How does the Cloud Data Management Interface (CDMI™) International Standard work? Is it possible be to both S3 and CMDI compliant? What security measures are in place with CDMI? How, and where, is CDMI being deployed? These are just some of the topics we covered at our recent SNIA Cloud Storage Technologies (CSTI) webcast, “Cloud Data Management & Interoperability: Why A CDMI Standard Matters.”
CDMI is intended for application developers who are implementing cloud storage systems, and who are developing applications to manage and consume cloud storage.
Q. Can you compare CDMI to S3? Is it possible to be both CDMI and S3 compliant? Is it too complicated?
A. Yes, this is possible, and is relatively straightforward. Both protocols are HTTP-based, and while S3 is primarily a data access protocol, CDMI provides both management functionality and standardized access to object data. Many companies that implement CDMI allow management of data namespaces that are accessible via multiple protocols, including NFS, CIFS, and S3. CDMI has several capabilities that ease integration with S3:
- CDMI is designed so that any S3 URL can be used as a CDMI URL by specifying an Accept header with a CDMI content type.
- CDMI allows S3 header-style metadata to be accessed, queried, and managed through CDMI.
- CDMI supports S3 signed header authentication.
CDMI is also commonly used as a serialization representation for objects, files and LUNS, which eases transport between different storage systems and clouds.
Q: With the new CDMI Object Encryption feature is it possible to use it with the OASIS Key Management Interoperability Protocol (KMIP)?
A: CDMI does not directly use KMIP, but some organization have successfully used CDMI and KMIP together. At a basic level, KMIP can be used for the key management by a client and this client can then use the key material in its interactions with CDMI. Also noteworthy, both CDMI and KMIP use RESTful interfaces and have dependencies on the Transport Layer Security (TLS) protocol to support communications securities.
Q: Do any existing security standards provide guidance on the use of CDMI?
A: ISO/IEC 27040 (Information security – Security techniques – Storage security) does provide security guidance on cloud storage, and CDMI specifically. An important aspect of the CDMI security guidance is to use the capability queries to determine what security capabilities have been implemented and then to make a risk-based decision on whether the implementation offers adequate security protections.
Q. When users interact with each other, in real-time, how can we guarantee the information request comes from the safe end? Would you like to explain it in details, please?
A. If this question is about user authentication, then the use of TLS can provide some measure of protection; however, user authentication in CDMI will provide the best protection in this situation. See the next question for more details on TLS.
Q: HTTP is not a stateful protocol, but TLS is. Does this create problems?
A: When TLS is used with CDMI, it is important for the client to consistently use the same connection, especially when any load balancing is being employed with the CDMI servers. Unless pre-shared keys (PSK) are being used, switching between servers causes TLS to tear down the connection and to start a new session that imposes needless loads on the servers. TLS startups can involve significant calculations as part of the negotiations to establish a session key.