There's quite a bit of discussion these about network security and the lack thereof, including the latest proposal from Huawei, who says “The web needs globally backed, verifiable security standards.” But why is there no discussion of storage security as part of the overall security discussion?
We still have the same basic storage security we had in the 1990s. And most of it came from the 1980s, users, groups and ACLs (access control lists). I think this has not changed for a few reasons. First and foremost is that making changes will require changes to file systems or objects. This is a big deal for vendors, as it requires significant file system or objects changes. And that costs lots of money for the development and, most important, for the testing, which has a long term cost for the hardware and running the tests for each release.
Another reason is that there is only one other common operating system that supports enhanced security, SELinux. There are a few specialized operating systems that provide this support but they come at a very high cost. Yet SELinux is not widely used, I think because there is a chicken and egg problem. There is no scalable file system that will support high speed I/O and 100s of TB of space available on SELinux and NFS does not support SELinux mandatory access controls – so back to the chicken and egg problem.
The storage security problem needs to be addressed in a holistic way, globally. Someone needs to create a reference model that works and is successful so that the problem is addressed. Given that SELinux is available and works and solves the problem – at least in the kernel – it is now up to the file system community to develop a solution. As Linux seems to becoming the OS of choice for many environments, I hope that there is some movement forward in the area of security.
Labels: storage security,data storage
posted by: Henry Newman