Method and system for securing network access to dynamically updateable data stored in a data storage system

US 7,870,239 B1
Filed: 03/29/2002
Issued: 01/11/2011
Est. Priority Date: 06/30/1998
Status: Expired due to Fees

First Claim

Patent Images

1. In a data storage network having a data storage system with memory and one or more data storage devices storing data arranged as one or more data volumes, the one or more data storage devices located at a first location, the data storage system comprising a secure database secured from unauthorized access located at a second location exclusive of the first location, hereinafter denominated as the secure database and wherein the data storage system is in communication with a computer system also having memory, a method for using computer-executable logic for managing secure access to the data by a plurality of hosts, wherein the plurality of host are coupled to the data storage network by an Internet Protocol (IP) network and the data storage system accesses the data via a first path, and wherein the method includes:

allocating permissions for controlling accesses to the one or more data volumes stored on the one or more data storage devices;

in response to each receipt of a connection initiation request by a host of the plurality of hosts over the IP network, copying permissions associated with the hosts from the secure database, wherein being secured from unauthorized access includes being secured from access by the hosts, via a second path to a transient database of the data storage system, wherein the transient database comprises a transient filter table, wherein the transient filter table comprises a record copied from the secure database for each host of the plurality of hosts coupled to each port of a plurality of ports of the storage system, and wherein each of the records stores the permissions for each of the plurality of hosts that accesses the data storage system through the port of the plurality of ports;

for each request to access a file that is received via the IP network at each port of the plurality of ports of the data storage system, accessing the transient filter table to determine whether the host of the plurality of hosts that initiated the request to access the file has the permission to access the one or more data volumes associated with the file, wherein the transient filter table contains for each host of the plurality of hosts for each port of the plurality of ports, a bitmap identifying the host permissions for each of the one or more data volumes.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention is a system and method for managing data in a secure manner in a data storage environment that is in communication with a network including an internet-based network. The system includes logic for securely managing internet client'"'"'s access to data volumes stored on a data storage system, and may also include logic operating with a file server for providing dynamic access of data available to such clients in a secure fashion.

21 Citations

View as Search Results

25 Claims

1. In a data storage network having a data storage system with memory and one or more data storage devices storing data arranged as one or more data volumes, the one or more data storage devices located at a first location, the data storage system comprising a secure database secured from unauthorized access located at a second location exclusive of the first location, hereinafter denominated as the secure database and wherein the data storage system is in communication with a computer system also having memory, a method for using computer-executable logic for managing secure access to the data by a plurality of hosts, wherein the plurality of host are coupled to the data storage network by an Internet Protocol (IP) network and the data storage system accesses the data via a first path, and wherein the method includes:
- allocating permissions for controlling accesses to the one or more data volumes stored on the one or more data storage devices;
  
  in response to each receipt of a connection initiation request by a host of the plurality of hosts over the IP network, copying permissions associated with the hosts from the secure database, wherein being secured from unauthorized access includes being secured from access by the hosts, via a second path to a transient database of the data storage system, wherein the transient database comprises a transient filter table, wherein the transient filter table comprises a record copied from the secure database for each host of the plurality of hosts coupled to each port of a plurality of ports of the storage system, and wherein each of the records stores the permissions for each of the plurality of hosts that accesses the data storage system through the port of the plurality of ports;
  
  for each request to access a file that is received via the IP network at each port of the plurality of ports of the data storage system, accessing the transient filter table to determine whether the host of the plurality of hosts that initiated the request to access the file has the permission to access the one or more data volumes associated with the file, wherein the transient filter table contains for each host of the plurality of hosts for each port of the plurality of ports, a bitmap identifying the host permissions for each of the one or more data volumes.
- View Dependent Claims (2, 3, 4, 5, 6, 22)
- - 2. The method of claim 1, wherein the plurality of hosts share read-write access to the file, with granted respective read locks and write locks on the file.
  - 3. The method of claim 1, wherein the computer system is a file server in communication with the data storage system, and the method further comprises:
    - (a) the file server receiving from a computer external to the data storage network, a request for accessing data related to the file;
      
      (b) in response to the request for accessing data, the file server returning to the computer external to the data storage network metadata of the file including information specifying a data storage location for the file; and
      
      (c) using the metadata of the file, the computer external to the data storage network producing at least one data access command for accessing the data storage location by forwarding the at least one data access command to a port of the plurality of ports of the data storage system over the IP network, whereby such the data access command is managed by determining, using the transient filter table, whether the computer external to the data storage network has the permissions which will allow the external computer such access.
  - 4. The method of claim 3, wherein a plurality of externally located computers share read-write access to the file, with granted respective read locks and write locks on the file.
  - 5. The method of claim 3, wherein the computer external to the data storage network writes data to the data storage location, if the permissions allow the computer external to the data storage to write the data to the data storage location, and modifies the metadata from the file server in accordance with the data storage location to which the data is written, and sends the modified metadata to the file server.
  - 6. The method of claim 5 wherein the computer external to the data storage network sends the modified metadata to the file server after the computer external to the data storage network writes the data to the data storage location.
  - 22. The method of claim 1 further including:
    - employing encrypted keys to authenticate that the connection initiation request from a host of the plurality of hosts actually corresponds to a request by said host of the plurality of hosts.

7. A system for managing access to data that can be dynamically updated for computers on an Internet Protocol (IP) network externally located to a data storage network, the system comprising:
- a data storage network including a data storage system with memory and one or more data storage devices storing data in one or more data volumes, the one or more data storage devices located at a first location and the data storage system accessing the data via a first path, and a computer system also having memory and a secure database secured from unauthorized access located at a second location exclusive of the first location, hereinafter denominated as the secure database; and
  
  computer-executable program code stored in the memory of the computer system to perform;
  
  allocating permissions for controlling accesses to the one or more data volumes stored on the one or more data storage devices;
  
  in response to each receipt of a connection initiation request by a host over the IP network, copying permissions associated with the host from the secure database, wherein being secured from unauthorized access includes being secured from access by the hosts, via a second path to a transient database of the data storage system, wherein the transient database comprises a transient filter table, wherein the transient filter table comprises a record for each host coupled to each port of a plurality of ports of the storage system, and wherein each record of a plurality of records stores the permission for each host of the plurality of hosts that accesses the data storage system through the port of the plurality of ports;
  
  for each request to access a file that is received via the IP network at each port of the plurality of ports of the data storage system, accessing the transient filter table to determine whether the host that initiated the respective request to access the file has the permission to access the one or more data volumes associated with the file, wherein the transient filter table stores, for each host of the plurality of hosts for each port of the plurality of ports, a bitmap identifying the host permissions for each of the one or more data volumes.
- View Dependent Claims (8, 9, 10, 11, 12, 23)
- - 8. The system of claim 7, wherein a plurality of externally located computers share read-write access to the file, with granted respective read locks and write locks on the file.
  - 9. The system of claim 7, wherein the computer system is a file server in communication with the data storage system, and the system further comprises:
    - (a) the file server receiving from a computer external to the data storage network, a request for accessing data related to the file;
      
      (b) in response to the request for accessing data, the file server returning to the computer external to the data storage network metadata of the file including information specifying a data storage location for the file; and
      
      (c) using the metadata of the file, the computer external to the data storage network producing at least one data access command for accessing the data storage location and forwarding the at least one data access command via the IP network to a port of the plurality of ports of the data storage network, whereby such the data access command is managed by accessing the transient database using an identifier of the computer external to the data storage network and a port number associated with the port to determine whether the computer external to the data storage network has the permissions which will allow the external computer such access.
  - 10. The system of claim 9, wherein a plurality of externally located computers share read-write access to the file, with granted respective read locks and write locks on the file.
  - 11. The system of claim 9, wherein the computer external to the data storage network writes data to the data storage location, if the permissions allow the computer external to the data storage to write the data to the data storage location, and modifies the metadata from the file server in accordance with the data storage location to which the data is written, and sends the modified metadata to the file server.
  - 12. The system of claim 11, wherein the computer external to the data storage network sends the modified metadata to the file server after the computer external to the data storage network writes the data to the data storage location.
  - 23. The system of claim 7 further including:
    - employing encrypted keys to authenticate that the connection initiation request from a host of the plurality of hosts actually corresponds to a request by said host of the plurality of hosts.

13. A program product for managing access to data in a data storage network, wherein the data storage network includes a data storage system having memory, and a secure database secured from unauthorized access, hereinafter denominated as the secure database and one or more data storage devices storing data in one or more data volumes, wherein the data storage devices are located in a first location and the data on the data storage devices is accessed via a first path, wherein the secure database is located in a second location exclusive of the first location and the secure database is accessed via a second path, and a computer system also having memory, the program product comprising:
- computer-executable program code stored on a memory of the computer system to perform;
  
  allocating permissions for controlling accesses to the one or more data volumes stored on the one or more data storage devices;
  
  in response to receipt of a connection initiation request by a host over an Internet Protocol (IP) network, copying permissions associated with the host from the secure database, wherein being secured from unauthorized access includes being secured from access by a plurality of hosts, to a transient database using the second path, of the data storage system, wherein the transient database comprises a transient filter table, wherein the transient filter table comprises a record for each host of the plurality of hosts coupled to each port of a plurality of ports of the storage system, and wherein each of the records stores the permission for each host of the plurality of hosts that accesses the data storage system through the port of the plurality of ports;
  
  for each request to access a file that is received at each port of the plurality of ports of the data storage system via the IP network, accessing the transient filter table to determine whether the host of the plurality of hosts that initiated the respective request to access the file has the permission to access the one or more data volumes associated with the file, wherein the transient filter table stores, for each host of the plurality of hosts for each port of the plurality of ports, a bitmap identifying the host permissions for each of the one or more data volumes.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 24)
- - 14. The program product of claim 13, wherein the IP network externally located to the data storage network operates in accordance with an internet protocol of the IP network.
  - 15. The program product of claim 14, wherein a plurality of externally located computers share read-write access to the file, with granted respective read locks and write locks on the file.
  - 16. The program product of claim 13, wherein the computer system is a file server in communication with the data storage system, and the program product further comprises:
    - (a) the file server receiving from a computer external to the data storage network, a request for accessing data related to the file;
      
      (b) in response to the request for accessing data, the file server returning to the computer external to the data storage network metadata of the file including information specifying a data storage location for the file; and
      
      (c) using the metadata of the file, the computer external to the data storage network producing at least one data access command for accessing the data storage location and forwarding the at least one data access command via the IP network to a port of the plurality of ports of the data storage system, whereby such the data access command is managed by accessing the transient database using an identifier of the computer external to the data storage network and a port number associated with the port to determine whether the computer external to the data storage network has the permissions which will allow the external computer such access.
  - 17. The system program of claim 16, wherein the IP network externally located to the data storage network operates in accordance with an internet protocol of the IP network.
  - 18. The program product of claim 17, wherein a plurality of externally located computers share read-write access to the file, with granted respective read locks and write locks on the file.
  - 19. The program product of claim 16, wherein the computer external to the data storage network writes data to the data storage location, if the permissions allow the computer external to the data storage to write the data to the data storage location, and modifies the metadata from the file server in accordance with the data storage location to which the data is written, and sends the modified metadata to the file server.
  - 20. The program product of claim 19, wherein the computer external to the data storage network sends the modified metadata to the file server after the computer external to the data storage network writes the data to the data storage location.
  - 24. The program product of claim 13 further comprising:
    - employing encrypted keys to authenticate that the connection initiation request from a host of the plurality of hosts actually corresponds to a request by said host of the plurality of hosts.

21. An apparatus for managing access to data that can be dynamically updated for computers on an Internet Protocol (IP) network externally located to a data storage network, wherein the data storage network includes a data storage system having memory and one or more data storage devices storing the data in one or more data volumes, wherein the data storage devices are located in a first location and the data on the data storage devices is accessed via a first path, a secure database secured from unauthorized access located in a second location exclusive of the first location, hereinafter denominated as the secure database, where the secure database is accessed via a second path, and the data storage network also includes a computer system that has memory, the apparatus comprising:
- a memory; and
  
  a processor to perform;
  
  allocating permissions for controlling accesses to the one or more data volumes stored on the one or more data storage devices;
  
  in response to receipt of a connection initiation request by a host over the IP network, copying permissions associated with the host from the secure database, wherein being secured from unauthorized access includes being secured from access by a plurality of hosts, to a transient database of the data storage system using the second path, wherein the transient database comprises a transient filter table, wherein the transient filter table comprises a record for each host of the plurality of hosts coupled to each port of a plurality of ports of the storage system, and wherein each of the records stores the permission for each host of the plurality of hosts that accesses the data storage system through the port of the plurality of ports;
  
  for each request to access a file that is received via the IP network at each port of the plurality of ports of the data storage system, accessing the transient filter table to determine whether the host that initiated the respective request to access the file has the permission to access the one or more data volumes associated with the file, wherein the transient filter table stores, for each host of the plurality of hosts for each port of the plurality of ports, a bitmap identifying the host permissions for each of the one or more data volumes.
- View Dependent Claims (25)
- - 25. The apparatus of claim 21 further including:
    - employing encrypted keys to authenticate that the connection initiation request from a host of the plurality of hosts actually corresponds to a request by said host of the plurality of hosts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Fitzgerald, John T., Kaufman, Mark, Vahalia, Uresh K., Lippitt, Mark C., McGillis, James M., Tzelnic, Percy, Ofer, Erez, Blumenau, Steven M., Vishlitzky, Natan
Primary Examiner(s)
Lee; Philip C

Application Number

US10/113,307
Time in Patent Office

3,210 Days
Field of Search

709/223, 709/201, 709/203, 709/217, 709/219, 709/245, 709/246, 709/225, 710/1, 710/3, 710/5, 711/100, 711/148, 711/152, 726/4, 707/200, 707/201, 707/10
US Class Current

709/223
CPC Class Codes

G06F 16/1774 Locking methods, e.g. locki...

Method and system for securing network access to dynamically updateable data stored in a data storage system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for securing network access to dynamically updateable data stored in a data storage system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links