Specifications

© IBM Copyright, 2012 Version: January 26, 2012
www.ibm.com/support/techdocs 44
Summary of Best Practices for Storage Area Networks
access which LUN by means of the storage device control program. Whenever the
host accesses a particular LUN, the storage device will check its access list for that
LUN, and it will allow or disallow access to the LUN.
Server-level access control is called persistent binding. Persistent binding uses
configuration information stored on the server, and is implemented through the
server’s HBA driver. The process binds a server device name to a specific Fibre
Channel storage volume or logical unit number (LUN), through a specific HBA and
storage port WWN. Or, put in more technical terms, it is a host-centric way to direct
an operating system to assign certain SCSI target IDs and LUNs. When zoning,
LUN masking and persistent binding features are used in combination, the result is a
more secure SAN.
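As an added example (not from the IBM document), the three layers described above modelled in Python: a fabric zone set, a storage-side LUN masking table and host-side persistent bindings, with a check that walks one binding through each layer and an audit that flags masking entries granted to initiators that no zone lets reach the target. All WWPNs, zone names, device names and LUN numbers are constructed sample values.

```python
"""Model the three SAN access-control layers the text combines: fabric zoning,
storage-side LUN masking and host-side persistent binding.
All WWPNs, zone names, device names and LUN numbers are constructed samples."""
from dataclasses import dataclass

# Fabric zoning: each zone lists the WWPNs allowed to see each other (constructed).
ZONES = {
    "z_hostA_stor1": {"10:00:00:00:c9:aa:aa:01", "50:05:07:68:01:ab:cd:01"},
    "z_hostB_stor1": {"10:00:00:00:c9:bb:bb:01", "50:05:07:68:01:ab:cd:01"},
}

# Storage-side LUN masking: (target port WWPN, LUN) -> initiator WWPNs allowed.
LUN_MASKS = {
    ("50:05:07:68:01:ab:cd:01", 0): {"10:00:00:00:c9:aa:aa:01"},
    ("50:05:07:68:01:ab:cd:01", 1): {"10:00:00:00:c9:aa:aa:01",
                                     "10:00:00:00:c9:bb:bb:01"},
    ("50:05:07:68:01:ab:cd:01", 2): {"10:00:00:00:c9:cc:cc:01"},  # in no zone
}


@dataclass(frozen=True)
class Binding:
    """Host persistent binding: OS device name -> HBA WWPN, target WWPN, LUN."""
    device: str
    hba_wwpn: str
    target_wwpn: str
    lun: int


def zoned_together(a: str, b: str) -> bool:
    """Zoning layer: two ports can talk only if some zone contains both."""
    return any(a in z and b in z for z in ZONES.values())


def check_access(b: Binding) -> str:
    """Return 'allowed' or the name of the first layer that denies the path."""
    if not zoned_together(b.hba_wwpn, b.target_wwpn):
        return "denied:zoning"
    if b.hba_wwpn not in LUN_MASKS.get((b.target_wwpn, b.lun), set()):
        return "denied:lun_masking"
    return "allowed"


def audit_masks() -> list:
    """Masking grants to initiators that zoning never lets reach the target are
    dead today but become live access the moment a zone is added: flag them."""
    return [(target, lun, ini)
            for (target, lun), initiators in LUN_MASKS.items()
            for ini in initiators
            if not zoned_together(ini, target)]
```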
SANs, and their ability to make data highly available, need to be tempered by well
thought out, and more importantly implemented, security policies that manage how
devices interact within the SAN. It is essential that the SAN environment
implements a number of safeguards to ensure data integrity, and to prevent
unwanted access from unauthorized systems and users.
It is a well-known fact that “a chain is only as strong as its weakest link” and when
talking about computer security, the same concept applies: there is no point in
locking all the doors and then leaving a window open. A secure, networked
infrastructure must protect information at many levels or layers, and have no single
point of failure.
As true as it is in any IT environment, it is also true in a SAN environment that
access to information, and to the configuration or management tools, must be
restricted to only those people who need access and are authorized to make
changes. Any configuration or management software is typically protected with
several levels of security, usually starting with a user ID and password that must be
assigned appropriately to personnel based on their skill level and responsibility.
Whether at rest or in flight, data security comprises both data confidentiality and
integrity. This is a security and integrity requirement aiming to guarantee that data
from one application or system does not become overlaid, corrupted, or otherwise
destroyed, whether intentionally or by accident, by other applications or systems.
This may involve some form of authorization, and/or the ability to fence off one
system’s data from another system’s.
This has to be balanced with the requirement for the expansion of SANs to
enterprise-wide environments, with a particular emphasis on multi-platform