Method and system for securing network access to dynamically updateable data stored in a data storage system
First Claim
1. In a data storage network having a data storage system with memory and one or more data storage devices storing data arranged as one or more data volumes, the one or more data storage devices located at a first location, the data storage system comprising a secure database secured from unauthorized access located at a second location exclusive of the first location, hereinafter denominated as the secure database and wherein the data storage system is in communication with a computer system also having memory, a method for using computer-executable logic for managing secure access to the data by a plurality of hosts, wherein the plurality of host are coupled to the data storage network by an Internet Protocol (IP) network and the data storage system accesses the data via a first path, and wherein the method includes:
- allocating permissions for controlling accesses to the one or more data volumes stored on the one or more data storage devices;
in response to each receipt of a connection initiation request by a host of the plurality of hosts over the IP network, copying permissions associated with the hosts from the secure database, wherein being secured from unauthorized access includes being secured from access by the hosts, via a second path to a transient database of the data storage system, wherein the transient database comprises a transient filter table, wherein the transient filter table comprises a record copied from the secure database for each host of the plurality of hosts coupled to each port of a plurality of ports of the storage system, and wherein each of the records stores the permissions for each of the plurality of hosts that accesses the data storage system through the port of the plurality of ports;
for each request to access a file that is received via the IP network at each port of the plurality of ports of the data storage system, accessing the transient filter table to determine whether the host of the plurality of hosts that initiated the request to access the file has the permission to access the one or more data volumes associated with the file, wherein the transient filter table contains for each host of the plurality of hosts for each port of the plurality of ports, a bitmap identifying the host permissions for each of the one or more data volumes.
9 Assignments
0 Petitions
Accused Products
Abstract
This invention is a system and method for managing data in a secure manner in a data storage environment that is in communication with a network including an internet-based network. The system includes logic for securely managing internet client'"'"'s access to data volumes stored on a data storage system, and may also include logic operating with a file server for providing dynamic access of data available to such clients in a secure fashion.
21 Citations
25 Claims
-
1. In a data storage network having a data storage system with memory and one or more data storage devices storing data arranged as one or more data volumes, the one or more data storage devices located at a first location, the data storage system comprising a secure database secured from unauthorized access located at a second location exclusive of the first location, hereinafter denominated as the secure database and wherein the data storage system is in communication with a computer system also having memory, a method for using computer-executable logic for managing secure access to the data by a plurality of hosts, wherein the plurality of host are coupled to the data storage network by an Internet Protocol (IP) network and the data storage system accesses the data via a first path, and wherein the method includes:
-
allocating permissions for controlling accesses to the one or more data volumes stored on the one or more data storage devices; in response to each receipt of a connection initiation request by a host of the plurality of hosts over the IP network, copying permissions associated with the hosts from the secure database, wherein being secured from unauthorized access includes being secured from access by the hosts, via a second path to a transient database of the data storage system, wherein the transient database comprises a transient filter table, wherein the transient filter table comprises a record copied from the secure database for each host of the plurality of hosts coupled to each port of a plurality of ports of the storage system, and wherein each of the records stores the permissions for each of the plurality of hosts that accesses the data storage system through the port of the plurality of ports; for each request to access a file that is received via the IP network at each port of the plurality of ports of the data storage system, accessing the transient filter table to determine whether the host of the plurality of hosts that initiated the request to access the file has the permission to access the one or more data volumes associated with the file, wherein the transient filter table contains for each host of the plurality of hosts for each port of the plurality of ports, a bitmap identifying the host permissions for each of the one or more data volumes. - View Dependent Claims (2, 3, 4, 5, 6, 22)
-
-
7. A system for managing access to data that can be dynamically updated for computers on an Internet Protocol (IP) network externally located to a data storage network, the system comprising:
-
a data storage network including a data storage system with memory and one or more data storage devices storing data in one or more data volumes, the one or more data storage devices located at a first location and the data storage system accessing the data via a first path, and a computer system also having memory and a secure database secured from unauthorized access located at a second location exclusive of the first location, hereinafter denominated as the secure database; and computer-executable program code stored in the memory of the computer system to perform; allocating permissions for controlling accesses to the one or more data volumes stored on the one or more data storage devices; in response to each receipt of a connection initiation request by a host over the IP network, copying permissions associated with the host from the secure database, wherein being secured from unauthorized access includes being secured from access by the hosts, via a second path to a transient database of the data storage system, wherein the transient database comprises a transient filter table, wherein the transient filter table comprises a record for each host coupled to each port of a plurality of ports of the storage system, and wherein each record of a plurality of records stores the permission for each host of the plurality of hosts that accesses the data storage system through the port of the plurality of ports; for each request to access a file that is received via the IP network at each port of the plurality of ports of the data storage system, accessing the transient filter table to determine whether the host that initiated the respective request to access the file has the permission to access the one or more data volumes associated with the file, wherein the transient filter table stores, for each host of the plurality of hosts for each port of the plurality of ports, a bitmap identifying the host permissions for each of the one or more data volumes. - View Dependent Claims (8, 9, 10, 11, 12, 23)
-
-
13. A program product for managing access to data in a data storage network, wherein the data storage network includes a data storage system having memory, and a secure database secured from unauthorized access, hereinafter denominated as the secure database and one or more data storage devices storing data in one or more data volumes, wherein the data storage devices are located in a first location and the data on the data storage devices is accessed via a first path, wherein the secure database is located in a second location exclusive of the first location and the secure database is accessed via a second path, and a computer system also having memory, the program product comprising:
-
computer-executable program code stored on a memory of the computer system to perform; allocating permissions for controlling accesses to the one or more data volumes stored on the one or more data storage devices; in response to receipt of a connection initiation request by a host over an Internet Protocol (IP) network, copying permissions associated with the host from the secure database, wherein being secured from unauthorized access includes being secured from access by a plurality of hosts, to a transient database using the second path, of the data storage system, wherein the transient database comprises a transient filter table, wherein the transient filter table comprises a record for each host of the plurality of hosts coupled to each port of a plurality of ports of the storage system, and wherein each of the records stores the permission for each host of the plurality of hosts that accesses the data storage system through the port of the plurality of ports; for each request to access a file that is received at each port of the plurality of ports of the data storage system via the IP network, accessing the transient filter table to determine whether the host of the plurality of hosts that initiated the respective request to access the file has the permission to access the one or more data volumes associated with the file, wherein the transient filter table stores, for each host of the plurality of hosts for each port of the plurality of ports, a bitmap identifying the host permissions for each of the one or more data volumes. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 24)
-
-
21. An apparatus for managing access to data that can be dynamically updated for computers on an Internet Protocol (IP) network externally located to a data storage network, wherein the data storage network includes a data storage system having memory and one or more data storage devices storing the data in one or more data volumes, wherein the data storage devices are located in a first location and the data on the data storage devices is accessed via a first path, a secure database secured from unauthorized access located in a second location exclusive of the first location, hereinafter denominated as the secure database, where the secure database is accessed via a second path, and the data storage network also includes a computer system that has memory, the apparatus comprising:
-
a memory; and a processor to perform; allocating permissions for controlling accesses to the one or more data volumes stored on the one or more data storage devices; in response to receipt of a connection initiation request by a host over the IP network, copying permissions associated with the host from the secure database, wherein being secured from unauthorized access includes being secured from access by a plurality of hosts, to a transient database of the data storage system using the second path, wherein the transient database comprises a transient filter table, wherein the transient filter table comprises a record for each host of the plurality of hosts coupled to each port of a plurality of ports of the storage system, and wherein each of the records stores the permission for each host of the plurality of hosts that accesses the data storage system through the port of the plurality of ports; for each request to access a file that is received via the IP network at each port of the plurality of ports of the data storage system, accessing the transient filter table to determine whether the host that initiated the respective request to access the file has the permission to access the one or more data volumes associated with the file, wherein the transient filter table stores, for each host of the plurality of hosts for each port of the plurality of ports, a bitmap identifying the host permissions for each of the one or more data volumes. - View Dependent Claims (25)
-
Specification