Security and Mobility for Cloud Storage
Cloud computing, like any IT trend, has given rise to a bunch of new buzzwords, some of which refer to real capabilities and many of which refer to capabilities that exist mostly on paper. One of the latter is “secure multi-tenancy”: the ability for a shared infrastructure to support multiple “tenants” (which could be separate applications, departments, or customers) while guaranteeing strict isolation between them.
Most storage vendors are still figuring out exactly what the requirements should be for securely partitioned, shared storage. NetApp, on the other hand, pioneered the idea of secure multi-tenancy with the introduction of its NetApp® MultiStore® solution in 2002—years before the first mention of cloud computing occurred in the industry press. MultiStore lets you create isolated logical partitions on a single storage system such that no information on a secured virtual partition can be accessed by unauthorized users. It also lets you easily migrate virtual partitions between storage systems and provides simple-to-manage yet powerful disaster recovery.
Figure 1) NetApp MultiStore divides a single storage system into multiple secure partitions called vFiler™ units. Individual vFiler units can be assigned to separate “tenants,” which can be individual applications, departments within a company, or external customers.
Whether you like the term secure multi-tenancy or not, many companies have concerns about data security in cloud environments. In this article, we look at the technology that makes MultiStore secure, discuss NetApp Data Motion™, and examine the most common use cases. A companion article in this issue of Tech OnTap discusses quality of service in an end-to-end, secure multi-tenant architecture that combines technology from VMware and Cisco with NetApp MultiStore.
The key design element of NetApp MultiStore is the vFiler unit, a virtual storage controller running within Data ONTAP®. A vFiler unit is a lightweight instance of a Data ONTAP multiprotocol server. A vFiler unit consists of data stored in volumes or qtrees, the IP address(es) and network configuration necessary to reach the vFiler unit, and the security and other attributes associated with the data. From the perspective of client systems and management software, the data stored within a vFiler unit is completely secured and isolated from all other vFiler units.
The network components associated with a vFiler unit consist of IP addresses, interfaces, and IPSpaces. An IPSpace is a unique, logical routing table. In addition to any logical network separation provided by VLANs, an IPSpace provides an additional layer of security between vFiler units because traffic cannot leave an IPSpace without going to a network gateway. Each interface or virtual interface belongs to only one IPSpace, but an IPSpace can have multiple interfaces. The dynamic association of a vFiler unit with its storage and networking resources makes the movement of resources a relatively easy operation.
When a storage system receives a request, the network driver passes the request to the IP protocol stack. This request is tagged with a context based on the destination IP address and the IPSpace associated with the network interface. This context is associated with each request for the entire time it is being processed. Each vFiler unit has its own protocol stack, enabling it to listen on its own ports. Since context is carried throughout the request, the same port number can exist in multiple vFiler units.
Similarly, a data set owned by one vFiler unit cannot be accessed by another vFiler unit. The storage system maps each volume and qtree to the vFiler unit that owns it. The context that is assigned to each request must match that of the file or directory being accessed. If there is a mismatch, the request fails immediately. If a symbolic link resolves to a path outside a vFiler unit’s boundary, the data access fails, since there is a mismatch in the context of the request.
Independent audits of MultiStore in 2004 and 2008 uncovered no vulnerabilities in the MultiStore security model.
NetApp Data Motion: Adding Mobility to Multi-Tenancy
The unique design of MultiStore allows it to support NetApp Data Motion: nondisruptive migration of NFS or iSCSI data sets between storage systems. With NetApp Data Motion, an entire vFiler unit can be migrated from one storage system to another without disrupting ongoing activity. NetApp Data Motion does for data what VMware® VMotion™, XenServer XenMotion, and Microsoft® Hyper-V™ Quick Migration do for virtual machines—making it simple to migrate data as VMs are moved. Combining these services with NetApp Data Motion provides mobility at every layer of your infrastructure for load balancing, for nondisruptive upgrades, or to satisfy other data center needs.
MultiStore security prevents tenant data from being compromised during migration. Synchronous SnapMirror is used to synchronize data sets between storage systems during the migration and cutover process. NetApp Operations Manager version 4.0 with the Provisioning Manager add-on automates NetApp Data Motion processes and cleanup.
Figure 2) Initiating NetApp Data Motion migration with the NetApp Provisioning Manager interface.
Getting Started with MultiStore
There are a few practical considerations for MultiStore users. For NetApp storage systems with 2GB of memory or more (most current models), MultiStore can support up to 65 vFiler units per storage system. MultiStore supports the following protocols: NFS, CIFS, iSCSI, HTTP, NDMP, FTP, FTPS, and SFTP. Note that FCP is not supported except from the root vFiler unit (vFiler0). Individual protocols can be enabled or disabled on a per-vFiler unit basis.
The vFiler units themselves create very little memory overhead, so a system with MultiStore can handle the same aggregate workload that a system without MultiStore can. It’s important to note, however, that a system with MultiStore cannot sustain more load than a system without it.
You can use NetApp FlexShare® software to prioritize some volumes (and thus the workloads associated with those volumes) over others in a multi-tenant environment. (FlexShare is described in detail in a previous Tech OnTap article.) When resources are under contention, transactions on volumes with higher priority are processed more quickly. When storage system resources are not in contention, any workload can utilize them regardless of FlexShare priority.
In terms of management, you can configure a tenant environment to grant a tenant varying degrees of control ranging from no management capability to monitoring to full management capabilities within the limits created by the vFiler unit. Management can be performed using either the command line or NetApp Operations Manager and its add-on products: Provisioning Manager and Protection Manager.
MultiStore Use Cases
There are four common use cases for MultiStore. These use cases are not mutually exclusive—you might utilize the data migration and/or disaster recovery use cases as part of your MultiStore hosting environment or file services environment.
Hosting. Since MultiStore allows you to easily create multiple administrative domains, it is the ideal multi-tenant foundation for any shared storage service or hosting service. Cloud providers—whether they offer infrastructure services or application hosting services—can partition the resources of a single storage system to create many separate MultiStore vFiler units for client companies. NetApp FlexShare provides up to five priority levels, making it possible to create a hosting environment with up to five tiers of service.
Similarly, an enterprise IT department can create MultiStore vFiler units to serve the needs of various departments within the enterprise. (The final use case, file services consolidation, is really just a limited application of this use case.)
Data Migration. Based on the NetApp Data Motion capabilities described above, MultiStore enables you to migrate data from one storage system to another without disruption or extensive reconfiguration on the destination storage system. Without MultiStore, you could migrate data using NetApp SnapMirror® technology to copy data from one storage system to another, but some disruption would result, and you might need to edit access control lists (ACLs), local user group definitions, user mapping information, and so on before users could access data. If the data being copied is stored with MultiStore, however, all user, group, and ACL information is encapsulated in the vFiler unit. Migration recreates the vFiler unit on the destination storage system with the encapsulated information, so data can be served from the destination storage system without reconfiguration.
Disaster Recovery. Perhaps the least known use case for MultiStore is automated disaster recovery. MultiStore enables simple, cross-site DR in which IP domains migrate with each vFiler unit instance. SnapMirror is used to replicate vFiler units based on a defined schedule, creating backup versions of each vFiler unit that are in sync with the primary versions. Should a failure occur, an administrator can trigger the switch to a backup vFiler unit using a single command, so the cutover is very quick, with minimal client impact. vFiler units at the DR site can resync back to the source once the cause of the problem has been resolved.
File Services Consolidation. A final MultiStore use case that has proven very popular is for file server consolidation. In many companies, each individual department has its own file server. Consolidating many small file servers into one larger one would improve utilization and decrease management overhead, but many departments are reluctant to give up management control. With MultiStore, each small file server can be consolidated using a vFiler unit, yielding the benefits of consolidation while allowing each department to retain administrative control.
Tier 3: Real-World Success
Tier 3, a leading provider of managed services for small and medium-sized businesses, chose MultiStore to support its rapidly growing cloud infrastructure. With MultiStore, the company can provision in less than an hour a vFiler unit for a new customer that offers all the features of a dedicated SAN, including DR, scalability, and fast backup and restore. Shared storage using MultiStore costs about 80% less for customers and 50% less for Tier 3 than dedicated storage. You can find out more about Tier 3 in a recent success story.
MultiStore is the leading solution for secure multi-tenancy in storage environments. Its robustness has been proven in both laboratory tests and customer environments over years of deployment. MultiStore works on all NetApp storage platforms, offers higher security, and is the only solution that integrates nondisruptive data migration.
| || |
Technical Marketing Engineer
Roger joined NetApp in 2007 to focus on storage security. Before coming to NetApp, he held many different roles in systems and network areas. Over the past several years he has focused on security, from wireless to service providers to storage. Roger has coauthored several books, including Linux Unwired and Wireless Hacks, 2nd Edition.
| || |
Senior Product Marketing Manager
Paul joined NetApp in 2005, focusing on core NetApp software, including Data ONTAP, MultiStore, FlexClone®, and thin provisioning. He has over 30 years of industry experience in product management, sales, marketing, and executive management roles. Prior to joining NetApp, Paul worked at Data General, Digital Equipment Corporation, MSI Consulting, and SEPATON.