Qumulo Bolsters Data Security with NFSv4.1 Enhancements Including Kerberos-based Authentication and Improved File Locking

Data is growing at unprecedented rates. In 2018, IDC predicted that the amount of new data captured, created, and replicated in a given year would grow from 33 zettabytes in 2018 to 175 zettabytes by 2025. Their latest prediction expects that amount to more than double from now to 2026.

This avalanche of data creates not only opportunity, but also threats. In fact, cyber threats are noticeably more frequent today, with 93% of organizations suffering from data-related business disruption from attacks in the last 12 months. You can bet that data security will be top of mind for your organization, as it grows more reliant on the data it creates and stores. 

Qumulo is committed to keeping you ahead of impending threats. With the latest release of Qumulo Core, we addressed two critical aspects of data security at massive scale: (1) knowing exactly who is accessing your data storage system and (2) controlling what data certain users are allowed to access and modify.

Secure File Access for Anyone from Anywhere

As the complexity of data environments grows, applications, devices, and users need to access file data in different ways, while maintaining the highest level of security. Qumulo customers have benefited from strong authentication and access control via SMB. NFSv3 provides access to a common pool of data across a protocol commonly used by Linux operating systems, but lacks the strong authentication mechanism of SMB. Since expanding our multi-protocol support to include NFSv4.1 in 2021, we’ve built our protocol stack from the ground up focusing on simplicity, efficiency, and security. 

The latest versions of Qumulo Core enhance data security for NFSv4.1 workloads with authentication support via Kerberos, improved file locking control, and more intuitive ACL-based data permission management for multi-protocol environments. Now, any user can benefit from superior file data access through multiple protocols, while maintaining the highest standard of security and control. 

Authentication Via Kerberos

Qumulo now offers strong, Kerberos-based authentication for NFSv4 clients, which has significant security advantages over NFSv3. In NFSv3, anyone with root access to their client machine can impersonate any user they wish. Kerberos solves this problem using a key-and-ticket system to securely authenticate users from Microsoft Active Directory, effectively eliminating the problem of savvy users who could spoof another user’s identity to access data over NFSv3.

ACL Enhancements

The latest version of Qumulo Core also includes a more streamlined ACL editor, providing more user-friendly information to identify users and groups. This enhancement lets you see and use AD/LDAP user and group names, rather than going through a complicated, error-prone process of tracking and using UID and GID strings when managing file owner/trustee/access settings. Qumulo’s NFSv4.1 ACLs interoperate cleanly in a cross-protocol environment. The ACLs that users manipulate over NFSv4.1 can be configured, using either the standard Linux nfs4-acl-tools utility from any NFSv4 client or the Qumulo CLI directly, to match the Windows NTFS ACLs on the SMB side, and vice versa.

The table below shows one example of how permissions can be configured to match across both NFSv4 and SMB, using the same AD group (Everyone) to grant matching access (Read/Execute) to the same file (myfile.ext) on the Qumulo cluster.

 

| Permissions | NFSv4.1 Command | Qumulo CLI Command | NTFS (SMB) ACL Command |
| --- | --- | --- | --- |
| Add Read and Execute permissions to the file myfile.ext | nfs4_setfacl -a "A::EVERYONE@:rtRx" myfile.ext | qq fs_modify_acl --path /myfile.ext add_entry -y Allowed -t "EVERYONE" -r Execute/Traverse, Read | icacls \myfile.ext /grant EVERYONE:RX |
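To check that an NFSv4 ACL really grants no more than the Read/Execute access shown in the table, the following added example (not Qumulo code and not part of the original post) expands NFSv4 ACE permission strings and flags broad principals that receive anything beyond read/execute. The alias expansions follow nfs4_setfacl(1); the `READ_EXECUTE` set, the function names and the sample ACL lines are assumptions made for this illustration.

```python
# Added example: expand NFSv4 ACE permission letters and flag broad grants.
# Alias expansions as documented in nfs4_setfacl(1).
ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}

# Assumption for this example: letters that only allow reading or executing
# (read-data, execute, read-attrs, read-named-attrs, read-ACL, synchronize).
READ_EXECUTE = set("rxtncy")


def parse_ace(line):
    """Split 'type:flags:principal:permissions' and expand aliases."""
    parts = line.strip().split(":")
    if len(parts) != 4 or parts[0] not in ("A", "D", "U", "L"):
        raise ValueError(f"not an NFSv4 ACE: {line!r}")
    ace_type, flags, principal, perms = parts
    expanded = set()
    for ch in perms:
        expanded.update(ALIASES.get(ch, ch))
    return {"type": ace_type, "flags": flags,
            "principal": principal, "perms": expanded}


def audit(acl_lines, broad=("EVERYONE@",)):
    """Return (principal, extra_perms) for every Allow ACE that gives a
    broad principal any permission beyond read/execute."""
    findings = []
    for line in acl_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and the '# file:' header of nfs4_getfacl
        ace = parse_ace(line)
        extra = ace["perms"] - READ_EXECUTE
        if ace["type"] == "A" and ace["principal"] in broad and extra:
            findings.append((ace["principal"], "".join(sorted(extra))))
    return findings


# Constructed sample in nfs4_getfacl style; the EVERYONE@ ACE is the one
# from the table above.
SAMPLE = [
    "# file: myfile.ext",
    "A::OWNER@:rwatTnNcCy",
    "A::EVERYONE@:rtRx",
    "A:g:GROUP@:rxtncy",
]
# Constructed counter-example: EVERYONE@ is also given write-class rights.
LOOSE = ["A::EVERYONE@:RWX"]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit(LOOSE))
```
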

 

Combining fine-grained ACL control with Kerberos-based authentication lets you guarantee only authorized users can access certain data sets and limit users to specific directories on the file system. This is especially critical for organizations with highly sensitive data looking to:

1: Consolidate data into large, shared pools, while maintaining granular control for various user access levels.

2: Maintain a standard level of security and data awareness for regulatory compliance.

3: Enable more secure data access for a large Linux/POSIX user base over NFSv4.1.

Lock Handling Support

The latest release also includes improved lock handling for file access. When files are accessed by a client, they are placed in a locked state to ensure other clients aren’t able to write data to the file, preventing potential corruption or version conflict issues. NFSv3 had known problems with orphaned sessions leaving files locked, and administrators had to run a process to release locks from time to time. NFSv4.1 provides superior lock control and timeouts to release locked files after some interval of inactivity.

Additionally, our NFSv4.1 protocol was built from the ground up in Rust, allowing us to provide the highest level of integration and interoperability with our existing protocols. This ensures that the best performance possible remains consistent with each node added as you scale. It also enables us to deliver constant, incremental improvements to your file system more frequently, to ensure that any user, device, or application in the organization can always take full advantage of your data while keeping it safe and secure.
