Multi-Tenancy question


Jeff

Jul 26, 2013, 10:20:49 AM
to isilon-u...@googlegroups.com
How many of you are doing "Secure multi-tenancy"?  

I'd like to hear about what storage equipment you are using, as well as its configuration and what factors led you to your decision to go with your current setup.  We have an upcoming project that will need Secure multi-tenancy and I'm sorting my way through vendor propaganda and various forums.  But I want to hear from the "real world" too.

Thanks in advance folks, have a great weekend!

Luc Simard

Jul 26, 2013, 2:30:28 PM
to isilon-u...@googlegroups.com, isilon-u...@googlegroups.com
Can you expand on your expectation of the terminology "Secured" and "Multi-Tenancy"?

These terms mean different things to different people, like "cloud based storage" is another one that also comes to mind.

Are you looking for physical segregation or logical (directory based)? What are the expectations on user authentication?

Luc Simard - 415-793-0989

Jason Davis

Jul 26, 2013, 3:10:14 PM
to isilon-u...@googlegroups.com

Are you thinking of something like the vFiler functionality on NetApp's 7 mode Data ONTAP stuff?

If so, from what I have seen the Isilon doesn't do deep isolation like this. OneFS allows for segregation of data based on authentication zones but the underlying namespace is still the same one space.

Rob Peglar

Jul 27, 2013, 8:19:41 AM
to isilon-u...@googlegroups.com

Jason said:

OneFS allows for segregation of data based on authentication zones but the underlying namespace is still the same one space.

Be careful here.  The way auth zones work, from the users’ POV, the namespace is distinct from all others (i.e. any other zone, including the system zone).  In other words, even if the user knows the names of other shares (other == not in the same auth zone) they cannot see them.  They cannot interrogate them, map them, anything.  Everything outside the zone is invisible.

So each zone indeed does have its own namespace, separate from all other zones including the system zone.  Underneath, it’s one filesystem, so our data may end up sharing disks (although with SmartPools there are methods to segregate that as well) but the namespaces are unique.  I can have H:\foo.txt, you can have H:\foo.txt; they are two completely different entities.

Having said that, it is possible to map a given share into > 1 auth zone, thus conflating namespaces and allowing for overlapping shares, but that is an administrative decision.  Most implementations I’ve seen have complete isolation.

Rob

Jason Davis

Jul 28, 2013, 2:19:51 PM
to isilon-u...@googlegroups.com
Yup, for sure, although when I think of the vFiler paradigm on a NetApp, I envision something more along the lines of a BSD Jail or Solaris Zone, a more complete form of isolation.

Not to say that you can't do multi-tenancy on the Isilon, just pointing out that it's different than what you would see on a NetApp.

Keith Nargi

Jul 28, 2013, 3:32:54 PM
to isilon-u...@googlegroups.com, isilon-u...@googlegroups.com
Also, as a point of clarification, Isilon doesn't say that access zones are multi-tenant.  Access zones provide multi-domain authentication for SMB clients and domains.  That feature does provide a layer of separation between zones but they are still managed via the same management console.  There are subtle differences between what Isilon does and what NetApp and other vendors do but in the end Isilon is still providing multiple namespaces for client access that can be separated logically.

Jeff

Jul 29, 2013, 3:29:46 PM
to isilon-u...@googlegroups.com
To expand on this question, we have a couple of projects in mind that potentially could have FERPA/HIPAA type data storage; consequently, that data needs to be stored to those standards at the very minimum.  I suspect that physical segregation would only come into play if we start dealing with other types of data, e.g. NSF and DOD, which isn't out of the realm of possibilities.