Secure network file access control system

US 6,678,828 B1
Filed: 07/22/2002
Issued: 01/13/2004
Est. Priority Date: 07/22/2002
Status: Expired due to Term

First Claim

Patent Images

1. A network storage architecture supporting the secure access and transfer of data between a client computer system and a network data store, said network storage architecture comprising:

a) an agent provided on a client computer system, wherein said client computer system supports execution of an application program including the issuance of a first file data request with respect to a predetermined network file, wherein said agent develops authentication data with respect to said application;

b) a network data store providing for the storage of said predetermined network file; and

c) a network appliance coupleable through a first network to said client computer system to receive said first file data request and through a second network to said network data store to provide a second read request, wherein said network appliance interoperates with said agent to receive and validate said authentication data to enable the generation of a second file data request corresponding to said first file data request, and wherein said network appliance is operative to transmit said second file data request to said network data store.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Reexamination

Accused Products

Abstract

A secure network file access appliance supports the secure access and transfer of data between the file system of a client computer system and a network data store. An agent provided on the client computer system and monitored by the secure network file access appliance ensures authentication of the client computer system with respect to file system requests issued to the network data store. The secure network file access appliance is provided in the network infrastructure between the client computer system and network data store to apply qualifying access policies and selectively pass through to file system requests. The secure network file access appliance maintains an encryption key store and associates encryption keys with corresponding filesystem files to encrypt and decrypt file data as transferred to and read from the network data store through the secure network file access appliance.

425 Citations

30 Claims

1. A network storage architecture supporting the secure access and transfer of data between a client computer system and a network data store, said network storage architecture comprising:
- a) an agent provided on a client computer system, wherein said client computer system supports execution of an application program including the issuance of a first file data request with respect to a predetermined network file, wherein said agent develops authentication data with respect to said application;
  
  b) a network data store providing for the storage of said predetermined network file; and
  
  c) a network appliance coupleable through a first network to said client computer system to receive said first file data request and through a second network to said network data store to provide a second read request, wherein said network appliance interoperates with said agent to receive and validate said authentication data to enable the generation of a second file data request corresponding to said first file data request, and wherein said network appliance is operative to transmit said second file data request to said network data store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The network storage architecture of claim 1 wherein said authentication data defines a session with respect to the execution of said application program and wherein said authentication data is provided to said network appliance with said first file data request.
  - 3. The network storage architecture of claim 2 wherein said authentication data includes a process identifier corresponding to said application program as executed on said client computer system.
  - 4. The network storage architecture of claim 3 wherein said authentication data includes a verified user identifier.
  - 5. The network storage architecture of claim 2 wherein said network appliance includes an encryption unit and wherein said network appliance provides for the encryption of file data transferred in connection with said second file data request.
  - 6. The network storage architecture of claim 5 wherein said network appliance provides for the storage of meta-data, including an encryption key identifier, in correspondence with said predetermined network file and wherein said network appliance provides for the retrieval of said meta-data selectively in connection with said first file data request.
  - 7. The network storage architecture of claim 6 wherein said network appliance includes an encryption key store and wherein said encryption key identifier selects an encryption key provided to said encryption unit in connection with said second file data request.
  - 8. The network storage architecture of claim 7 wherein said authentication data includes a process identifier, corresponding to said application program as executed on said client computer system, a verified user identifier, and a group identifier, wherein said network appliance further includes an access policy store which stores a plurality of predetermined access policies, and wherein said network appliance is operative to qualify said file data request against said plurality of predetermined access policies stored by said access policy store with respect to said process identifier, verified user identifier, and group identifier.
  - 9. The network storage architecture of claim 8 wherein said first file data request is further qualified against said plurality of predetermined access policies in combination with an identification of said network data store.

10. A network storage security appliance coupleable in a network infrastructure between a client computer system and a network storage system to authenticate and secure file system requests and data transferred thereinbetween, said network storage security appliance comprising:
- a) an authentication controller coupleable to communicate with an agent on a predetermined client computer system, said authentication controller being operative to receive and validate authentication data collected by said agent with respect to a predetermined application loaded for execution by said client computer system and wherein said predetermined application provides first file system requests directed to said network storage security appliance with respect to first file data; and
  
  b) a protocol processor coupled to said authentication controller and responsive to said first file system requests to provide second file system requests to a network storage system, said protocol processor providing for a secure data protocol conversion between said first file data and a second file data transferred in connection with said second file system requests, wherein the secure data protocol of said second file data being transparent to said network storage system.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The network storage security appliance of claim 10 wherein said authentication controller is operative to selectively enable the operation of said protocol processor with respect to said second file system requests.
  - 12. The network storage security appliance of claim 11 wherein said secure data protocol provides for the digital signing of said first file data.
  - 13. The network storage security appliance of claim 11 wherein said secure data protocol provides for the encryption of said first file data.
  - 14. The network storage security appliance of claim 13 wherein said protocol processor includes an encryption key store providing for the storage of a plurality of encryption keys, and wherein said protocol processor is operative to autonomously associate a predetermined encryption key with said first file data.
  - 15. The network storage security appliance of claim 14 wherein meta-data is associated with said second file data and wherein said protocol processor is responsive to said meta-data to select said predetermined encryption key from said encryption key store with respect to said second file data.
  - 16. The network storage security appliance of claim 15 wherein said meta-data is stored by said network storage system in correspondence with said second file data.
  - 17. The network storage security appliance of claim 16 wherein an individual instance of said meta-data is stored with respect to said second file data.
  - 18. The network storage security appliance of claim 17 wherein said individual instance of said meta-data is stored as part of said second file data.

19. A method of securing file data on a network storage device accessible to clients through a network, said method comprising the steps of:
- a) establishing a network portal through which network file accesses are routed between a predetermined client system and a network file data store;
  
  b) authenticating, supported by said network portal, network access by an application executed on said predetermined client system with respect to said network file data store;
  
  c) filtering, by said network portal, first network file requests provided by said predetermined client with respect to a predetermined network data file stored by said network file data store, said filtering step including evaluating authentication data provided with said first network file requests as a qualifying basis for providing second network file requests to said network file data store; and
  
  d) processing, by said network portal, first network file data identified by said first network file requests to secure said first network file data as second network file data for transport between said predetermined client and said network file data store.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The method of claim 19 wherein said processing step includes the autonomous digital signing of said second network file data as a plurality of logical blocks, wherein the digital signing of said second network file data is transparent to the storage of said second network file data by said network file data store.
  - 21. The method of claim 19 wherein said processing step includes the autonomous encrypting and decrypting of said second network file data as a plurality of logical blocks, wherein the encryption of said second network file data is transparent to the storage of said second network file data by said network file data store.
  - 22. The method of claim 19 wherein said authentication data includes network and IP layer control information and wherein said filtering step includes verifying said first network file requests based on said network and IP layer control information.
  - 23. The method of claim 22 wherein said processing step includes the autonomous encrypting and decrypting of said second network file data, including retrieval of an encryption key identifier stored in association with said predetermined network data file, the encryption of said second network file data being transparent to the storage of said second network file data by said network file data store, said processing step further providing for the retrieval of an encryption key corresponding to said encryption key identifier to enable encryption and decryption of said second network file data.
  - 24. The method of claim 23 wherein said encryption key is stored by said network portal.
  - 25. The method of claim 21 further comprising the step of selectively storing encryption key identifiers with network data files transparently with respect to said network store and wherein said step of processing includes associating said encryption key identifier with said encryption key to enable the autonomous encrypting and decrypting of said predetermined network data file.

26. A network file access appliance providing secure remote file-based access to an external data store, said network file access appliance comprising:
- a) first and second network interfaces coupleable respectively to a client network and an external data storage network; and
  
  b) a network data processor coupled between said first and second network interfaces, said network data processor terminating a first network file access transaction across said first network interface and initiating a second network file access transaction across said second network interface, said network data processor including an authentication controller, responsive to access authentication data provided with said first network file access transaction, operative to validate said first network file access transaction with respect to a predetermined application program, and a protocol processor, responsive to said authentication controller, operative to convert the presentation of network file data between a first form transported in said first network file access transaction and a secure second form transported in said second network file access transaction.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The network file access appliance of claim 26 wherein said authentication controller, responsive to authentication data provided with respect to said predetermined application program, is operative to establish a session context for validation of said first network file access transaction.
  - 28. The network file access appliance of claim 27 wherein said access authentication data includes a source IP and a file system mount point.
  - 29. The network file access appliance of claim 28 wherein said protocol processor includes a block encryption unit and wherein said protocol processor is operative to encrypt blocks of network file data transferred to said external data storage network and decrypt blocks of network file data received from said external data storage network.
  - 30. The network file access appliance of claim 29 wherein said first network file access transaction includes a target network file specification, wherein said network data processor includes a policy parser operative to associate predetermined target file encryption parameters with said first network file access transaction based on said target network file specification, and wherein said network data processor is responsive to said target file encryption parameters in encrypting blocks of network file data transferred to said external data storage network.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Thales E-Security Incorporated
Original Assignee
Vormetric, Inc. (Thales SA)
Inventors
Lo, Mingchen, Zhang, Pu Paul, Pham, Duc, Nguyen, Tien Le
Primary Examiner(s)
HUA, LY

Application Number

US10/201,406
Time in Patent Office

540 Days
Field of Search

713/201, 713/200, 713/153, 713/161, 713/168, 713/166, 713/171, 380/33, 380/247, 380/251, 380/255, 380/269, 380/270, 380/277, 380/287, 709/202, 709/218, 709/219, 709/229
US Class Current

726/2
CPC Class Codes

G06F 3/0622   in relation to access

G06F 3/0643   Management of files

G06F 3/067   Distributed or networked st...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 67/1097   for distributed storage of ...

Secure network file access control system

First Claim

3 Assignments

0 Petitions

Reexamination

Accused Products

Abstract

425 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Secure network file access control system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

425 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links