Secure host access to storage system resources via storage system interface and internal switching fabric

US11500549B2 · US · B2

Patent metadata
Publication number: US-11500549-B2
Application number: US-201916389587-A
Country: US
Kind code: B2
Filing date: Apr 19, 2019
Priority date: Apr 19, 2019
Publication date: Nov 15, 2022
Grant date: Nov 15, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Secure access to data on a storage system via direct connection to an internal fabric of the storage system may be provided. A storage system interface (SSI) may validate each I/O communication originating on the host system before allowing a corresponding I/O communication to be transmitted on the internal fabric. The validation may include applying predefined rules and/or ensuring that the I/O communication conforms to one or more technologies, e.g., NVMe. The SSI may be configured to encrypt I/O communications originating on a host system and to decrypt I/O communications received from the storage system, for example, in embodiments in which data is encrypted in flight from the host system to physical storage devices, and data may be encrypted at rest in memory of the storage system and/or on physical storage devices.

First claim

Opening claim text (preview).

What is claimed is:

1. A storage network comprising: a data storage system that is a physically discrete component and provides data services for a plurality of host systems, including: a plurality of physical storage devices on which data is stored; one or more directors that process I/O operations for the data stored on the plurality of physical storage devices, each of the one or more directors including one or more processing cores having compute resources for processing I/O operations; and an internal switching fabric, physically contained within the data storage system, for communication between components internal to the data storage system, wherein a first interface of the data storage system is communicatively coupled between the internal switching fabric and the plurality of physical storage devices, wherein the first interface is configured to manage I/O communication exchanges between a host system, which is directly connected to the internal switching fabric, and the plurality of physical storage devices, and wherein the components of the data storage system which communicate over the internal switching fabric include the one or more directors that process I/O operations, a cache and the first interface; the plurality of host systems, including the host system including a first physical part that includes one or more operating systems on which one or more applications are executed, the execution of the applications resulting in first I/O operations for data stored on the data storage system, the first I/O operations including I/O communications associated with the I/O operations; an external network that is external to the data storage system and that interconnects the host system to one or more other components of the storage network; and a storage system interface external to the data storage system physically coupled between the first physical part of the host system and the internal switching fabric of the data storage system, wherein the storage system interface is physically directly connected to the internal switching fabric and exchanges the I/O communications with the data storage system independently of the external network and the one or more directors and communicating directly with the data storage system over the internal switching fabric, wherein the storage system interface includes validation logic that validates each I/O communication received from the first physical part of the host system before allowing a corresponding I/O communication to be transmitted over the internal switching fabric, wherein the storage system interface is included within a second physical part of the host system physically coupled by one or more peripheral device interconnects to the first physical part of the host system and the internal switching fabric of the data storage system, wherein responsive to receiving a first I/O communication on a first of the one or more peripheral device interconnects from a first application executing on the first physical part of the host system, the validation logic performs processing, in accordance with predefined rules controlling access to resources of the data storage system, to verify that the first I/O communication is authorized to be transmitted on the internal switching fabric, and wherein the components of the data storage system which communicate over the internal switching fabric further include a global memory of the data storage system, wherein the global memory includes the cache, and wherein the storage system interface of the host system includes I/O processing logic for controlling read operation processing for a read operation, wherein the read operation processing performed by the I/O processing logic of the storage system interface of the host system includes: the I/O processing logic of the storage system interface of the host system determining whether metadata regarding the requested read data is stored on the host system; and responsive to the I/O processing logic of the storage system interface of the host system determining that the metadata regarding the requested read data is not stored on the host system, the storage system interface of the host system performing further processing including: issuing one or more read requests directly to the global memory of the data storage system, over the internal switching fabric, for the metadata regarding the requested read data; receiving, from the global memory by the storage system interface, the metadata regarding requested read data; and storing the metadata regarding the requested read data on the host system.

2. The storage network of claim 1, wherein the storage system interface is on a network interface card connected to the first part of the host system by a PCIe interconnect.

3. The storage network of claim 1, wherein the storage system interface includes a first NVMe controller that accepts from the host system only I/O communications configured in accordance with NVMe.

4. The storage network of claim 1, wherein the storage network further comprises: the plurality of host systems, including the host system, each of the plurality of host systems including a first physical part that includes one or more operating systems on which one or more applications are executed resulting in I/O operations, the plurality of host systems collectively including a plurality of peripheral device interconnects over which to communicate with the data storage system; and a plurality of storage system interfaces, including the storage system interface, each of the plurality of storage system interfaces physically coupled between a first part of one of the plurality of host systems and the internal switching fabric of the data storage system by one or more of the plurality of peripheral device interconnects, and including validation logic that validates each I/O communication received from the first part of the respective one host system before allowing a corresponding I/O communication to be transmitted on the internal switching fabric, wherein the first parts of the plurality of host systems exchange I/O communications with the data storage system only over the plurality of peripheral device interconnects through the plurality of storage system interfaces.

5. The storage network of claim 1, wherein the storage system interface further includes: code validation logic for validating code running on the storage system interface that processes I/O operations; and one or more security credentials accessible to the code validation logic to validate the code.

6. The storage network of claim 1, wherein the storage system interface further includes encryption logic to encrypt the I/O communications before being sent to the internal switching fabric.

7. The storage network of claim 1, wherein the predefined rules include one or more rules that allow as authorized only a specified subset of I/O operations for one or more specified storage-related entities.

8. The storage network of claim 7, wherein the one or more specified storage-related entities for which the specified subset of I/O operations are authorized include at least one of: a user, an application, and a storage device.

9. The storage system network of claim 1, wherein the read operation processing performed by the I/O processing logic of the storage system interface of the host system further includes: the I/O processing logic of the storage system interface of the host system determining, using the metadata stored on the host system regarding requested read data, whether the requested read data is cached in the cache of the data storage system; and responsive to the I/O processing logic of the storage system interface of the host system determining, using th
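The admission gate that the abstract and claims 1, 3, 7 and 8 describe, modelled in Python as an added example written for this page; it is not EMC's implementation, and the patent itself contains no code. It assumes the NVMe base-specification submission-queue-entry layout (opcode in CDW0 bits 7:0, command identifier in CDW0 bits 31:16, namespace ID in CDW1, starting LBA in CDW10-11, zero-based block count in CDW12 bits 15:0) and the NVM command-set opcodes for Flush, Write, Read, Write Zeroes and Dataset Management. The application names, the rule table, the global-memory contents and the `StorageSystemInterface`, `validate`, `submit`, `read` and `demo` names are all constructed for the illustration.

```python
"""Model of the storage system interface (SSI) gate: each host I/O is decoded as an NVMe
submission-queue entry, checked against predefined per-application rules, and only then
forwarded to the internal fabric. Hypothetical code written for this page, not EMC's."""
import struct
from collections import namedtuple

SQE_SIZE = 64                                   # NVMe SQE: 64 bytes = 16 little-endian dwords
NVM_OPC_FLUSH, NVM_OPC_WRITE, NVM_OPC_READ = 0x00, 0x01, 0x02
NVM_OPC_WRITE_ZEROES, NVM_OPC_DSM = 0x08, 0x09  # DSM = dataset management (deallocate)
KNOWN_OPCODES = {NVM_OPC_FLUSH, NVM_OPC_WRITE, NVM_OPC_READ, NVM_OPC_WRITE_ZEROES, NVM_OPC_DSM}
LBA_OPCODES = {NVM_OPC_READ, NVM_OPC_WRITE, NVM_OPC_WRITE_ZEROES}

IoCommand = namedtuple("IoCommand", "opcode cid nsid slba nlb")      # nlb is 1-based here
AccessRule = namedtuple("AccessRule", "app nsid opcodes lba_limit")  # claims 7-8: allowed subset

def build_sqe(opcode, cid, nsid, slba, nlb):
    """Encode an NVM command: OPC in CDW0[7:0], CID in CDW0[31:16], NSID in CDW1,
    SLBA in CDW10/11, NLB-1 in CDW12[15:0] (the wire field is 0-based)."""
    dw = [0] * 16
    dw[0] = ((cid & 0xFFFF) << 16) | (opcode & 0xFF)
    dw[1] = nsid
    dw[10], dw[11] = slba & 0xFFFFFFFF, (slba >> 32) & 0xFFFFFFFF
    dw[12] = (nlb - 1) & 0xFFFF
    return struct.pack("<16I", *dw)

def parse_sqe(raw):
    """Conformance check (claim 3): refuse anything that is not a well-formed, known NVM command."""
    if len(raw) != SQE_SIZE:
        raise ValueError(f"SQE must be {SQE_SIZE} bytes, got {len(raw)}")
    dw = struct.unpack("<16I", raw)
    opcode = dw[0] & 0xFF
    if opcode not in KNOWN_OPCODES:
        raise ValueError(f"unsupported NVM opcode 0x{opcode:02x}")
    return IoCommand(opcode, dw[0] >> 16, dw[1], dw[10] | (dw[11] << 32), (dw[12] & 0xFFFF) + 1)

class StorageSystemInterface:
    def __init__(self, rules, global_memory):
        self._rules = {(r.app, r.nsid): r for r in rules}  # default deny: no rule, no access
        self._global_memory = global_memory                # stands in for the array's global memory
        self._host_metadata = {}                           # metadata kept on the host side
        self.fabric_fetches = 0                            # metadata reads that crossed the fabric
        self.forwarded = []                                # SQEs admitted onto the internal fabric

    def validate(self, app, raw):
        """Return (authorized, reason); runs before anything is put on the internal fabric."""
        try:
            cmd = parse_sqe(raw)
        except ValueError as exc:
            return False, f"non-conformant: {exc}"
        rule = self._rules.get((app, cmd.nsid))
        if rule is None:
            return False, f"no rule for app={app!r} nsid={cmd.nsid}"
        if cmd.opcode not in rule.opcodes:
            return False, f"opcode 0x{cmd.opcode:02x} not authorized for {app!r}"
        # Python ints do not wrap, so an SLBA near 2**64 cannot push the end below the limit.
        if cmd.opcode in LBA_OPCODES and cmd.slba + cmd.nlb > rule.lba_limit:
            return False, f"LBA range [{cmd.slba}, {cmd.slba + cmd.nlb}) exceeds {rule.lba_limit}"
        return True, "authorized"

    def submit(self, app, raw):
        ok, reason = self.validate(app, raw)
        if ok:
            self.forwarded.append(raw)
        return ok, reason

    def read(self, app, raw):
        """Claim 1 read path: use host-side metadata if present, else fetch it once from
        global memory over the fabric and keep it on the host."""
        ok, reason = self.submit(app, raw)
        if not ok:
            return None, reason
        cmd = parse_sqe(raw)
        key = (cmd.nsid, cmd.slba)
        if key not in self._host_metadata:
            self.fabric_fetches += 1
            self._host_metadata[key] = self._global_memory.get(key, {"in_cache": False})
        return self._host_metadata[key], reason

# Constructed sample policy and global-memory contents (not taken from the patent).
RULES = [
    AccessRule("billing-db", 1, frozenset({NVM_OPC_READ, NVM_OPC_WRITE, NVM_OPC_FLUSH}), 1 << 20),
    AccessRule("report-gen", 1, frozenset({NVM_OPC_READ}), 1 << 20),
]
GLOBAL_MEMORY = {(1, 0): {"in_cache": True, "slot": 7}}

def demo():
    ssi = StorageSystemInterface(RULES, GLOBAL_MEMORY)
    r = {
        "read_ok": ssi.submit("billing-db", build_sqe(NVM_OPC_READ, 1, 1, 0, 8))[0],
        "write_by_readonly_app": ssi.submit("report-gen", build_sqe(NVM_OPC_WRITE, 2, 1, 0, 8))[0],
        "unknown_namespace": ssi.submit("billing-db", build_sqe(NVM_OPC_READ, 4, 2, 0, 8))[0],
        "past_lba_limit": ssi.submit("billing-db", build_sqe(NVM_OPC_READ, 5, 1, (1 << 20) - 4, 8))[0],
        "unknown_opcode": ssi.submit("billing-db", build_sqe(0x7F, 6, 1, 0, 8))[0],
        "short_sqe": ssi.submit("billing-db", b"\x02" * 16)[0],
    }
    meta1, _ = ssi.read("report-gen", build_sqe(NVM_OPC_READ, 7, 1, 0, 8))
    meta2, _ = ssi.read("report-gen", build_sqe(NVM_OPC_READ, 8, 1, 0, 8))
    r["metadata_slot"] = meta1["slot"]
    r["metadata_cached_on_host"] = meta1 is meta2 and ssi.fabric_fetches == 1
    r["forwarded"] = len(ssi.forwarded)
    return r

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>24}: {value}")
```

Three points are worth noticing when running it. The rule lookup is default-deny, so a host that names a namespace the policy never mentions gets nothing. The LBA bound is computed from the decoded range rather than from any length the host claims, and the overflow caveat in the comment matters if this logic is ported to a fixed-width language. The second read of the same LBA is served from the host-side metadata without a fabric round trip, which is the read path claim 1 spells out.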

Assignees

EMC IP Holding Co LLC
Inventors

Classifications

  • in relation to response time · CPC title

  • G06F3/0622 (primary) · in relation to access · CPC title

  • Permissions · CPC title

  • Plurality of storage devices · CPC title

  • Revocation or update of secret information, e.g. encryption key update or rekeying · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11500549B2 cover?
Secure access to data on a storage system via direct connection to an internal fabric of the storage system may be provided. A storage system interface (SSI) may validate each I/O communication originating on the host system before allowing a corresponding I/O communication to be transmitted on the internal fabric. The validation may include applying predefined rules and/or ensuring that the I/…
Who is the assignee on this patent?
EMC IP Holding Co LLC
What technology area does this patent fall under?
Primary CPC classification G06F3/0622. Mapped technology areas include Physics.
When was this patent published?
Publication date Nov 15, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).