Introduction

The next feather in the security cap of IBM Spectrum Scale is "immutability". Think of the “SnapLock® method” and you have the "immutability" feature in Spectrum Scale. Tamper proof data is guaranteed by the immutability feature, which falls in the storage system touch point “Storing of Data”.

Spectrum Scale immutability is based on immutable filesets. Immutable filesets allow managing immutable files similar to the SnapLock® method invented by NetApp Inc. Furthermore immutable filesets can also be exported via the Network File System protocol (NFS) and Server Message Block protocol (SMB). This makes it easy for applications supporting the SnapLock® semantic via NFS and SMB to adopt Spectrum Scale as an immutable file storage on different platforms.

The SnapLock® method allow to set files to immutable or append-only for a configurable retention time using standard file system commands. During the retention time immutable files cannot be deleted or modified. When the retention time has expired immutable files can be deleted, however modifications are not allowed at any time whatsoever.

With the SnapLock®-like immutability function, Spectrum Scale can be used for archiving use cases where regulatory requirement demand to prevent modification and deletion of files. To underline the compliance aspect, IBM plans to assess this function in accordance to US, German and Swiss laws and regulations and has engaged an independent and worldwide recognized auditor.

In this blog we highlight the benefits of the Spectrum Scale immutability function and explain the concept of immutable filesets. We further provide implementation guidance based on our work with an independent auditor.

Spectrum Scale is made for archiving

Archiving is characterized by medium to large volumes of data that have to be kept for long period of time. During this time, access to the files should always be possible, even if an unwanted situation like a disaster has occurred. Certain types of data – such as trade and tax records – have to be kept in an immutable manner according to laws and regulations. Because of the long archiving lifetimes it is important to manage cost for operations, power and cooling.

Spectrum Scale provides a comprehensive set of functions that are made for archiving, such as:

• High availability of file systems services and files across sites through synchronous replication and reliable quorum techniques. This allows continuous operations even in the case of a site outage.


• Disaster protection and recovery assures that in the event of a disaster files can be recovered from a remote site, either leveraging backup techniques or asynchronous replication. This facilitates instant failover and recovery.


• Tiered storage allows to transparently place files on the most appropriate storage medium during the lifecycle. Spectrum Scale supports many types of storage media including flash, disk and tape. This enables optimization of storage cost, for example by moving files that are no longer accessed but have to be retained for many years to tape. Tape provides 5-10 times lower total cost of ownership than disk [6].


• Immutability and encryption for all or subsets of files allows to prevent tampering of data and provides confidentiality. It helps to comply with legal requirements and business standard.

In the next section we explain the concept of immutable filesets and how to manage file immutability, accompanied by guidance helping to meet regulatory requirements.

Immutable filesets

A Spectrum Scale fileset is a partition in a file system that is seen as a directory from a user perspective. Certain function can be configured on a fileset level, such as immutability.

Spectrum Scale supports one of the following immutability modes for an immutable fileset:

• None: No immutability mode is set (default), the fileset is a regular fileset


• Advisory: Allows setting retention times and immutability, but files can be deleted with the proper file permission.


• Noncompliant: Advisory mode plus files cannot be deleted if retention time has not expired. However retention times can be reset and files can be deleted but not changed.


• Compliant: Noncompliant mode plus retention time cannot be reset. When retention time has expired files can be deleted but not changed.

The immutability mode on a given fileset can be upgraded from “advisory” to “noncompliant” to “compliant”, but not downgraded.

The following example demonstrates how to configure an immutable fileset in a Spectrum Scale file system. The first step is to create a fileset in the filesystem:

# mmcrfileset filesystem-name fileset-name --inode-space new

The fileset must be linked to a directory in the file system, using the following command:

# mmlinkfileset filesystem-name fileset-name -J

Now the immutability mode can be set, in this example we set the mode to “compliant”:

# mmchfileset filesystem fileset --iam-mode compliant

To list the IAM mode of a fileset use the following command:

# mmlsfileset filesystem fileset --iam-mode

Files stored in an immutable fileset can be set to immutable using a SnapLock®-like method. Setting files to immutable according to the SnapLock® method involves two steps:

• Setting the retention time of the file


• Setting the file to immutable

These two steps have to done for every file stored in an immutable fileset in order to make the file immutable. If a file is not processed this way it remains a normal file that can be modified and deleted.

File immutability can be managed with standard POSIX commands available in UNIX systems, with specific Spectrum Scale commands or via SMB using Microsoft Windows PowerShell®. We have demonstrated this in two other blogs:

• Managing immutability with Spectrum Scale commands [1]


• Managing immutability via NFS and SMB exports [2]

For more details, please consult the whitepaper: “Spectrum Scale Immutability – Introduction and Use Cases” [3].

Implementation consideration

In this section we give implementation guidance for Spectrum Scale immutable filesets to better meet regulatory requirements. This guidance is based on our work with the independent auditor who assesses the Spectrum Scale immutability function in accordance to the following laws and regulations:

• US: SEC17a-4f


• Germany: GoBD according to software assessment standard PS880


• Switzerland: Gebuehrenverordnung

The final assessment report is expected in the 3rd quarter of 2016. The following Spectrum Scale functions have been assessed in combination with the immutability function:

• Managing file immutability using Spectrum Scale commands


• Managing file immutability via NFS exports and SMB shares


• Spectrum Scale replication using synchronous mirroring


• Backup and restore of files using mmbackup


• Tiered storage with Spectrum Protect for Space Management

Consider the following configuration options when implementing immutable filesets

It is recommended to use fileset immutability mode “compliant” because this only mode does not allow to delete or modify immutable files during the retention time. It does also prevent setting the retention time backward to an earlier data. Non-empty immutable filesets configured in “compliant” IAM mode cannot be deleted using the Spectrum Scale “mmdelfileset” command. 

There is a new Spectrum Scale cluster wide parameter which controls the deletion of file systems:

indefiniteRetentionProtection=yes|no

The command “mmchconfig” can be used to set this parameter. The default value is “no” and allows the deletion of file systems. The value of “yes” does not allow the deletion of any file systems, regardless if the file system includes immutable filesets or not. Once the parameter is set to yes, it cannot be reset to no. It is recommended to set this parameter to yes. 

The time source required for Network Time Protocol services (NTP) should be protected. Manipulations of time services and system time within the Spectrum Scale cluster must be prohibited.

Direct root user access for administration of the Spectrum Scale cluster should be eliminated using the sudo-wrapper approach that was introduced with Spectrum Scale version 4.2 [4]. In addition the commands available for the sudo-user should be limited to the needs of the associated user and group.

It might be required to configure groups with different roles such as:

• Cluster administrator: can perform Spectrum Scale commands


• Security Administrator: can manage users, groups and sudo-permissions

The Spectrum Scale backup function “mmbackup” can be used to create a copy of immutable and append-only files in the Spectrum Protect server. Upon restore the immutability and append-only attributes are set to no, however the last access date reflects the retention time. When restoring immutable or append-only files to an immutable fileset additional steps must be provisioned to make the file immutable or append-only after the restore. 

If it is required to assure and prove the integrity of files in a Spectrum Scale file system it is recommended to leverage end-to-end-checksums with the Spectrum Scale Native RAID function [4]. This function is currently available with the Elastic Storage Server (ESS) deployment.

Summary

The Spectrum Scale immutability function provides added value for archiving use cases where files need to be kept in an immutable manner. It seamlessly integrates with other beneficial Spectrum Scale functions such as backup and tiered storage and leverages the leading availability and disaster protection characteristic of Spectrum Scale.

Because this function can be used in a similar way as SnapLock® it allows an easy integration with archive application supporting the SnapLock® method. To underline the compliance characteristic of the immutability function IBM has engaged an independent auditor to assess this function. The assessment report is planned to be available in 3rd quarter of 2016. Please contact the author if you have questions regarding this assessment.

References

• [1] Blog: Spectrum Scale immutability function
  https://www.ibm.com/developerworks/community/blogs/storageneers/entry/Insight_to_the_IBM_Spectrum_Scale_GPFS_Immutability_function?lang=en


• [2] Blog: Managing immutability via NFS exports and SMB shares
  https://www.ibm.com/developerworks/community/blogs/c8abdf40-97a5-47e6-93be-47abc3ed45b4/entry/Achieving_WORM_like_functionality_from_NFS_SMB_clients_for_data_on_Spectrum_Scale?lang=en


• [3] Whitepaper: Spectrum Scale Immutability – Introduction and Use Cases
  http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP102620


• [4] End-to-End checksums with Spectrum Scale Native RAID
  http://www-01.ibm.com/support/knowledgecenter/SSYSP8_3.5.0/com.ibm.spectrum.scale.raid.v4r11.adm.doc/bl1adv_introe2echecksum.htm?lang=en


• [5] Configuring sudo-wrappers in a Spectrum Scale cluster
  http://www-01.ibm.com/support/knowledgecenter/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_sudowrapper.htm?lang=en


• [6] Clipper Group: Disk and tape total cost of ownership study
  http://www.clipper.com/research/TCG2015006.pdf




Trademarks




The following terms are trademarks or registered trademarks of the IBM Corporation in the United States or other countries or both:  IBM logo, IBM Spectrum Scale.




Linux is a registered trademark of Linus Torwald.




SnapLock® is a registered trade mark of NetApp Inc. in the United States and other countries.




Microsoft® Windows® is a registered trademark of Microsoft Corporation in the United States and other countries.




Microsoft® Windows® PowerShell™ is a registered trademark of Microsoft Corporation in the United States and other countries.




Other company, product, and service names may be trademarks or service marks of others.