This article can also be found in the Premium Editorial Download "Storage magazine: New rules change data retention game."
Download it now to read this article plus other related content.
Some storage managers physically or virtually isolate NAS storage, so it's only accessible via a separate network. "Although we have all our systems behind firewalls, to further reduce exposure and risk, we decided to run our NAS on an isolated network," says Vincent Fusca III, operations director, Center for the Evaluative Clinical Sciences at Dartmouth College, Lebanon, NH.
Electronic Data Systems (EDS) Corp., a technology service company in Plano, TX, creates logically isolated environments for its customers. "We put clients into a container, which typically means that their systems are firewalled, preventing one customer from seeing another customer's data, regardless if the customer has a dedicated NAS or if he is on a shared NAS offering," says Tim Bowers, EDS' Storage Services product manager. "Furthermore, we separate management, data and backup networks."
|CIFS and NFS file-system security|
Because NAS is accessed via NFS and CIFS file-systems protocols, understanding how these two protocols handle access will help you properly secure files and shares.
a user session. Information about who can access a file or share is stored as meta data in the file system itself and is contained in the file's security descriptor, which comprises the owner SID, group SID and an access control list (ACL). The ACL can contain several access control entries (ACEs) that specify the users and groups who can access a file/share and the type of access.
Similarly, when NFS clients access a file with Unix security information, the NAS checks the user's credentials against the file's security information to determine whether or not an operation is permissible. The file security information comprises a user ID; group ID; and read, write and execute permissions.
As most non-Windows NAS systems--such as BlueArc Corp.'s Titan, EMC Corp.'s Celerra and Network Appliance Inc.'s filers--support both NFS and CIFS, these multiprotocol NAS systems provide a mapping mechanism that allows NFS clients to access files written with CIFS clients and vice versa (see below).
This was first published in September 2007