TY - GEN
T1 - A two layered approach for securing an object store network
AU - Azagury, A.
AU - Canetti, R.
AU - Factor, M.
AU - Halevi, S.
AU - Henis, E.
AU - Naor, D.
AU - Rinetzky, N.
AU - Rodeh, O.
AU - Satran, J.
N1 - Publisher Copyright:
© 2003 IEEE.
PY - 2003
Y1 - 2003
N2 - Storage Area Networks (SAN) are based on direct interaction between clients and storage servers. This unmediated access exposes the storage server to network attacks, necessitating a verification, by the server, that the client requests conform with the system protection policy. Solutions today can only enforce access control at the granularity of entire storage servers. This is an outcome of the way storage servers abstract storage: an array of fixed size blocks. Providing access control at the granularity of blocks is infeasible there are too many active blocks in the server of entire servers is used. Object, stores (e.g, the NASD system) on the other hand provide means to address these issues. An object store control unit presents an abstraction of a dynamic collection of objects, each can be seen as a different array of blocks, thus providing the basis for Protection at the object level. In this paper we present a security model for the object store which leverages on existing security infrastructure. We give a simple generic mechanism capable of enforcing an arbitrary access control policy at object granularity. This mechanism is specifically designed to achieve low overhead by minimizing the cost of validating an operation along the critical data path, and lends itself for optimizations such as caching The key idea of the model is to separate the mechanisms for transport security from the one used for access control and to maximize the use standard security protocols when possible We utilize a standard industry protocol for authentication, integrity and privacy on the communication channel (IPSec for IP networks) anti fine a proprietary protocol for authorization on top of the secure communication layer.
AB - Storage Area Networks (SAN) are based on direct interaction between clients and storage servers. This unmediated access exposes the storage server to network attacks, necessitating a verification, by the server, that the client requests conform with the system protection policy. Solutions today can only enforce access control at the granularity of entire storage servers. This is an outcome of the way storage servers abstract storage: an array of fixed size blocks. Providing access control at the granularity of blocks is infeasible there are too many active blocks in the server of entire servers is used. Object, stores (e.g, the NASD system) on the other hand provide means to address these issues. An object store control unit presents an abstraction of a dynamic collection of objects, each can be seen as a different array of blocks, thus providing the basis for Protection at the object level. In this paper we present a security model for the object store which leverages on existing security infrastructure. We give a simple generic mechanism capable of enforcing an arbitrary access control policy at object granularity. This mechanism is specifically designed to achieve low overhead by minimizing the cost of validating an operation along the critical data path, and lends itself for optimizations such as caching The key idea of the model is to separate the mechanisms for transport security from the one used for access control and to maximize the use standard security protocols when possible We utilize a standard industry protocol for authentication, integrity and privacy on the communication channel (IPSec for IP networks) anti fine a proprietary protocol for authorization on top of the secure communication layer.
KW - Object Store Device
KW - SAN
KW - Storage Security
UR - http://www.scopus.com/inward/record.url?scp=84962752982&partnerID=8YFLogxK
U2 - 10.1109/SISW.2002.1183506
DO - 10.1109/SISW.2002.1183506
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:84962752982
T3 - Proceedings - 1st International IEEE Security in Storage Workshop, SISW 2002
SP - 10
EP - 23
BT - Proceedings - 1st International IEEE Security in Storage Workshop, SISW 2002
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 1st International IEEE Security in Storage Workshop, SISW 2002
Y2 - 11 December 2002
ER -