/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsIn the current business scenario data is the main asset for any enterprise. Securing the data and preserving its integrity is the most critical issue. Data security is about ensuring that only authorized users are able to access data. Data integrity is about ensuring consistency/ accuracy of the data that is written to/read from storage.
From the storage perspective, there are two types of data integrity problems: One is the storage integrity problem. I write a block of data to my storage subsystem. I expect that when I go to read it I will get some data back and that that data will be what I last wrote, even if a disk failed in the meantime.
The second is the file system integrity problem. I write a file. I expect that when I go to read it, the operating system will be able to find my file and that it will contain what I last wrote. Furthermore, I expect that quotas are properly calculated, that every block on the disk is either available or used, that deleting a file frees up all of its blocks, and so forth; I expect that the file system works as advertised.
Key steps
Data integrity is an inherent feature of our core storage systems. Some of the ways in which this is implemented in our systems are as follows (NB: Data ONTAP is the core storage OS that underlies all our storage systems):
RAID checksums: When Data ONTAP writes data to disk, each 4kB block generates a checksum that is stored as part of the block's metadata. When data is later read from disk, a new checksum is calculated and compared to the original checksum from the block's metadata. If the read data generates a different checksum, the requested data is recreated from parity and provided to the client. In addition, the data from parity is rewritten to the original 4kB block, then read back to verify its accuracy.
RAID scrubs: The RAID checksum approach described earlier ensures data being read from disk is accurate before being served to requesting clients. In other words, frequently read data tends to benefit the most from RAID checksums. However, not all data is frequently read from disk. Examples are files in home directories, which tend to be accessed less frequently as they age, or archived files that are rarely accessed again over the course of their retention life. RAID scrubs are a feature configurable by NetApp that traverses the storage to read each 4kB block, which in turn triggers the RAID checksum protection discussed earlier. Regardless of how little or often data is accessed, proactive RAID scrubs ensure media errors occurring over time do not affect the integrity of stored data.
Maintenance center: Maintenance Center (MC) software is part of the NetApp suite of proactive, self-healing storage resiliency tools. Consisting of Storage Health Monitor (SHM), NetApp Health Triggers (NHT), and NetApp Drive Self Tests (NDST) software, Maintenance Center promotes drive self-healing and preventive/corrective maintenance. Customer benefits include higher data availability, enhanced data integrity, and lower drive maintenance costs.
SnapValidator: For Oracle deployments, SnapValidator can be used to provide an additional layer of integrity checking between the application and NetApp storage. SnapValidator allows Oracle to create checksums on data transmitted to NetApp storage for writes to disk and include the checksum as part of the transmission. When Data ONTAP receives the data, it generates a new checksum and compares it to the one generated by Oracle. If the two match, the Oracle write is acknowledged and the data is written to disk. As part of writing data to disk, the inherent features of Data ONTAP, such as RAID checksums, are engaged and continue to guarantee data integrity going forward. If the checksums do not match, the write is aborted, so no data corruption occurs and an alert is generated so corrective action can be taken.
Data ONTAP/ NVRAM: The NVRAM on our storage systems not only ensures that the file system remains consistent but also that if a system comes up after a crash, the file system is re-created as it was at the moment of the crash.
However, file system consistency also requires a reliable storage system underneath. Disks fail, and when they do, they lose data, which is why we have RAID. Before writing data to disk, the RAID subsystem in our systems writes sufficient information to the NVRAM to identify the stripe that is being written and to ensure that all the good data in the stripe can be reconstructed even if a disk fails or the system crashes while the stripe is being written.
Trends
Today, thanks to advances in storage technology, the contents of 20 million pounds of paper can fit on a single backup tape. Imagine stealing 20 million pounds of paper, and then imagine stealing a backup tape. The better technology gets at putting more and more data on a single tape or disk, the more data is put at risk in a single security breach.
Implementation of storage networks that provide for the centralization and consolidation of storage can simplify administration and reduce overall costs. However, consolidation brings risks: a single security breach can threaten vast amounts of data that comes not from just a single department, but from across the entire organization.
Normal data backup operations also put your data at risk. Data replication techniques used in backup and off-site mirroring processes distribute multiple copies of clear text data (unencrypted data that can easily be read) outside the data center. Most disaster recovery plans place data off-site in remote or outsourced facilities. Once your data leaves the data center, it is more vulnerable.
Today's attacks on data are more likely to be conducted by criminals who intend to gain financially from stealing your data or by disgruntled individuals who want to hurt your organization. In a typical enterprise, the access points to your data assets are too varied to be completely controlled, in spite of user-level access controls. If you are going to protect your data from all possible types of attacks, you need to protect the data itself with the additional security that only a storage security system with encryption can ensure.
Until recently, encryption was just too painful to implement. It degraded performance; it was difficult to integrate it and make it work. Today, however, while the risks of a security breach are increasing and the costs of damage control are going up, the challenges of implementing encryption are going down. With encryption solutions of today, the advantages of encrypting your valuable and at-risk backup data by far outweigh the implementation challenges.
The most advanced storage security solution is storage encryption appliances deployed on the network itself. These solutions can be deployed with virtually zero downtime because they require no modification to applications, hosts, or servers. Further, these appliances capable of compressing and then encrypting data at wire speeds, making them especially well suited for a wide variety of backup and recovery environments. Designed to provide the most robust security available, encryption appliances today come with strong logging capabilities, access controls, and secure key management systems.