, changing the physical connection of a node requires updating the SAN security configuration. This is problematic in a world of compute virtualization, where virtual machines co-exist inside the same physical machine sharing physical resources and migrate between physical machines.
  • Even without virtualization, mixing levels of abstraction is a recipe for management confusion: To specify which (logical) host can access which storage volume, one needs to map from a virtual machine to a physical host, from a host to a port and a port to another port and to a volume.
  • Access control mechanisms are transport-dependent. Hence, different mechanisms must be developed, deployed and maintained for IP SAN, FC SAN, SAS SAN, etc. For Fibre Channel storage networks, two emerging standards can be combined to address some of the aforementioned weaknesses: FC-SP, which provides port authentication, and N_Port ID Virtualization (NPIV), which provides a means to dynamically create virtual FC ports. Adopting them, however, requires hardware changes. Moreover, the access policy is still managed at the port level, which means that this combination still suffers from many of the weaknesses outlined above.


To address these weaknesses, IBM researchers proposed a new security model enforcing access control to storage in SANs. The model is based on the Object Store Device (OSD) security model, developed in the OSD technical working group in the Storage Networking Industry Association (SNIA), which built on research done at Carnegie Mellon University and IBM. CbCS applies the OSD model, which is well understood, reviewed and implemented, to Small Computer System Interface (SCSI) logical units in general.


Figure 1. The security model architecture.


The model provides a mechanism for enforcing dynamic access policies by requiring that storage I/O commands, initiated by some application client, carry a cryptographically hardened credential (see Figure 1). This credential is obtained from a security/policy manager, which ensures that only authorized clients are given appropriate credentials for a given storage device. The storage device grants or denies access based on this credential. It uses a secret key – shared with the security manager – to validate the authenticity of the credential presented by the client. The credential is coupled with the client’s I/O command through an extension paradigm: a secure I/O command extends the original (legacy) I/O command with the credential. Because the credential travels as an extension, existing commands are reused unchanged: a security layer on the host adds the extension to the legacy command, and a security layer on the storage device processes the extension of a received command, leaving the rest of the command processing untouched. In this way, the researchers avoid the need for massive changes in host servers and storage systems.
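The credential flow described above, as an added example that is not the project's code: a security manager holds the access policy and a secret shared with the storage device, derives a per-capability key for the client, the client extends each legacy command with the capability and an integrity check value computed under that key, and the device recomputes the capability key from its own secret to validate the command without ever trusting the client. The capability layout, the toy two-byte command header, the operation bits and the HMAC-SHA256 derivation are assumptions chosen for illustration and are not the SPC-4 CbCS encoding.

```python
"""Simplified model of capability-based command security (added example).

The field layout, op codes and key derivation are illustrative assumptions;
they are not the SPC-4 CbCS wire format.
"""
import hashlib
import hmac
import os
import struct

# Operation bits a capability may grant (constructed values).
OP_READ = 0x1
OP_WRITE = 0x2

# Secret shared by the security manager and the storage device.
# The client never sees it. Constructed for the example.
DEVICE_SECRET = hashlib.sha256(b"example device secret").digest()

# Policy table consulted by the security manager: client -> {lun: ops}.
POLICY = {
    "vm-alpha": {7: OP_READ | OP_WRITE},
    "vm-beta": {7: OP_READ},
}

# Capability encoding (assumption): client id, LUN, ops, expiry, nonce.
CAP_FMT = "!16sIIIQ"


def issue_credential(client_id, lun, now, ttl=300, secret=DEVICE_SECRET):
    """Security manager: check policy; return (capability, capability_key) or None."""
    ops = POLICY.get(client_id, {}).get(lun)
    if ops is None:
        return None
    nonce = int.from_bytes(os.urandom(8), "big")
    cap = struct.pack(CAP_FMT, client_id.encode(), lun, ops, now + ttl, nonce)
    # The per-capability key is derived from the device secret, so the device
    # can recompute it later; the client receives only this derived key.
    cap_key = hmac.new(secret, cap, hashlib.sha256).digest()
    return cap, cap_key


def extend_command(cdb, capability, cap_key):
    """Client: wrap a legacy command with the capability and an integrity check value."""
    icv = hmac.new(cap_key, cdb + capability, hashlib.sha256).digest()
    return {"cdb": cdb, "capability": capability, "icv": icv}


def op_of(cdb):
    """Map the toy command's first byte to the operation bit it needs (assumption)."""
    return {0x28: OP_READ, 0x2A: OP_WRITE}.get(cdb[0], 0)


def device_check(ext, now, secret=DEVICE_SECRET):
    """Storage device: validate the extended command; return (allowed, reason)."""
    cap = ext["capability"]
    try:
        _client, lun, ops, expiry, _nonce = struct.unpack(CAP_FMT, cap)
    except struct.error:
        return False, "malformed capability"
    # Recompute the capability key from the device's own secret and verify the
    # integrity check value over command and capability in constant time.
    cap_key = hmac.new(secret, cap, hashlib.sha256).digest()
    expected = hmac.new(cap_key, ext["cdb"] + cap, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ext["icv"]):
        return False, "bad integrity check value"
    if now > expiry:
        return False, "capability expired"
    if ext["cdb"][1] != lun:  # toy command: second byte is the LUN (assumption)
        return False, "capability is for a different LUN"
    needed = op_of(ext["cdb"])
    if needed == 0 or ops & needed != needed:
        return False, "operation not granted"
    return True, "ok"


if __name__ == "__main__":
    cap, key = issue_credential("vm-beta", 7, now=1000)
    read_cmd = extend_command(bytes([0x28, 7]) + b"\0" * 8, cap, key)
    write_cmd = extend_command(bytes([0x2A, 7]) + b"\0" * 8, cap, key)
    print("read:", device_check(read_cmd, now=1000))
    print("write:", device_check(write_cmd, now=1000))
```

The point to notice is where each secret lives: the device secret stays with the manager and the device, the client holds only a derived key that is useless for any capability other than the one it was issued for, and every command is checked individually, which is what gives the per-command granularity the text attributes to CbCS.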

This approach – Capability-based Command Security (CbCS) – addresses the weaknesses described above. CbCS provides an access control mechanism that is well suited to a virtualized environment because it secures the logical entities at the appropriate level of abstraction. It also provides fine-grained access control that works at the command rather than the connection level. It is independent of transport because it is an end-to-end protocol at the SCSI level. Finally, it simplifies management by providing a single point where storage access control needs to be managed. Table 1 compares CbCS with existing solutions.

Metric                                       Traditional zoning/masking   Zoning/masking with NPIV/FC-SP   CbCS
Prevents identity spoofing                   No                           Yes                              Yes
Supports differentiated access per command   No                           No                               Yes
Supports physical adapter/port sharing       No                           Yes                              Yes
Transport layer independent                  No                           No                               Yes
Single point of management                   No                           No                               Yes

Table 1. CbCS vs. current access control approaches in the SAN

Standardizing the new approach
A protocol that implements the CbCS approach on open systems SAN is now incorporated into the new SCSI standard draft (SPC-4) by the T10 technical committee of INCITS. IBM led the standardization of the CbCS protocol by the committee's Commands, Architecture and Protocols (CAP) working group, which included members from other leading industry companies.

Prototyping the new approach
IBM researchers have built a prototype system to demonstrate the feasibility of the good path data flow in a virtualized environment as well as to measure the performance impact of the protocol. The prototype system comprises a Xen virtualization server running a Xen user domain acting as the application client. The storage device is IBM’s SAN Volume Controller.

Running well-known benchmark tests shows a negligible impact of the protocol on the I/O path performance. Figures 2 and 3 show the performance results of two different benchmarks – Postmark and Bonnie++. Postmark is designed to simulate short-lived small files workloads; Bonnie++ performs sequential I/O on large files ensuring bypass of the file system’s cache. The benchmarks were executed from a bare metal Linux and a Xen virtual machine with and without the security protocol.


Figure 2. Postmark benchmark results



Figure 3. Bonnie++ benchmark results

Related Publications

Michael Factor, Dalit Naor, Eran Rom, Julian Satran and Sivan Tal. Capability-based Secure Access Control to Networked Storage Devices. 24th IEEE Conference on Mass Storage Systems and Technologies, 2007.

Michael Factor, David Nagle, Dalit Naor, Erik Riedel and Julian Satran. The OSD Security Protocol. SISW '05: Proceedings of the Third IEEE International Security in Storage Workshop. IEEE Computer Society, 2005.

Patents
IL9-2006-0043, System, Method and Computer Program Product for Secure Access Control to a Storage Device. Dalit Naor, Michael Factor, Sivan Tal, Julian Satran, Michael Rodeh.

CbCS project page
Secure Access to Storage Devices

Last updated June 11, 2008

Innovator's corner

Sivan Tal, Researcher
What is the most exciting potential future use for the work you're doing?
It has the potential to change the SAN environment significantly, creating new challenges and opportunities, and allowing more heterogeneous and diverse deployments that share storage resources securely without having to rely on mutual trust.

What is the most interesting part of your research?
Applying cryptographic technologies and protocols in storage systems and components, and implementing new access control mechanisms.

What inspired you to go into this field?
Storage security is a crucial part of overall IT security, yet little had been done in this area. I found there was a lot of room for development and innovation.

What is your favorite invention of all time?
The airplane -- for the spirit and faith and the capabilities it enables. Who would have considered going into outer space without having airplanes around?

Research team

Michael Factor, Dalit Naor, Eran Rom, Itai Segall, Julian Satran, Liran Schour, Sivan Tal