Storage security using cryptographic splitting

US 8,392,682 B2
Filed: 12/17/2008
Issued: 03/05/2013
Est. Priority Date: 12/17/2008
Status: Active Grant

First Claim

Patent Images

1. A system for administrative management of a secure data storage network utilizing cryptographically splitting data as it is stored and retrieved from storage devices, the system comprising:

a secure storage appliance configured to host a plurality of volumes, each volume associated with a plurality of shares stored on a corresponding plurality of physical storage devices and having a plurality of volume management settings;

wherein each volume is accessible by a group of one or more users, each user assigned an administrative access level, the group of one or more users defines a separate community of interest;

wherein the volume management settings are editable by a first user from the group of one or more users associated with the volume and assigned an administrative access level sufficient to edit the volume management settings;

wherein the volume management settings are inaccessible by a second user from outside the group of one or more users associated with the volume and assigned an administrative access level at least equal to that of the first user;

wherein the cryptographically splitting data utilize a plurality of encryption keys to create a plurality of separate community of interest data sets in which the primary write requests and corresponding plurality of secondary write request are members of the community of interest associated with the one of the plurality of encryption keys used in the write requests.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for administrative management of a secure data storage network are disclosed. One system includes a secure storage appliance configured to host a plurality of volumes, each volume associated with a plurality of shares stored on a corresponding plurality of physical storage devices and having a plurality of volume management settings, wherein each volume is accessible by a group of one or more users, each user assigned an administrative access level, the volume management settings are editable by a first user from the group of one or more users associated with the volume and assigned an administrative access level sufficient to edit the volume management settings, and the volume management settings are inaccessible by a second user from outside the group of one or more users associated with the volume and assigned an administrative access level at least equal to that of the first user.

Citations

20 Claims

1. A system for administrative management of a secure data storage network utilizing cryptographically splitting data as it is stored and retrieved from storage devices, the system comprising:
- a secure storage appliance configured to host a plurality of volumes, each volume associated with a plurality of shares stored on a corresponding plurality of physical storage devices and having a plurality of volume management settings;
  
  wherein each volume is accessible by a group of one or more users, each user assigned an administrative access level, the group of one or more users defines a separate community of interest;
  
  wherein the volume management settings are editable by a first user from the group of one or more users associated with the volume and assigned an administrative access level sufficient to edit the volume management settings;
  
  wherein the volume management settings are inaccessible by a second user from outside the group of one or more users associated with the volume and assigned an administrative access level at least equal to that of the first user;
  
  wherein the cryptographically splitting data utilize a plurality of encryption keys to create a plurality of separate community of interest data sets in which the primary write requests and corresponding plurality of secondary write request are members of the community of interest associated with the one of the plurality of encryption keys used in the write requests.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the volume management settings are inaccessible by a third user from among the group of one or more users associated with the volume and assigned an administrative access level lower than that of the first user.
  - 3. The system of claim 1, wherein the administrative access level is selected from among a group of administrative access levels.
  - 4. The system of claim 1, wherein the volume management settings include user rights relating to the volume.
  - 5. The system of claim 1, wherein the volume management settings include an ability to create or destroy volumes.

6. A system for administrative management of a secure data storage network network utilizing cryptographically splitting data as it is stored and retrieved from storage devices, the system comprising:
- a secure storage appliance configured to host a plurality of volumes, each volume associated with a plurality of shares stored on a corresponding plurality of physical storage devices and having a plurality of volume management settings;
  
  a security group definition designating a plurality of security groups, each security group associated with a volume and assigned to a security administrator, wherein volume management settings of a volume associated with one of the plurality of security groups are editable by the security administrator associated with the security group, the security group of one or more users defines a separate community of interest;
  
  wherein the cryptographically splitting data utilize a plurality of encryption keys to create a plurality of separate community of interest data sets in which the primary write requests and corresponding plurality of secondary write request are members of the community of interest associated with the one of the plurality of encryption keys used in the write requests.
- View Dependent Claims (7, 8, 9)
- - 7. The system of claim 6, wherein the security group definition is editable by a security group administrator different from the security administrator.
  - 8. The system of claim 6, wherein the security administrator is a domain administrator.
  - 9. The system of claim 6, wherein the secure storage appliance is located within a domain, and wherein the security group corresponds to the users able to access the domain.

10. A method of accessing administrative settings in a secure storage appliance network utilizing cryptographically splitting data as it is stored and retrieved from storage devices, the method comprising:
- receiving a request for administrative access to a volume managed by the secure storage appliance, the volume associated with a plurality of shares stored on a plurality of physical storage devices, the request including an identifier of an administrative user;
  
  checking an administrative access level to determine access rights of the administrative user;
  
  responding to the request for administrative access based on an outcome of checking the administrative access level; and
  
  generating a log record of the received request for administrative access;
  
  wherein the administrative user lacks access rights to a second volume different from the volume associated with a share stored on the plurality of physical storage devices;
  
  wherein the cryptographically splitting data utilize a plurality of encryption keys to create a plurality of separate community of interest data sets in which the primary write requests and corresponding plurality of secondary write request are members of the community of interest associated with the one of the plurality of encryption keys used in the write requests.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The method of claim 10, wherein responding to the request for administrative access includes, upon determining that the administrative user has sufficient access rights to the volume, providing administrative access to the volume to the administrative user.
  - 12. The method of claim 10, wherein responding to the request for administrative access includes, upon determining that the administrative user lacks sufficient access rights to the volume, denying administrative access to the volume to the administrative user.
  - 13. The method of claim 10, wherein a second administrative user has an associated administrative access level sufficient to allow administrative access to the second volume to the second administrative user.
  - 14. The method of claim 10, further comprising allowing a security administrator to edit the access rights of the administrative user.
  - 15. The method of claim 10, wherein the security administrator lacks at least one of the access rights associated with the administrative user.
  - 16. The method of claim 10, further comprising allowing an audit administrator to view the log record.
  - 17. The method of claim 10, wherein the request for administrative access includes a request to perform an administrative function of the secure storage appliance.
  - 18. The method of claim 17, wherein the administrative access level defines administrative functions allowable to the administrative user.
  - 19. The method of claim 18, wherein the administrative functions include editing cryptographic settings, viewing audit logs, editing volume settings, editing user group settings, accessing encryption keys, and defining administrative access levels.
  - 20. The method of claim 10, wherein checking an administrative access level to determine access rights of the administrative user is based on the identifier of the administrative user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unisys Corporation
Original Assignee
Unisys Corporation
Inventors
Dodgson, David, Neill, Joseph, Farina, Ralph, Chin, Edward, French, Albert, Summers, Scott, Johnson, Robert
Primary Examiner(s)
NGUYEN, HIEP T

Application Number

US12/336,564
Publication Number

US 20100153670A1
Time in Patent Office

1,539 Days
Field of Search

None
US Class Current

711/163
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

H04L 69/40   for recovering from a failu...

H04L 9/085   Secret sharing or secret sp...

H04L 9/088   Usage controlling of secret...

H04L 9/0897   involving additional device...

Storage security using cryptographic splitting

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Storage security using cryptographic splitting

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links