SECURE ISOLATION OF TENANT RESOURCES IN A MULTI-TENANT STORAGE SYSTEM USING A GATEKEEPER

US 20140331337A1
Filed: 05/02/2013
Published: 11/06/2014
Est. Priority Date: 05/02/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method for controlling access to data stored on shared storage, servicing a plurality of tenants, the method comprising:

receiving a request from a first process to access a first data item associated with a first tenant in a multi-tenant data storage system, andproviding access to the data item through a gatekeeper, in response to determining that the first process is associated with the first tenant.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Machines, systems and methods for controlling access to data stored on shared storage, servicing a plurality of tenants, the method comprising receiving a request from a first process to access a first data item associated with a first tenant in a multi-tenant data storage system, and providing access to the data item through a gatekeeper, in response to determining that the first process is associated with the first tenant.

52 Citations

View as Search Results

20 Claims

1. A method for controlling access to data stored on shared storage, servicing a plurality of tenants, the method comprising:
- receiving a request from a first process to access a first data item associated with a first tenant in a multi-tenant data storage system, andproviding access to the data item through a gatekeeper, in response to determining that the first process is associated with the first tenant.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein a first tenant indicator is associated with a first key for retrieving the first data item pursuant to the request, wherein the first tenant indicator is correlated with the first tenant to uniquely identify the first tenant.
  - 3. The method of claim 2, wherein a first signature is associated with the first key or value, wherein in response to receiving the request for accessing the first data item, the first signature is processed to determine integrity of the first key or value, or an associated data item.

4. A method of maintaining data isolation in a multi-tenant data storage system, the method comprising:
- receiving a first request submitted by a first user associated with a first tenant in a multi-tenant data storage system;
  
  assigning a first request processor to service the first request, wherein a first process ID is assigned to the first request processor, so that the first process ID is correlated with the first tenant;
  
  submitting a first data access request, received by a gatekeeper, to access first data stored on one or more data storage mediums, in response to the first request; and
  
  providing the first request processor, by way of the gatekeeper, with access to the first data, in response to determining that the first data is associated with the first tenant based on a correlation between the first process ID and the first tenant.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 5. The method of claim 4, wherein a gatekeeper determines an association between the first request and the first tenant based on a first tenant ID associated with the process ID of the first request processor.
  - 6. The method of claim 5, wherein the first tenant ID is transmitted in a header portion of a data packet that is transmitted by the client as part of the first request, wherein the first tenant ID is used to set the first process ID assigned to the first request processor.
  - 7. The method of claim 6, wherein the gatekeeper intercepts the first data access request submitted by the first request processor attempting to service the first request.
  - 8. The method of claim 7, wherein the gatekeeper is configured to provide controlled access to tenant data stored on one or more data storage mediums without a data access authorization mechanism, in response to receiving data access requests from one or more request processors.
  - 9. The method of claim 7, wherein the first data access request is submitted to the gatekeeper by way of the first request processor.
  - 10. The method of claim 9, wherein the gatekeeper verifies that the first request is associated with the first tenant, before providing the first request processor with access to the first data.
  - 11. The method of claim 10, wherein the gatekeeper verifies that the first request is associated with the first tenant by correlating a operating system (OS) user ID used by the request processor with the first tenant ID associated with the first request.
  - 12. The method of claim 11, wherein the gatekeeper limits the first request processor'"'"'s access to data associated with the first tenant.
  - 13. The method of claim 4, wherein the gatekeeper uses a first key associated with a first data item to retrieve the first data item from the one or more data storage mediums, in response to the first request processor servicing the first request, wherein the first key is marked with a unique tenant ID associated with the first tenant.

14. A system for controlling access to data stored on shared storage, servicing a plurality of tenants, the system comprising:
- a logic unit for receiving a request from a first process to access a first data item associated with a first tenant in a multi-tenant data storage system, anda logic unit for providing access to the data item through a gatekeeper, in response to determining that the first process is associated with the first tenant.
- View Dependent Claims (15, 16)
- - 15. The system of claim 14, wherein a first tenant indicator is associated with a first key for retrieving the first data item pursuant to the request, wherein the first tenant indicator is correlated with the first tenant to uniquely identify the first tenant.
  - 16. The system of claim 15, wherein a first signature is associated with the first key or value, wherein in response to receiving the request for accessing the first data item, the first signature is processed to determine integrity of the first key or value, or an associated data item.

17. A system of maintaining data isolation in a multi-tenant data storage system, the method comprising:
- a logic unit for receiving a first request submitted by a first user associated with a first tenant in a multi-tenant data storage system;
  
  a logic unit for assigning a first request processor to service the first request, wherein a first process ID is assigned to the first request processor, so that the first process ID is correlated with the first tenant;
  
  a logic unit for submitting a first data access request, received by a gatekeeper, to access first data stored on one or more data storage mediums, in response to the first request; and
  
  a logic unit for providing the first request processor, by way of the gatekeeper, with access to the first data, in response to determining that the first data is associated with the first tenant based on a correlation between the first process ID and the first tenant.

18. A computer program product comprising logic code embedded on a data storage medium for controlling access to data stored on shared storage, servicing a plurality of tenants, wherein execution of the logic code on a computer causes the computer to:
- receive a request from a first process to access a first data item associated with a first tenant in a multi-tenant data storage system, andprovide access to the data item through a gatekeeper, in response to determining that the first process is associated with the first tenant.
- View Dependent Claims (19, 20)
- - 19. The computer program product of claim 18, wherein a first tenant indicator is associated with a first key for retrieving the first data item pursuant to the request, wherein the first tenant indicator is correlated with the first tenant to uniquely identify the first tenant.
  - 20. The computer program product of claim 19, wherein a first signature is associated with the first key or value, wherein in response to receiving the request for accessing the first data item, the first signature is processed to determine integrity of the first key or value, or an associated data item.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Factor, Michael E., Hadas, David, Kolodner, Elliot K., Kurmus, Anil, Shulman-Peleg, Alexandra, Sorniotti, Alessandro

Application Number

US13/875,300
Publication Number

US 20140331337A1
Time in Patent Office

Days
Field of Search
US Class Current

726/30
CPC Class Codes

G06F 21/62 Protecting access to data v...

SECURE ISOLATION OF TENANT RESOURCES IN A MULTI-TENANT STORAGE SYSTEM USING A GATEKEEPER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE ISOLATION OF TENANT RESOURCES IN A MULTI-TENANT STORAGE SYSTEM USING A GATEKEEPER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links