Tech ONTAP Articles

NetApp MultiStore: Security and Mobility for Cloud Storage

Tech_OnTap
5,611 Views

Cloud computing, like any IT trend, has given rise to a bunch of  new buzzwords, some of which refer to real capabilities and many of which refer  to capabilities that exist mostly on paper. One of the latter is “secure  multi-tenancy”: the ability for a shared infrastructure to support multiple  “tenants” (which could be separate applications, departments, or customers)  while guaranteeing strict isolation between them.


Most storage vendors are still figuring out exactly what the  requirements should be for securely partitioned, shared storage. NetApp, on the  other hand, pioneered the idea of secure multi-tenancy with the introduction of  its NetApp® MultiStore® solution in 2002—years before the  first mention of cloud computing occurred in the industry press. MultiStore  lets you create isolated logical partitions on a single storage system such  that no information on a secured virtual partition can be accessed by unauthorized  users. It also lets you easily migrate virtual partitions between storage  systems and provides simple-to-manage yet powerful disaster recovery.

NetApp MultiStore divides a single storage system into multiple secure partitions called vFiler™ units. Individual vFiler units can be assigned to separate “tenants,” which can be individual applications, departments within a company, or external customers

Figure 1) NetApp MultiStore divides a single storage system into multiple secure partitions called vFiler™ units. Individual vFiler units can be assigned to separate “tenants,” which can be individual applications, departments within a company, or external customers.

Whether you like the term secure multi-tenancy or not, many  companies have concerns about data security in cloud environments. In this  article, we look at the technology that makes MultiStore secure, discuss NetApp  Data Motion™, and examine the most common use cases. A companion  article in this issue  of Tech OnTap discusses quality of service in an  end-to-end, secure multi-tenant architecture that combines technology from  VMware and Cisco with NetApp MultiStore.

MultiStore Security

The key design element of NetApp MultiStore is the vFiler unit,  a virtual storage controller running within Data ONTAP®. A vFiler unit  is a lightweight instance of a Data ONTAP multiprotocol server. A vFiler unit consists  of data stored in volumes or qtrees, the IP address(es) and network  configuration necessary to reach the vFiler unit, and the security and other attributes  associated with the data. From the perspective of client systems and management  software, the data stored within a vFiler unit is completely secured and  isolated from all other vFiler units.

The network components associated with a vFiler unit consist of  IP addresses, interfaces, and IPSpaces. An IPSpace is a unique, logical routing  table. In addition to any logical network separation provided by VLANs, an  IPSpace provides an additional layer of security between vFiler units because  traffic cannot leave an IPSpace without going to a network gateway. Each  interface or virtual interface belongs to only one IPSpace, but an IPSpace can  have multiple interfaces. The dynamic association of a vFiler unit with its  storage and networking resources makes the movement of resources a relatively  easy operation.

When a storage system receives a request, the network driver  passes the request to the IP protocol stack. This request is tagged with a  context based on the destination IP address and the IPSpace associated with the  network interface. This context is associated with each request for the entire  time it is being processed. Each vFiler unit has its own protocol stack,  enabling it to listen on its own ports. Since context is carried throughout the  request, the same port number can exist in multiple vFiler units.

Similarly, a data set owned by one vFiler unit cannot be  accessed by another vFiler unit. The storage system maps each volume and qtree to  the vFiler unit that owns it. The context that is assigned to each request must  match that of the file or directory being accessed. If there is a mismatch, the  request fails immediately. If a symbolic link resolves to a path outside a  vFiler unit’s boundary, the data access fails, since there is a mismatch in the  context of the request.


Independent audits of MultiStore in 2004 and 2008 uncovered no vulnerabilities in the MultiStore security model.

NetApp Data Motion: Adding Mobility to Multi-Tenancy

The unique design of MultiStore allows it to support NetApp Data  Motion: nondisruptive migration of NFS or iSCSI data sets between storage  systems. With NetApp Data Motion, an entire vFiler unit can be migrated from  one storage system to another without disrupting ongoing activity. NetApp Data  Motion does for data what VMware® VMotion™, XenServer  XenMotion, and Microsoft® Hyper-V™ Quick Migration do for  virtual machines—making it simple to migrate data as VMs are moved. Combining  these services with NetApp Data Motion provides mobility at every layer of your  infrastructure for load balancing, for nondisruptive upgrades, or to satisfy  other data center needs.

MultiStore security prevents tenant data from being compromised  during migration. Synchronous SnapMirror is used to synchronize data sets  between storage systems during the migration and cutover process. NetApp  Operations Manager version 4.0 with the Provisioning Manager add-on automates  NetApp Data Motion processes and cleanup.

NetApp MultiStore divides a single storage system into multiple secure partitions called vFiler™ units. Individual vFiler units can be assigned to separate “tenants,” which can be individual applications, departments within a company, or external customers

Figure 2) Initiating NetApp Data Motion migration with the NetApp Provisioning Manager interface.

Getting Started with  MultiStore

There are a few practical  considerations for MultiStore users. For NetApp storage systems with 2GB of  memory or more (most current models), MultiStore can support up to 65 vFiler  units per storage system. MultiStore supports the following protocols: NFS,  CIFS, iSCSI, HTTP, NDMP, FTP, FTPS, and SFTP. Note that FCP is not supported except  from the root vFiler unit (vFiler0). Individual protocols can be enabled or  disabled on a per-vFiler unit basis.

The vFiler units themselves  create very little memory overhead, so a system with MultiStore can handle the  same aggregate workload that a system without MultiStore can. It’s important to  note, however, that a system with MultiStore cannot sustain more load than a  system without it.
You can use NetApp FlexShare®  software to prioritize some volumes (and thus the workloads associated with  those volumes) over others in a multi-tenant environment. (FlexShare  is described in detail in a previous Tech OnTap article.)  When resources are under contention, transactions on volumes with higher  priority are processed more quickly. When storage system resources are not in  contention, any workload can utilize them regardless of FlexShare priority.


In terms of management, you can  configure a tenant environment to grant a tenant varying degrees of control  ranging from no management capability to monitoring to full management  capabilities within the limits created by the vFiler unit. Management can be  performed using either the command line or NetApp Operations Manager and its  add-on products: Provisioning Manager and Protection Manager.

MultiStore Use Cases

There are four common use cases for MultiStore. These use cases  are not mutually exclusive—you might utilize the data migration and/or disaster  recovery use cases as part of your MultiStore hosting environment or file  services environment.

Hosting. Since  MultiStore allows you to easily create multiple administrative domains, it is  the ideal multi-tenant foundation for any shared storage service or hosting service.  Cloud providers—whether they offer infrastructure services or application  hosting services—can partition the resources of a single storage system to  create many separate MultiStore vFiler units for client companies. NetApp  FlexShare provides up to five priority levels, making it possible to create a  hosting environment with up to five tiers of service.

Similarly, an enterprise IT department can create MultiStore vFiler  units to serve the needs of various departments within the enterprise. (The  final use case, file services consolidation, is really just a limited  application of this use case.)

Data  Migration. Based on the NetApp Data Motion capabilities described above, MultiStore  enables you to migrate data from one storage system to another without disruption  or extensive reconfiguration on the destination storage system. Without  MultiStore, you could migrate data using NetApp SnapMirror®  technology to copy data from one storage system to another, but some disruption  would result, and you might need to edit access control lists (ACLs), local  user group definitions, user mapping information, and so on before users could  access data. If the data being copied is stored with MultiStore, however, all  user, group, and ACL information is encapsulated in the vFiler unit. Migration  recreates the vFiler unit on the destination storage system with the  encapsulated information, so data can be served from the destination storage  system without reconfiguration.

Disaster Recovery. Perhaps the least known use case for MultiStore is automated  disaster recovery. MultiStore enables simple, cross-site DR in which IP domains  migrate with each vFiler unit instance. SnapMirror is used to replicate vFiler  units based on a defined schedule, creating backup versions of each vFiler unit  that are in sync with the primary versions. Should a failure occur, an  administrator can trigger the switch to a backup vFiler unit using a single  command, so the cutover is very quick, with minimal client impact. vFiler units  at the DR site can resync back to the source once the cause of the problem has  been resolved.

File  Services Consolidation. A final MultiStore use case that has proven very popular is  for file server consolidation. In many companies, each individual department  has its own file server. Consolidating many small file servers into one larger  one would improve utilization and decrease management overhead, but many  departments are reluctant to give up management control. With MultiStore, each  small file server can be consolidated using a vFiler unit, yielding the  benefits of consolidation while allowing each department to retain  administrative control.

Tier 3: Real-World Success

Tier 3, a leading provider of managed services for small and  medium-sized businesses, chose MultiStore to support its rapidly growing cloud  infrastructure. With MultiStore, the company can provision in less than an hour  a vFiler unit for a new customer that offers all the features of a dedicated  SAN, including DR, scalability, and fast backup and restore. Shared storage  using MultiStore costs about 80% less for customers and 50% less for Tier 3  than dedicated storage. You can find out more about Tier 3 in a recent  success story.

Conclusion

MultiStore is the leading solution for secure multi-tenancy in storage  environments. Its robustness has been proven in both laboratory tests and  customer environments over years of deployment. MultiStore works on all NetApp  storage platforms, offers higher security, and is the only solution that  integrates nondisruptive data migration.

Got opinions about MultiStore?
Ask questions, exchange ideas, and share your thoughts online in NetApp Communities.

Roger Weeks 

Roger Weeks
Technical Marketing Engineer
NetApp

Roger joined NetApp in 2007 to focus on storage security. Before coming to NetApp, he held many different roles in systems and network areas. Over the past several years he has focused on security, from wireless to service providers to storage. Roger has coauthored several books, including Linux Unwired and Wireless Hacks, 2nd Edition.

Paul Feresten

Paul Feresten
Senior Product Marketing Manager
NetApp

Paul joined NetApp in 2005, focusing on core NetApp software, including Data ONTAP, MultiStore, FlexClone®, and thin provisioning. He has over 30 years of industry experience in product management, sales, marketing, and executive management roles. Prior to joining NetApp, Paul worked at Data General, Digital Equipment Corporation, MSI Consulting, and SEPATON.

Explore

Please Note:

All content posted on the NetApp Community is publicly searchable and viewable. Participation in the NetApp Community is voluntary.

In accordance with our Code of Conduct and Community Terms of Use, DO NOT post or attach the following:

  • Software files (compressed or uncompressed)
  • Files that require an End User License Agreement (EULA)
  • Confidential information
  • Personal data you do not want publicly available
  • Another’s personally identifiable information (PII)
  • Copyrighted materials without the permission of the copyright owner

Continued non-compliance may result in NetApp Community account restrictions or termination.

Replies

Sounds great - but there are a lot of pitfalls and drawbacks, especially when you start using Operations Manager / Protection Manager and/or SnapManager integration.

Have a look at:

http://communities.netapp.com/message/14451#14451

http://communities.netapp.com/message/22800#22800

or search for "SnapManager Protection Manager"...

there is a lot of work ahead and even more in educating people, so they know how NetApps Software Engineers designed and meant it to work (documentation at this time is rather poor, sorry, what is untypical for NetApp)


Mark

Public