Securing Data Across SANs, WANs, and Shared File Systems: Page 3
What Does Not Work
There is so much that does not work. I am unaware of any end-to-end total solutions that have:
- MLS support for access control within the operating system
- MLS support within a file system that supports high performance IOPS and streaming I/O
- MLS support for a heterogeneous shared file system
- The ability to perform encryption within the file system
- Authentication for every path to the device (HBA, Fibre Channel switch, IP router, RAID, and tape)
- Standard encryption for access control of every device (HBA, Fibre Channel switch, IP router, RAID, and tape)
- Support for HSM encryption or backup encryption to/from tape
- Support for WAN encryption
- Support for encrypted remote mirroring of the RAIDs (if required)
What I'm outlining is the requirement for total data security from the time data is moved into or created within the system until the time data is destroyed — i.e. security through every aspect of all of the systems within a heterogeneous environment. Of course, this will have overhead, and in many cases these requirements might be overkill given that some systems contain no sensitive data.
We are a long, long way from having total end-to-end data security. The operating system is the critical path to the development of a truly secure system. Most vendors are looking at host-based solutions, and I am unaware of any modern file system (the next level) that meets all of the security requirements. Of course, having a file system is much more difficult in a heterogeneous environment, but while a homogenous OS could provide the basis of this security nirvana, this is something most experts believe is not on the short-term horizon.
A shared file system with MLS capabilities that supports heterogeneous access, HSM, and data security is the ideal, but it remains a pipe dream for now. The operating systems vendors need to develop truly secure MLS systems that can interoperate, which is not going to happen anytime soon. As a result, what we are currently left with are various band-aids for shoring up security in the areas where we are most vulnerable.