{"id":1370,"date":"2009-11-24T04:25:52","date_gmt":"2009-11-23T18:25:52","guid":{"rendered":"http:\/\/nsrd.wordpress.com\/?p=1370"},"modified":"2018-12-12T15:17:16","modified_gmt":"2018-12-12T05:17:16","slug":"storage-tiering-vs-ilm","status":"publish","type":"post","link":"https:\/\/nsrd.info\/blog\/2009\/11\/24\/storage-tiering-vs-ilm\/","title":{"rendered":"Storage Tiering vs ILM"},"content":{"rendered":"

Over at StorageNerve<\/a>, and on Twitter, Devang Panchigar has been asking Is Storage Tiering ILM or a subset of ILM, but where is ILM?<\/em><\/a> I think it’s an important question with some interesting answers.<\/p>\n

Devang starts with defining ILM from a storage perspective:<\/p>\n

1) A user or an application creates data and possibly over time that data is modified.
\n2) The data needs to be stored and possibly be protected through RAID, snaps, clones, replication and backups.
\n3) The data now needs to be archived as it gets old, and retention policies & laws kick in.
\n4) The data needs to be search-able and retrievable NOW.
\n5) Finally the data needs to be deleted.<\/p><\/blockquote>\n

I agree with items 1, 3, 4 and 5 \u2013 as per previous posts, for what it’s worth, I believe that 2 belongs to a sister activity which I define as Information Lifecycle Protection (ILP)<\/a> \u2013 something that Devang acknowledges as an alternative theory. (I liken the logic to separation between ILM and ILP to that between operational production servers and support production servers<\/a>.)<\/p>\n

The above list, for what it’s worth, is actually a fairly astute\/accurate summary of the involvement of the storage industry thus far in ILM. Devang rightly points out that Storage Tiering (migrating data between different speed\/capacity\/cost storage based on usage, etc.), doesn’t address all of the above points \u2013 in particular, data creation and data deletion. That’s certainly true.<\/p>\n

What’s missing from ILM from a storage perspective are the components that storage can only peripherally control. Perhaps that’s not entirely accurate \u2013 the storage industry can certainly participate in the remaining components (indeed, particularly in NAS systems it’s absolutely necessary, as a prime example) \u2013 but it’s more than just the storage industry. It’s operating system vendors. It’s application vendors. It’s database vendors. It is, quite frankly, the whole kit and caboodle.<\/p>\n

What’s missing in the storage-centric approach to ILM is identity management<\/em><\/a> \u2013 or to be more accurate in this context, identity management systems<\/a>. The brief outline of identity management is that it’s about moving access control and content control out<\/em> of the hands of the system, application and database administrators, and into the hands of human resources\/corporate management. So a system administrator could have total systems access over an entire host and all its data but<\/em> not be able to open files that (from a corporate management perspective) they have no right to access. A database administrator can fully control the corporate database, but can’t access commercially sensitive or staff salary details, etc.<\/p>\n

Most typically though, it’s about corporate roles, as defined in human resources, being reflected from the ground up<\/em> in system access options. That is, human resources, when they setup a new employee as having a particular role within the organisation (e.g., “personal assistant”), triggering the appropriate workflows to setup that person’s accounts and access privileges for IT systems as well.<\/p>\n

If you think that’s insane, you probably don’t appreciate the purpose of it. System\/app\/database administrators I talk to about identity management frequently raise trust (or the perceived lack thereof) involved in such systems. I.e., they think that if the company they work for wants to implement identity management they don’t trust<\/em> the people who are tasked with protecting the systems. I won’t lie, I think in a very small number of instances, this may be the case. Maybe 1%, maybe as high as 2%. But let’s look at the bigger picture here \u2013 we, as system\/application\/database administrators currently have access to such data not because we should<\/em> have access to such data but because until recently there’s been very few options in place to limit data access to only those who, from a corporate governance perspective, should<\/em> have access to that data. As such, most system\/app\/database administrators are highly ethical \u2013 they know that being able to access data doesn’t equate to actually accessing that data. (Case in point: as the engineering manager and sysadmin at my last job, if I’d been less ethical, I would have seen the writing on the wall long before the company fell down under financial stresses around my ears!)<\/p>\n

Trust doesn’t wash in legal proceedings. Trust doesn’t wash in financial auditing. Particularly in situations where accurate logs aren’t maintained in an appropriately secured manner to prove that person A didn’t access data X. The fact that the system was designed to permit A to access X (even as part of A’s job) is in some financial, legal and data sensitivity areas, significant cause for concern.<\/p>\n

Returning to the primary point though, it’s about ensuring that the people who have authority over someone’s role within a company (human resources\/management) having control over the the processes that configure the access permissions that person has. It’s also about making sure that those work flows are properly configured and automated so there’s no room for error.<\/p>\n

So what’s missing \u2013 or what’s only at the barest starting point, is the integration of identity\/access control with ILM (including storage tiering) and ILP. This, as you can imagine, is not an easy task. Hell, it’s not even a hard task \u2013 it’s a monumentally difficult<\/em> task. It involves a level of cooperation and coordination between different technical tiers (storage, backup, operating systems, applications) that we rarely, if ever see beyond the basic “must all work together or else it will just spend all the time crashing” perspective.<\/p>\n

That’s the bit<\/em> that gives the extra components \u2013 control over content creation and destruction. The storage industry on its own does not have the correct levels of exposure to an organisation in order to provide this functionality of ILM. Nor do the operating system vendors. Nor do the database vendors or the application vendors \u2013 they all have to work together to provide a total solution on this front.<\/p>\n

I think this answers (indirectly) Devang’s question\/comment on why storage vendors, and indeed, most of the storage industry, has stopped talking about ILM \u2013 the easy parts are well established, but the hard parts are only in their infancy. We are after all seeing some very early processes around integrating identity management and ILM\/ILP. For instance, key management on backups, if handled correctly, can allow for situations where backup administrators can’t by themselves perform the recovery of sensitive systems or data \u2013 it requires corporate permissions (e.g., the input of a data access key by someone in HR, etc.) Various operating systems and databases\/applications are now providing hooks for identity management (to name just one, here’s Oracle’s details on it<\/a>.)<\/p>\n

So no, I think we can confidently say that storage tiering in and of itself is not the answer to ILM. As to why the storage industry has for the most part stopped talking about ILM, we’re left with one of two choices \u2013 it’s hard enough that they don’t want<\/em> to progress it further, or it’s sufficiently commercially sensitive that it’s not something discussed without the strongest of NDAs.<\/p>\n

We’ve seen in the past that the storage industry can cooperate on shared formats and standards. We wouldn’t be in the era of pervasive storage we currently are without that cooperation. Fibre-channel, SCSI, iSCSI, FCoE, NDMP, etc., are proof positive that cooperation is possible. What’s different this time is the cooperation extends over a much larger realm to also encompass operating systems, applications, databases, etc., as well as<\/em> all the storage components in ILM and ILP. (It makes backups<\/em> seem to have a small footprint, and backups are amongst the most pervasive of technologies you can deploy within an enterprise environment.)<\/p>\n

So we can hope<\/em> that the reason we’re not hearing a lot of talk about ILM any more is that all the interested parties are either working on this level of integration, or even making the appropriate preparations themselves in order to start working together on this level of integration.<\/p>\n

Fingers crossed people, but don’t hold your breath \u2013 no matter how closely they’re talking, it’s a long way off.<\/p>\n","protected":false},"excerpt":{"rendered":"

Over at StorageNerve, and on Twitter, Devang Panchigar has been asking Is Storage Tiering ILM or a subset of ILM,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[3,12,13,21],"tags":[91,435,452,454,455,477,571,943,1030],"class_list":["post-1370","post","type-post","status-publish","format-standard","hentry","category-architecture","category-general-technology","category-general-thoughts","category-security","tag-access-management","tag-hierarchical-storage-management","tag-identity-management","tag-ilm","tag-ilp","tag-information-systems-management","tag-management","tag-storage-tiering","tag-trust"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pKpIN-m6","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/1370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/comments?post=1370"}],"version-history":[{"count":1,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/1370\/revisions"}],"predecessor-version":[{"id":7588,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/1370\/revisions\/7588"}],"wp:attachment":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/media?parent=1370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/categories?post=1370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/tags?post=1370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}