Storage Magazine - UK

ONLY CONNECT …

From STORAGE Magazine Vol 7, Issue 2 - March/April 2007

Safeguarding data in this age of advanced connectivity has become a highly vexed question. We pinpoint some of the key strategies that can bring success.

As networks have grown, both in size and complexity, security problems have become more prevalent and the risks involved in using a network have soared. Network Attached Storage (NAS) and Storage Area Network (SAN) technologies have had a similar effect on storage. Indeed, storage devices are experiencing many of the same problems as other network devices.

Servers can now access hundreds, or even thousands, of storage devices and corrupt data on a scale not previously witnessed. The potential harm is multiplied by the high degree of connectivity that a modern storage infrastructure demands. So what are the best strategies for avoiding a connectivity disaster? How should they be implemented? And how do you make sure they are observed across the business?

It's a complex challenge, as Ian Bond, consulting systems architect, Cisco Systems, points out. "One of the fundamental shifts in IT departments over the past five years has been the increasing use of networked data storage systems. The emergence of a networked storage architecture has delivered many benefits, not least the greater flexibility now available in the allocation of storage to application servers, but it has also brought with it a problem of how to protect the data in this open environment.

"Traditionally, storage systems were considered secure, because access to data was limited to the owning application through physical separation - the application server and associated storage were in their own isolated environment, even when a storage network was employed. Now it is not uncommon to find a storage network that physically connects all servers and all storage devices in a data centre, and even spans across multiple data centres."

What is clear is that, in order to prevent the data held on the many storage volumes being vulnerable to corruption by malicious or accidental action from any of the servers attached to the storage network, some form of segmentation of the connectivity environment - with associated resource access controls - has to be applied.

There are many facets to this, says Bond. "The use of virtualisation technology underlies all control of connectivity, delivering multiple virtual storage networks within one physical environment. This enables the isolation of each virtual storage network, policed by network infrastructure hardware, limiting access between servers and storage devices to those that are in the same virtual network.

"Virtual networks also have the benefit of selectively locking down operator privileges, using role-based authentication and minimising the possibility of misconfigurations having network-wide effects."

Further securing data to protect against corruption or illegal use falls into two areas: data in transit - ie, storage networking security - and data at rest, which is storage data security.

"Many features enabling security in both these areas, including encryption of data in transit on both fibre channel and IP networks as well as the encryption of data on storage media, are now being delivered by storage technology vendors and should be included in any security policy as an extra line of defence," Bond adds. "The segmentation of physical storage connectivity, using virtual storage networks, retains the flexibility, high utilisation rate and speed of service delivery that are characteristic of the latest storage networks.

"However, it also delivers the control of access to data that is necessary in a secure data centre environment. This can be backed up by encryption of data in transit and at rest to secure information access further."

Scott K. Cleland, director of marketing, AMCC Storage, spotlights the way in which the deployment of NAS and SAN-based storage technologies (including Fibre Channel, SAS, and iSCSI), combined with the Serial ATA interface, has greatly enhanced scalability and increased connectivity options for IT infrastructures.

"Accordingly, effective storage strategies have become extremely important," he reasons. "A major consideration in a sound storage approach is how data protection is accomplished while maintaining the highest levels of performance."

Redundant Array of Independent Disks (RAID) technology, deployed by a true hardware-based RAID controller, is the data protection lynchpin in serious storage implementations, he argues. Common RAID levels include 0, 1, 5, 6, 10, and 50, with each level offering unique data protection and performance attributes.

Until recently, RAID 5, which protects data in the event of a single drive failure with a single parity calculation, was the bellwether for combining fault tolerance and performance in high-end systems. But now, states Cleland, "RAID technology pioneers like AMCC Storage have upped the ante with the introduction of RAID 6, the poster child for maximum data protection. RAID 6 eliminates the risk of data loss, if a second hard disk drive fails or an unrecoverable read error occurs while the RAID array is rebuilding.

"In a RAID 6 enabled system, a second set of parity is calculated, written and distributed across all the drives. This second parity calculation provides significantly more robust fault tolerance, because two drives can fail without resulting in data loss.

"AMCC's 3ware RAID controllers take RAID 6 performance to unmatched heights by uniquely making both parity calculations simultaneously."

RAID 6 certainly represents a sea change in the RAID landscape. It provides the industry with higher levels of data protection, data availability and fault tolerance than RAID 5. "By assuring data availability following a second drive failure, users can rest assured that they are enjoying maximum data protection, both in normal and degraded modes," he adds. And, with RAID 6 enabled 3ware controllers, RAID 6 will not cripple performance.

Yet it is also important to bear in mind that RAID 6 does not come without costs. RAID 6 requires the equivalent capacity of two drives in the array to be dedicated to storing only parity information.

Furthermore, most RAID 6 systems carry a heavy write performance burden, due to the additional parity calculation and the additional memory interrupts.
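The dual-parity idea discussed above can be made concrete with a short added example; it is not AMCC or 3ware code. It assumes the widely used P+Q scheme (P is plain XOR, Q is a weighted sum over the finite field GF(2^8) with generator 2 and polynomial 0x11d), which the article does not specify, and the stripe contents are constructed sample data.

```python
# Added illustration (assumed P+Q scheme over GF(2^8)); sample data is constructed.
def gf_mul(a, b):
    r = 0                       # carry-less multiply, reduced modulo 0x11d
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11d
        b >>= 1
    return r

def gf_pow(a, n):
    r = 1
    for _ in range(n):
        r = gf_mul(r, a)
    return r

def parity(blocks):
    """Return (P, Q): P = XOR of D_i, Q = XOR of 2^i * D_i, byte by byte."""
    p, q = bytearray(len(blocks[0])), bytearray(len(blocks[0]))
    for i, blk in enumerate(blocks):
        c = gf_pow(2, i)        # per-drive coefficient for the second parity
        for k, byte in enumerate(blk):
            p[k] ^= byte
            q[k] ^= gf_mul(c, byte)
    return bytes(p), bytes(q)

def recover_two(blocks, x, y, p, q):
    """Rebuild lost data blocks x and y from the survivors plus P and Q."""
    size = len(p)
    survivors = [b if i not in (x, y) else bytes(size) for i, b in enumerate(blocks)]
    pxy, qxy = parity(survivors)            # parity of what is still readable
    gx, gy = gf_pow(2, x), gf_pow(2, y)
    inv = gf_pow(gx ^ gy, 254)              # a^254 is the inverse of a in GF(2^8)
    dx, dy = bytearray(size), bytearray(size)
    for k in range(size):
        a = p[k] ^ pxy[k]                   # equals Dx ^ Dy
        b = q[k] ^ qxy[k]                   # equals gx*Dx ^ gy*Dy
        dx[k] = gf_mul(inv, b ^ gf_mul(gy, a))
        dy[k] = a ^ dx[k]
    return bytes(dx), bytes(dy)

def demo():
    data = [b"SAN-vol0", b"SAN-vol1", b"SAN-vol2", b"SAN-vol3"]
    p, q = parity(data)                     # two extra blocks: the capacity cost
    damaged = [data[0], None, data[2], None]  # drives 1 and 3 have failed
    return recover_two(damaged, 1, 3, p, q) == (data[1], data[3])
```

The inner loop over Q is the extra per-write work that single-parity RAID 5 does not have, and P and Q together occupy the equivalent of two drives per stripe.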

According to Cleland, "AMCC's simultaneous parity calculations mitigate these performance impediments to provide the fastest RAID 6 solution available. Today's advanced hardware RAID capabilities allow applications requiring sophisticated connectivity expanded scalability and the highest levels of sustained performance, without being burdened by system IO overhead."
