Cloud storage sounds great until performance, availability, and security concerns arise. As Ranajit Nevatia of Panzura explains, cloud storage controllers offer an elegant prescription.

Cloud storage has the allure of being easy and cheap, at least in terms of zero capital investment. Yet more than a few companies are reluctant to consider using cloud storage in any capacity due to such bread-and-butter concerns as performance, availability, and security.

In this week’s New Tech Forum, Ranajit Nevatia, vice president of marketing at Panzura, tackles each of these concerns head-on. His discussion focuses on the use of cloud storage controllers, detailing how they work at a low level and how they address issues related to cloud storage at the enterprise level. — Paul Venezia

Surmounting barriers to cloud storage adoption

With a pay-as-you-grow economic model and unlimited scalability, cloud storage seems the ideal solution to the problem of heavy, ongoing investments in on-site data storage, particularly for multisite enterprises. These companies have either centralized file storage that must be accessed by remote offices over a WAN (with attendant latency issues and workflow disruptions), or they distribute storage among offices and must deal with file synchronization issues.

Cloud storage promises a way out of these problems, but many companies remain reluctant to move storage to the cloud. Let’s take a look at how cloud storage controllers overcome common objections to storing data in the cloud.

The cloud storage disconnect

One problem with moving to the cloud is that enterprises store “files” and clouds store “objects” — the latter being a new data construct required as part of the scalable cloud architecture.

Somehow, there must be a translation from file to object in order for enterprises to access cloud storage.
Alternatively, customers can rewrite many of their applications to take advantage of cloud storage, but they’re unwilling to do so because of the high cost. Cloud providers offer basic on-ramps to their clouds — software that performs raw conversion from files to objects — and these might serve the needs of small businesses, but they are not adequate for most use cases in a large corporation.

Other barriers to enterprise cloud storage adoption include availability, performance, and security. Companies are concerned that their users won’t be able to access files in the cloud with the same speed as on-premises storage can deliver. Of course, there’s always the worry that a network or cloud provider could experience outages, denying them access to data at a critical time. Companies are also reluctant to store proprietary data in a public cloud for fear of a hack or breach.

Cloud storage controllers provide a new way of addressing these issues. The controller automatically translates files to objects, eliminating the need to rewrite applications for the cloud. A cloud storage controller is deployed in each branch office and main office, and it implements a global file system that leverages Internet connectivity between sites to present a unified view of the file system to all clients, regardless of the local cloud storage controller to which they are connected. And a cloud storage controller provides unbreakable security. Let’s look at how cloud storage controllers solve the issues of availability and security.

Availability: The cloud file system

The key feature of a cloud controller is its file system. A main principle behind the cloud controller’s file system is the physical and logical separation between payload data and metadata. In a traditional file system, a snapshot contains both payload data and metadata, and it’s managed as a single, large chunk of information.
With a cloud controller file system, metadata can be easily extracted from a snapshot and transported separately from the payload data while maintaining file system consistency.

When clients interact with a file system, the bulk of their actions are actually metadata operations that do not require access to the payload data. Navigating through directory structures, opening folders, looking through file lists, and sorting/searching for files based on attributes such as file name, file size, file type, date created, and date modified are all metadata operations. The user experience is greatly impacted by how quickly metadata operations occur, so most file systems cache metadata in RAM to speed response times. Thus, a core design principle in a cloud controller file system is to preserve the response time for metadata operations in a global deployment.

Since the cloud controller presents the same file system view through all controllers, the metadata at each controller must be kept in sync. The file system accomplishes this by taking frequent snapshots of the file system, extracting the metadata changes from the snapshot, and rapidly distributing those changes to all controllers that are members of the file system. Each cloud storage controller receives metadata updates from all other controllers and applies them to its own metadata. In this manner, the file system always appears the same regardless of which controller presents it.

When clients browse through the cloud controller file system, their user experience is identical to browsing a local file system because they are, in fact, browsing a local copy of the file system metadata. Thus, even if the actual file data exists on a controller in a different site or in the cloud, it is always possible to navigate the file system quickly.

Lock management

Lock management is another crucial component in a global file system.
Because multiple clients share access to a common file repository, there must be a mechanism that locks a file against simultaneous edits from multiple users. Once a user opens a file, the file is locked for editing to all others until the original user closes the file. An effective cloud storage controller includes a lock management system in which lock information is exchanged in real time among all controllers so that no two users ever contend for file editing privileges.

As for availability of files in the event of a cloud outage, cloud controllers can be set to automatically synchronize copies of files stored at two or more locations in the cloud, such as different Amazon sites. If one copy of the data becomes unavailable, the other copy is still on hand.

Security

Cloud controllers resolve the security issue by employing military-grade file encryption to all files stored in the cloud. The encryption keys are maintained at the customer’s own site to ensure complete security.

In cloud deployments, information will be transferred across the Internet. While in some cases virtual private networks may connect sites, or even the cloud, the cloud storage controller provides the utmost in protection for data in flight as well as at rest. For example, all Panzura Quicksilver Cloud Storage Controllers ship from the factory with an RSA 2048-bit certificate. Customers may use this certificate if desired, but it is typically replaced by a customer-supplied X.509 certificate (PFX/PKCS#12, PEM, DER formats) of up to 4,096 bits.

When a cloud storage system is established, the system administrator designates the IP addresses of cloud controllers that are allowed to join the file system.
Existing controllers in the file system use HMAC-SHA-256 authentication to establish a secure tunnel to the new controller and share the file system’s X.509 certificate with it, encrypting the certificate in flight using AES-CBC-256.

When data traverses the network, either between controllers or between a controller and a public or private cloud, the controller generates a random number that is changed every 32MB of data to ensure key rotation. The user data is AES-CBC-256 encrypted using the random number, and the random number itself is then AES-CBC-256 encrypted using the X.509 certificate’s public key and embedded in the header affixed to the chunk of data being transported/stored. The data is now safely encrypted, with the encryption used between chunks of data varying every 32MB, thwarting even brute-force decryption attempts. Only a holder of the valid X.509 private key may decrypt the data. When a File Services Controller accesses encrypted chunks of information, the chunk header is examined, then the private key is used to decrypt the random number contained within the header, and finally the decrypted random number is used to decrypt the actual data.

Cloud storage controllers implement a robust global file system that delivers rapid access to files by separating metadata from payload data. In addition, cloud controller file systems implement global file lock management and can provide access to multiple copies of a file to protect against data center outages. Finally, cloud storage controllers implement military-grade encryption to eliminate fears about storing sensitive corporate information in a public cloud. Cloud storage controllers thereby overcome common barriers to cloud storage adoption.

New Tech Forum provides a means to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers.
InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all enquiries to newtechforum@infoworld.com.

This article, “Cloud storage controllers soothe cloud anxiety,” was originally published at InfoWorld.com.
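
The per-chunk encryption described in the Security section, sketched as an added example (not Panzura's code or wire format): every chunk is encrypted with AES-256-CBC under a fresh random key, and that key is wrapped with the certificate's RSA public key and carried in the chunk header. The header layout, the use of RSA-OAEP for the wrapping step, the HMAC-SHA-256 tag (added because CBC by itself does not detect altered ciphertext) and the names sealChunk, openChunk and sealStream are assumptions of this example.

```javascript
// Added example, not vendor code. The chunk layout is constructed for illustration:
// [2-byte header length][RSA-OAEP(AES key | HMAC key)][16-byte IV][ciphertext][32-byte tag]
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();

// Seal one chunk under fresh random keys and wrap them with the certificate's public key.
function sealChunk(publicKey, plaintext) {
  const keys = crypto.randomBytes(64); // 32-byte AES-256 key, then 32-byte HMAC key
  const iv = crypto.randomBytes(16);
  const wrapped = crypto.publicEncrypt({ key: publicKey, ...OAEP }, keys);
  const len = Buffer.alloc(2);
  len.writeUInt16BE(wrapped.length);
  const enc = crypto.createCipheriv('aes-256-cbc', keys.subarray(0, 32), iv);
  const body = Buffer.concat([len, wrapped, iv, enc.update(plaintext), enc.final()]);
  return Buffer.concat([body, hmac(keys.subarray(32), body)]); // encrypt-then-MAC
}

// Examine the header, unwrap the keys with the private key, verify the tag, then decrypt.
function openChunk(privateKey, sealed) {
  const n = sealed.length >= 2 ? sealed.readUInt16BE(0) : 0;
  if (n === 0 || sealed.length < 2 + n + 16 + 16 + 32) throw new Error('malformed chunk');
  const body = sealed.subarray(0, sealed.length - 32);
  const keys = crypto.privateDecrypt({ key: privateKey, ...OAEP }, sealed.subarray(2, 2 + n));
  if (keys.length !== 64) throw new Error('malformed chunk');
  if (!crypto.timingSafeEqual(hmac(keys.subarray(32), body), sealed.subarray(-32))) {
    throw new Error('chunk failed integrity check');
  }
  const iv = body.subarray(2 + n, 18 + n);
  const dec = crypto.createDecipheriv('aes-256-cbc', keys.subarray(0, 32), iv);
  return Buffer.concat([dec.update(body.subarray(18 + n)), dec.final()]);
}

// Split data so that every chunk (32 MB in the article) is sealed under its own key.
function sealStream(publicKey, data, chunkSize = 32 * 1024 * 1024) {
  const sealed = [];
  for (let off = 0; off < data.length; off += chunkSize) {
    sealed.push(sealChunk(publicKey, data.subarray(off, off + chunkSize)));
  }
  return sealed;
}
```

The tag only shows that a sealed chunk was not edited afterwards; anyone holding the public key can seal a new chunk, so it does not identify the writer.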