Distributed security architecture for storage area networks
1 Assignment
0 Petitions
Abstract
The invention relates to a method of transferring data between a host computer server and a secure network storage system via a data transfer architecture. The secure network storage system has a plurality of storage devices for storage of the data. The method comprises (a) authenticating the host computer server with a security system associated with the secure network storage system; (b) obtaining a storage key from the security system after authentication; and (c) performing an encryption/decryption operation comprising at least one of (i) encrypting and storing data on the secure network storage system, and (ii) retrieving and decrypting data stored on the secure network storage system.
170 Citations
19 Claims
1. A host-side encryption module for installation on a host computer server connected to a secure network storage system by a data transfer architecture for transfer of data therebetween, the secure network storage system having a plurality of storage devices for storage of the data, the host-side encryption module comprising:
(a) an encryption/decryption means for encrypting data to be stored on the secure network storage system and for decrypting data received from the secure network storage system;
(b) an authentication means for authenticating the host computer server with a security system associated with the secure network storage system; and
(c) a key management means for (i) obtaining a key and associated storage identity information from the security system after authentication, wherein the associated storage identity information designates an associated storage means for storing information encrypted using the storage key, and the associated storage means is in the plurality of storage means, and (ii) providing the key to the encryption engine for encryption and decryption of data.
(Dependent claims: 2, 3, 4, 5, 6)
7. A security system for providing restricted access to data stored on a secure network storage system having a plurality of storage means, the security system comprising:
(a) data transfer means for communication with a host server computer and the secure network storage system;
(b) a host computer authentication means for authenticating a host computer;
(c) a key management means for issuing a storage key and associated storage identity information to the host computer following authentication, wherein the associated storage identity information designates an associated storage means for storing information encrypted using the storage key, and the associated storage means is in the plurality of storage means; and
(d) a key storage means for securely storing the storage key and the associated storage identity information.
(Dependent claims: 8, 9, 10, 11, 12, 13)
14. A secure storage network system comprising:
(a) a host computer server;
(b) a storage system connected to the host computer server by a data transfer architecture for transfer of data therebetween, the storage system having a plurality of storage devices for storage of the data;
(c) a host-side encryption module installed on the host computer, and
(d) a security system for providing restricted access to data stored on the storage system, wherein
(e) the host-side encryption module has
(i) an encryption/decryption means for encrypting data to be stored on the secure network storage system and for decrypting data received from the secure network storage system;
(ii) an authentication means for authenticating the host computer server with a security system associated with the secure network storage system; and
(iii) a key management means for obtaining a key from the security system after authentication, and providing the key to the encryption engine for encryption and decryption of data; and
(f) the security system includes
(i) data transfer means for communication with the host server computer and the secure network storage system;
(ii) a host computer authentication means for authenticating the host server computer;
(iii) a key management means for issuing a storage key to the host computer following authentication; and
(iv) a key storage means for securely storing the storage key.
15. A computer program product for use on a host computer server, the computer program product comprising:
a recording medium; and
means recorded on the medium for configuring the host computer server to provide
(a) an encryption/decryption means for encrypting data to be stored on the secure network storage system and for decrypting data received from the secure network storage system;
(b) an authentication module for authenticating the host computer server with a secure source associated with the secure network storage system; and
(c) a key management means for (i) obtaining a key from the secure source after authentication, and (ii) providing the key to the encryption engine for encryption and decryption of data.
(Dependent claims: 16, 17)
18. A host-side encryption module for installation on a host computer server connected to a secure network storage system by a data transfer architecture for transfer of data therebetween, the secure network storage system having a plurality of storage devices for storage of the data, the host-side encryption module comprising:
(a) an encryption/decryption means for encrypting data to be stored on the secure network storage system and for decrypting data received from the secure network storage system;
(b) an authentication means for authenticating the host computer server with a security system associated with the secure network storage system; and
(c) a key management means for (i) obtaining a key from the security system after authentication, and (ii) providing the key to the encryption engine for encryption and decryption of data.
19. A method of transferring data between a host computer server and a secure network storage system via a data transfer architecture, the secure network storage system having a plurality of storage devices for storage of the data, the method comprising:
(a) authenticating the host computer server with a security system associated with the secure network storage system;
(b) obtaining a storage key from the security system after authentication; and
(c) performing an encryption/decryption operation comprising at least one of (i) encrypting and storing data on the secure network storage system, and (ii) retrieving and decrypting data stored on the secure network storage system.
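As an added example, not code from the patent or from any product it covers, the exchange described in claims 1, 7 and 19 is modelled below in one Python process: a security system authenticates the host, then issues a storage key together with the identity of the storage device that key is bound to, and the host-side module encrypts to that device only and decrypts what it reads back. The claims name no cipher and no authentication protocol, so the following are assumptions of this example: the HMAC-SHA256 challenge-response used for host authentication, the encrypt-then-MAC construction built from HMAC-SHA256 (a stand-in for an AEAD such as AES-GCM, which the Python standard library does not ship), the binding of the storage identity into the authentication tag, and every host id, device id, secret and record name.

```python
# Added example, not the patent's code: the exchange of claims 1, 7 and 19 in one
# process. HMAC-SHA256 challenge-response and an encrypt-then-MAC construction
# are assumptions standing in for the claimed "means"; use AES-GCM in practice.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _subkeys(storage_key: bytes) -> tuple:
    """Derive independent encryption and MAC keys from the issued storage key."""
    return (hmac.new(storage_key, b"enc", hashlib.sha256).digest(),
            hmac.new(storage_key, b"mac", hashlib.sha256).digest())


def seal(storage_key: bytes, storage_id: str, plaintext: bytes) -> bytes:
    """Encrypt then MAC; the storage identity is bound into the tag."""
    enc_key, mac_key = _subkeys(storage_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, storage_id.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(storage_key: bytes, storage_id: str, record: bytes) -> bytes:
    """Verify the tag before decrypting; a flipped bit or wrong storage_id fails."""
    if len(record) < NONCE_LEN + TAG_LEN:
        raise ValueError("record truncated")
    enc_key, mac_key = _subkeys(storage_key)
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, storage_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record failed authentication (tampered or moved)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SecuritySystem:
    """Claim 7: authenticate the host, then issue the storage key together with
    the identity of the storage device that key is bound to (in-memory tables)."""
    def __init__(self, host_secrets: dict, host_storage: dict, storage_keys: dict):
        self.host_secrets = host_secrets  # host id -> shared authentication secret
        self.host_storage = host_storage  # host id -> designated storage device
        self.storage_keys = storage_keys  # storage device id -> storage key

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def authenticate(self, host_id: str, nonce: bytes, response: bytes) -> tuple:
        secret = self.host_secrets.get(host_id)
        if secret is None or not hmac.compare_digest(
                hmac.new(secret, nonce, hashlib.sha256).digest(), response):
            raise PermissionError("host authentication failed")
        storage_id = self.host_storage[host_id]
        return self.storage_keys[storage_id], storage_id


class HostEncryptionModule:
    """Claim 1: authenticate, obtain key and storage identity, encrypt/decrypt."""
    def __init__(self, system: SecuritySystem, host_id: str, secret: bytes):
        nonce = system.challenge()
        response = hmac.new(secret, nonce, hashlib.sha256).digest()
        self.key, self.storage_id = system.authenticate(host_id, nonce, response)

    def store(self, storage: dict, name: str, plaintext: bytes) -> None:
        if self.storage_id not in storage:
            raise KeyError("designated storage device not present")
        storage[self.storage_id][name] = seal(self.key, self.storage_id, plaintext)

    def retrieve(self, storage: dict, name: str) -> bytes:
        return unseal(self.key, self.storage_id, storage[self.storage_id][name])


def _raises(fn, exc) -> bool:
    try:
        fn()
    except exc:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: host-a is bound to device lun-7; lun-8 also exists."""
    system = SecuritySystem(host_secrets={"host-a": b"constructed-host-a-secret"},
                            host_storage={"host-a": "lun-7"},
                            storage_keys={"lun-7": secrets.token_bytes(32)})
    storage = {"lun-7": {}, "lun-8": {}}
    host = HostEncryptionModule(system, "host-a", b"constructed-host-a-secret")
    host.store(storage, "rec1", b"payroll.db contents")
    results = {"stored_on": host.storage_id,
               "recovered": host.retrieve(storage, "rec1")}
    tampered = bytearray(storage["lun-7"]["rec1"])
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit in the stored record
    storage["lun-7"]["rec1"] = bytes(tampered)
    results["tamper_detected"] = _raises(lambda: host.retrieve(storage, "rec1"), ValueError)
    results["wrong_secret_rejected"] = _raises(
        lambda: HostEncryptionModule(system, "host-a", b"wrong-secret"), PermissionError)
    return results
```

Calling demo() returns the recovered plaintext, the device the record was written to, and two failure-mode results that the claims leave implicit: a host that cannot answer the challenge is issued no key at all, and a record altered at rest (or presented under a different storage identity) fails authentication before any decryption happens. In a real deployment the key would never leave a hardware-protected store on the host, the challenge would carry the security system's identity as well, and seal/unseal would be AES-GCM or another standard AEAD rather than the HMAC-based construction used here.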
Specification