IBM Spectrum Scale Security

Book description

Storage systems must provide reliable and convenient data access to all authorized users while simultaneously preventing threats coming from outside or even inside the enterprise.

Security threats come in many forms: unauthorized access to data, data tampering, denial of service, and the unauthorized acquisition of privileged access to systems.

According to the Storage Network Industry Association (SNIA), data security in the context of storage systems is responsible for safeguarding data against theft, preventing unauthorized disclosure of data, and preventing data tampering and accidental corruption. This process ensures accountability, authenticity, business continuity, and regulatory compliance.

Security for storage systems can be classified as follows:


  • Data storage (data at rest, which includes data durability and immutability)
  • Access to data
  • Movement of data (data in flight)
  • Management of data

IBM® Spectrum Scale is a software-defined storage system for high performance, large-scale workloads on-premises or in the cloud.

IBM Spectrum™ Scale addresses all four aspects of security. It secures data at rest through snapshots, backups, and immutability features; it secures data in flight and the management of data; and it secures access to data by using authentication and authorization across the supported access protocols: POSIX, NFS, SMB, Hadoop, and Object (REST). For automated data management, it provides information lifecycle management (ILM) tools that help administer unstructured data by applying the appropriate security to the appropriate data.

This IBM Redpaper™ publication details the various aspects of security in IBM Spectrum Scale™, including the following items:


      • Security of data in transit
      • Security of data at rest
      • Authentication
      • Authorization
      • Hadoop security
      • Immutability
      • Secure administration
      • Audit logging
      • Security for transparent cloud tiering (TCT)
      • Security for OpenStack drivers

Unless stated otherwise, the functions that are mentioned in this paper are available in IBM Spectrum Scale V4.2.1 or later releases.

Table of contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. Authors
    2. Now you can become a published author, too
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Chapter 1. Secure data in transit
    1. 1.1 Secure cluster communication
      1. 1.1.1 Important commands for secure cluster communication
    2. 1.2 Secure access of IBM Spectrum Scale file interfaces
      1. 1.2.1 Secure access with SMB
      2. 1.2.2 Secured NFS transfers
    3. 1.3 Secured object data access
    4. 1.4 Secure access with IBM Spectrum Scale HDFS Transparency
    5. 1.5 References
  5. Chapter 2. Secure data at rest
    1. 2.1 Encryption keys
    2. 2.2 Encryption policies
    3. 2.3 The remote key management service
    4. 2.4 Illustration of the encryption policy
    5. 2.5 Highly available key servers
    6. 2.6 Multicluster and disaster recovery
    7. 2.7 Secure deletion
    8. 2.8 NIST and FIPS
    9. 2.9 Encryption: Performance impact
    10. 2.10 References
  6. Chapter 3. Authentication
    1. 3.1 File interface
      1. 3.1.1 Integration with an RFC2307 schema-compliant LDAP server
      2. 3.1.2 Integration with a Microsoft Active Directory server
      3. 3.1.3 Integration with a Network Information Service server
      4. 3.1.4 Kerberos authentication
      5. 3.1.5 Netgroups
    2. 3.2 Object interface
      1. 3.2.1 Secure communication
    3. 3.3 References
  7. Chapter 4. Authorizing protocol users
    1. 4.1 Authorizing NFS and SMB users
      1. 4.1.1 NFSv4 ACLs
      2. 4.1.2 Inheritance in NFSv4 ACLs
      3. 4.1.3 ACLs in the SMB protocol
      4. 4.1.4 ACLs in the NFS protocol
      5. 4.1.5 Mapping between NFSv4 ACLs and SMB ACLs
      6. 4.1.6 Special ACL entries
      7. 4.1.7 SMB export ACLs
    2. 4.2 Authorizing Object (OpenStack Swift and S3) users
      1. 4.2.1 OpenStack Swift ACLs
      2. 4.2.2 OpenStack Swift3 ACLs
      3. 4.2.3 Recommendations for ACL usage
      4. 4.2.4 Access control in IBM Spectrum Scale object
    3. 4.3 References
  8. Chapter 5. Secure administration
    1. 5.1 Remote Shell and Remote Copy
    2. 5.2 Running IBM Spectrum Scale without remote root login
    3. 5.3 Secure administration by using the GUI
    4. 5.4 Secure administration by using the REST API
      1. 5.4.1 REST API version 1
      2. 5.4.2 REST API version 2
      3. 5.4.3 REST API and Cross-Origin Resource Sharing (CORS)
    5. 5.5 References
  9. Chapter 6. Immutability
    1. 6.1 IBM Spectrum Scale as an archive storage
    2. 6.2 Immutable filesets
    3. 6.3 References
  10. Chapter 7. Audit logging
    1. 7.1 File audit logging
      1. 7.1.1 Installation and enablement
    2. 7.2 Audit logging for cluster configuration changes
      1. 7.2.1 Message format
    3. 7.3 References
  11. Chapter 8. Hadoop security
    1. 8.1 An introduction to Hadoop support in IBM Spectrum Scale: HDFS Transparency
    2. 8.2 Kerberos
    3. 8.3 Authentication
    4. 8.4 Authorization
      1. 8.4.1 HDFS
      2. 8.4.2 Authorization for other Hadoop services
    5. 8.5 Auditing
    6. 8.6 Securing REST access
    7. 8.7 Data protection
      1. 8.7.1 Data at rest
      2. 8.7.2 Data in motion
      3. 8.7.3 Secure Erase
    8. 8.8 Securing the Hadoop distribution components
    9. 8.9 References
  12. Chapter 9. Security for transparent cloud tiering
    1. 9.1 Securing data in flight and at rest
    2. 9.2 Securing the keys that are used to protect the data
    3. 9.3 Configuring transparent cloud tiering with an external key manager: IBM Security Key Lifecycle Manager
      1. 9.3.1 Rotating a key with IBM Security Key Lifecycle Manager
    4. 9.4 Configuring transparent cloud tiering with local key manager: Java Key Store
      1. 9.4.1 Rotating an encryption key with Local Key Manager
    5. 9.5 TCT client-server communication security
    6. 9.6 Security of TCT commands
    7. 9.7 Data integrity protection
    8. 9.8 Security considerations while configuring a cloud object storage
    9. 9.9 References
  13. Chapter 10. Security for OpenStack drivers
    1. 10.1 OpenStack components
    2. 10.2 OpenStack components and IBM Spectrum Scale security
    3. 10.3 References
  14. Chapter 11. Security for AFM
    1. 11.1 AFM and Authentication/ID Mapping
    2. 11.2 AFM and secure data in transit
    3. 11.3 References
  15. Chapter 12. Firewall recommendations
    1. 12.1 Types of networks
    2. 12.2 IBM Spectrum Scale installation and basic cluster operation
    3. 12.3 GUI
    4. 12.4 Performance Monitoring tools
    5. 12.5 Transparent cloud tiering
    6. 12.6 Cluster Export Services
      1. 12.6.1 NFS file protocol (Cluster Export Services)
      2. 12.6.2 SMB file protocol (Cluster Export Services)
      3. 12.6.3 Object protocol (Cluster Export Services)
      4. 12.6.4 iSCSI protocol (Cluster Export Services)
    7. 12.7 File audit logging
    8. 12.8 Active File Management
    9. 12.9 IBM Spectrum Scale remote mounting of file systems
    10. 12.10 IBM Spectrum Protect connectivity by using mmbackup and HSM
    11. 12.11 IBM Spectrum Archive connectivity
    12. 12.12 IBM Spectrum Control connectivity
    13. 12.13 Key server ports
    14. 12.14 References
  16. Appendix A. Examples of how to open firewall ports
    1. Red Hat 7.x
    2. SLES12
    3. Ubuntu and Debian
    4. Windows 2008R2
    5. The iptables option
  17. Glossary
  18. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. Help from IBM
  19. Back cover

Product information

  • Title: IBM Spectrum Scale Security
  • Author(s): Felipe Knop, Sandeep R. Patil, Alifiya Kantawala, Larry Coyne
  • Release date: September 2018
  • Publisher(s): IBM Redbooks
  • ISBN: 9780738457161