Method and apparatus for providing discrete data storage security
First Claim
1. A data storage security system on a network, comprising:
- a data security system connected to the network including a first logical port, the data security system communicatively coupled with a data storage including a file, the file comprising a plurality of blocks;
- a source computer connected to the network, the source computer including an address and a second logical port, wherein the source computer is operative to issue a block level request to access one or more blocks of the file, the block level request including the address of the source computer, an identifier for the second logical port of the source computer, and an identifier for the first logical port of the data security system;
- a data storage security driver installed in the data security system, the data storage security driver operative to provide block level access control to the blocks of the file, including a policy for accessing the file, the policy including an address and an identifier for the second logical port of the source computer that is permitted to access the file and a direction of data flow between the data security system and the source computer, and wherein the data storage security driver is operative to approve the block level file access request by comparing the block level access request to the policy; and
- a data storage security manager separate from the data security system and operative to define the policy in the data storage security driver, wherein the data storage security manager is designed to refuse an instruction to modify the policy if the source of the instruction is outside the data storage security manager, wherein the data storage security manager is operative to communicate with the data storage security driver using a specific communication protocol, the specific communication protocol including one or more of a specified port and a specified routing path, and wherein the data storage security driver is operative to update the policy following a communication from the data storage security manager including the specific communication protocol.
Abstract
The invention is a system to secure data. The data security system includes data, a data security system enforcer, a local policy database, and a centralized policy manager. When a block level file access request is received, the data security system enforcer checks the local policy database to see if the file access request is authorized. If the file access request is authorized, then the file access request is performed. Intrusions may be determined based on the type and number of unauthorized file access requests. Forensic analysis may be performed on a database logging file access requests (both authorized and unauthorized).
12 Claims
1. A data storage security system on a network, comprising the elements recited in the First Claim above. Dependent claims: 2, 3, 4, 5, 6.
7. A method for performing secure file operations, comprising:
- receiving a block level file access request requesting access to blocks of a file;
- determining a source location for the file access request, including determining an address and an identifier for a logical port of a source computer from which the file access request issued;
- determining a direction for a datum of the file access request to flow;
- determining a routing path through which the file access request is received;
- determining an identifier for a logical port on a data security system to which the file access request was directed;
- verifying that the file access request may be approved or refused based on the combination of the source location, the routing path, and the determined direction of data flow, wherein verifying that the file access request may be approved or refused includes comparing the file access request with a policy; and
- if the file access request is verified, performing the file access request, including accessing a block of the files;
- receiving a request to update the policy, the request including a communication protocol;
- verifying the communication protocol;
- updating the policy if the communication protocol is verified; and
- refusing to update the policy if the communication protocol is not verified.
Dependent claims: 8, 9.
10. An article comprising a machine-accessible physical medium storing associated data that, when accessed, results in a machine:
- receiving a block level file access request requesting access to blocks of a file;
- determining a source location for the file access request, including determining an address and a logical port of a source computer from which the file access request issued;
- determining a routing path for the file access request;
- determining a direction for a datum of the file access request to flow;
- determining a logical port on a data security system to which the file access request was directed;
- verifying that the file access request may be performed or refused based on the combination of the source location, the routing path, and the determined direction of data flow, including comparing the file access request with a policy; and
- if the file access request is verified, performing the file access request, including accessing the blocks of the file;
- receiving a request to update the policy, the request including a communication protocol;
- verifying the communication protocol;
- updating the policy if the communication protocol is verified; and
- refusing to update the policy if the communication protocol is not verified.
Dependent claims: 11, 12.
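As an added illustration (not code from the patent or its assignee) of the enforcer described in claims 7 and 10 and in the abstract: a block-level request is matched against a policy keyed on source address, source port, destination port, data-flow direction and routing path; a policy update is accepted only when it arrives over the manager's designated channel; every decision is logged so that unauthorized requests can be counted for intrusion detection and forensics. All addresses, ports and route names are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    """One policy entry: which source may touch the file, via which path, in which direction."""
    src_addr: str    # address of the permitted source computer
    src_port: int    # logical port on the source computer
    dst_port: int    # logical port on the data security system
    direction: str   # "read" (data flows to the source) or "write" (data flows to storage)
    route: str       # routing path the request must arrive through

@dataclass(frozen=True)
class BlockRequest:
    """A block level file access request as seen by the driver (constructed fields)."""
    src_addr: str
    src_port: int
    dst_port: int
    direction: str
    route: str
    blocks: tuple    # block numbers of the file being requested

@dataclass
class Enforcer:
    policy: set = field(default_factory=set)
    log: list = field(default_factory=list)   # (request, approved) pairs for forensics
    # The manager's "specific communication protocol": assumed address, port and route.
    manager_addr: str = "10.0.0.1"
    manager_port: int = 9000
    manager_route: str = "mgmt-vlan"

    def check(self, req: BlockRequest) -> bool:
        """Approve the request only if its source, ports, direction and path match a rule."""
        key = Rule(req.src_addr, req.src_port, req.dst_port, req.direction, req.route)
        approved = key in self.policy
        self.log.append((req, approved))
        return approved

    def update_policy(self, src_addr: str, src_port: int, route: str, rules) -> bool:
        """Accept a new policy only from the manager's channel; refuse everything else."""
        if (src_addr, src_port, route) != (self.manager_addr, self.manager_port, self.manager_route):
            return False
        self.policy = set(rules)
        return True

    def unauthorized_count(self) -> int:
        return sum(1 for _, approved in self.log if not approved)

    def suspected_intrusion(self, threshold: int) -> bool:
        """Crude intrusion signal: too many refused requests in the log."""
        return self.unauthorized_count() >= threshold
```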
Specification