Method and apparatus for providing discrete data storage security

US 7,343,488 B2
Filed: 09/30/2002
Issued: 03/11/2008
Est. Priority Date: 09/30/2002
Status: Active Grant

First Claim

Patent Images

1. A data storage security system on a network, comprising:

a data security system connected to the network including a first logical port, the data security system communicatively coupled with a data storage including a file, the file comprising a plurality of blocks;

a source computer connected to the network, the source computer including an address and a second logical port, wherein the source computer is operative to issue a block level request to access one or more blocks of the file, the block level request including the address of the source computer, an identifier for the second logical port of the source computer, and an identifier for the first logical port of the data security system;

a data storage security driver installed in the data security system, the data storage security driver operative to provide block level access control to the blocks of the file, including a policy for accessing the file, the policy including an address and an identifier for the second logical port of the source computer that is permitted to access the file and a direction of data flow between the data security system and the source computer, and wherein the data storage security driver is operative to approve the block level file access request by comparing the block level access request to the policy; and

a data storage security manager separate from the data security system and operative to define the policy in the data storage security driver, wherein the data storage security manager is designed to refuse an instruction to modify the policy if the source of the instruction is outside the data storage security manager, wherein the data storage security manager is operative to communicate with the data storage security driver using a specific communication protocol, the specific communication protocol including one or more of a specified port and a specified routing path, and wherein the data storage security driver is operative to update the policy following a communication from the data storage security manager including the specific communication protocol.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention is a system to secure data. The data security system includes data, a data security system enforcer, a local policy database, and a centralized policy manager. When a block level file access request is received, the data security system enforcer checks the local policy database to see if the file access request is authorized. If the file access request is authorized, then the file access request is performed. Intrusions may be determined based on the type and number of unauthorized file access requests. Forensic analysis may be performed on a database logging file access requests (both authorized and unauthorized).

48 Citations

View as Search Results

12 Claims

1. A data storage security system on a network, comprising:
- a data security system connected to the network including a first logical port, the data security system communicatively coupled with a data storage including a file, the file comprising a plurality of blocks;
  
  a source computer connected to the network, the source computer including an address and a second logical port, wherein the source computer is operative to issue a block level request to access one or more blocks of the file, the block level request including the address of the source computer, an identifier for the second logical port of the source computer, and an identifier for the first logical port of the data security system;
  
  a data storage security driver installed in the data security system, the data storage security driver operative to provide block level access control to the blocks of the file, including a policy for accessing the file, the policy including an address and an identifier for the second logical port of the source computer that is permitted to access the file and a direction of data flow between the data security system and the source computer, and wherein the data storage security driver is operative to approve the block level file access request by comparing the block level access request to the policy; and
  
  a data storage security manager separate from the data security system and operative to define the policy in the data storage security driver, wherein the data storage security manager is designed to refuse an instruction to modify the policy if the source of the instruction is outside the data storage security manager, wherein the data storage security manager is operative to communicate with the data storage security driver using a specific communication protocol, the specific communication protocol including one or more of a specified port and a specified routing path, and wherein the data storage security driver is operative to update the policy following a communication from the data storage security manager including the specific communication protocol.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A data storage security system according to claim 1, wherein the request further includes a direction of data flow between the data security system and the source computer.
  - 3. A data storage security system according to claim 1, wherein the policy further includes an identifier for the first logical port on the data security system through which the request may be directed.
  - 4. A data storage security system according to claim 1, wherein the policy further includes that the file may be written to.
  - 5. A data storage security system according to claim 1 wherein the policy further specifies that the file may be read.
  - 6. The data storage security system of claim 1, further comprising:
    - a second source computer connected to the network, the second source computer including an address and a third logical port; and
      
      a second source computer connected to access one or more blocks of the file issued by the second source computer, the second block level request including the address of the second source computer, an identifier for the third logical port of the source computer, and an identifier for the first logical port of the data security system.

7. A method for performing secure file operations, comprising:
- receiving a block level file access request requesting access to blocks of a file;
  
  determining a source location for the file access request including determining an address and an identifier for a logical port of a source computer from which the file access request issued;
  
  determining a direction for a datum of the file access request to flow;
  
  determining a routing path through which the file access request is received;
  
  determining an identifier for a logical port on a data security system to which the file access request was directed;
  
  verifying that the file access request may be approved or refused based on the combination of the source location, the routing path, and the determined direction of data flow, wherein verifying that the file access request may be approved or refused includes comparing the file access request with a policy; and
  
  if the file access request is verified, performing the file access request, including accessing a block of the files;
  
  receiving a request to update the policy, the request including a communication protocol;
  
  verifying the communication protocol;
  
  updating the policy if the communication protocol is verified; and
  
  refusing to update the policy if the communication protocol is not verified.
- View Dependent Claims (8, 9)
- - 8. A method according to claim 7, wherein receiving a block level file access request includes receiving a block level file read request.
  - 9. A method according to claim 7, wherein receiving a block level file access request includes receiving a block level file write request.

10. An article comprising a machine-accessible physical medium storing associated data that, when accessed, results in a machine:
- receiving a block level file access request requesting access to blocks of a file;
  
  determining a source location for the file access request including determining an address and a logical port of a source computer from which the file access request issued;
  
  determining a routing path for the file access request;
  
  determining a direction for a datum of the file access request to flow;
  
  determining a logical port on a data security system to which the file access request was directed;
  
  verifying that the file access request may be performed or refused based on the combination of the source location, the routing path, and the determined direction of data flow, including comparing the file access request with a policy; and
  
  if the file access request is verified, performing the file access request, including accessing the blocks of the file;
  
  receiving a request to update the policy, the request including a communication protocol;
  
  verifying the communication protocol;
  
  updating the policy if the communication protocol is verified; and
  
  refusing to update the policy if the communication protocol is not verified.
- View Dependent Claims (11, 12)
- - 11. An article according to claim 10, wherein the associated data for receiving a block level file access request includes associated data for receiving a block level file read request.
  - 12. An article according to claim 10, wherein the associated data for receiving a block level file access request associated data for includes receiving a block level file write request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Xiaomi Mobile Software Co., Ltd. (Xiaomi Corp.)
Original Assignee
Intel Corporation
Inventors
Yadav, Satyendra
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US10/261,825
Publication Number

US 20040064713A1
Time in Patent Office

1,989 Days
Field of Search

713/200, 713/193, 713/165, 713/153, 726/2, 726/21, 726/23
US Class Current

713/165
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/0236   Filtering by address, proto...

Method and apparatus for providing discrete data storage security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing discrete data storage security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links