An IBM Storage Ceph cluster's daemons typically run on nodes that are subnet-isolated and behind a firewall, which makes it relatively simple to secure a cluster. By contrast, IBM Storage Ceph clients such as Ceph Block Device (rbd), Ceph Filesystem (cephfs), and Ceph Object Gateway (rgw) access the IBM storage cluster, but expose their services to other cloud computing platforms.
Figure 1 illustrates the security-optimized architecture for the different IBM Storage Ceph cluster daemon and client types.
Figure 1. Security-optimized architecture