System and method for storage operation access security

US 8,655,914 B2
Filed: 03/30/2007
Issued: 02/18/2014
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of securing storage operations in a data management system, comprising:

receiving a request to perform a storage operation that includes creating a secondary copy of data from a source location,wherein the created secondary copy of the data is stored at an external remote storage location that is remote from the source location, andwherein the secondary copy stored at the external remote storage location is not actively being used by a live data server; and

executing a storage access control system to provide a security infrastructure to selectively limit access to the secondary copy of data, wherein executing the storage access control system includes;

querying a file system at the source location for preexisting access control information,wherein the access control information is associated with the source location, andwherein the preexisting access control information is used by at least a portion of the file system at the source location to perform file system operations,wherein the preexisting access control information defines access rights of individual users and groups of users to the data from the source location; and

applying the access control information to the secondary copy at the external remote storage location,wherein applying the access control information only includes referencing the access control information by the storage access control system or only incorporating the access control information into the storage access control system,wherein the applying of the access control information to the secondary copy at the external remote storage location comprises permitting, prohibiting, or modifying at least part of the requested storage operation, andwherein the applying of the access control information to the secondary copy at the external remote storage location further comprises storing metadata describing the access control information in a content index that controls access for the individual users and groups of users to secondary copies of data stored at the remote storage location that are not actively being used by a live data server.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for controlling access to stored data is provided. The storage access control system leverages a preexisting security infrastructure of a system to inform the proper access control that should be applied to data stored outside of its original location, such as a data backup. The storage access control system may place similar access control restrictions on the backup files that existed on the original files. In this way, the backed up data is given similar protection as that of the original data.

Citations

27 Claims

1. A computer-implemented method of securing storage operations in a data management system, comprising:
- receiving a request to perform a storage operation that includes creating a secondary copy of data from a source location,wherein the created secondary copy of the data is stored at an external remote storage location that is remote from the source location, andwherein the secondary copy stored at the external remote storage location is not actively being used by a live data server; and
  
  executing a storage access control system to provide a security infrastructure to selectively limit access to the secondary copy of data, wherein executing the storage access control system includes;
  
  querying a file system at the source location for preexisting access control information,wherein the access control information is associated with the source location, andwherein the preexisting access control information is used by at least a portion of the file system at the source location to perform file system operations,wherein the preexisting access control information defines access rights of individual users and groups of users to the data from the source location; and
  
  applying the access control information to the secondary copy at the external remote storage location,wherein applying the access control information only includes referencing the access control information by the storage access control system or only incorporating the access control information into the storage access control system,wherein the applying of the access control information to the secondary copy at the external remote storage location comprises permitting, prohibiting, or modifying at least part of the requested storage operation, andwherein the applying of the access control information to the secondary copy at the external remote storage location further comprises storing metadata describing the access control information in a content index that controls access for the individual users and groups of users to secondary copies of data stored at the remote storage location that are not actively being used by a live data server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the storage operation comprises a backup of the data from the source location to the external remote storage location.
  - 3. The method of claim 1 wherein the storage operation comprises making a snapshot copy of the data.
  - 4. The method of claim 1 wherein the source location data comprises a file system object.
  - 5. The method of claim 1 wherein the source location data comprises an application data object.
  - 6. The method of claim 1 wherein the external remote storage location comprises a storage device for storing secondary copies of data.
  - 7. The method of claim 1 wherein applying the access control information to the secondary copy at the external remote storage location further comprises storing the access control information with the secondary copy of the data at the external remote storage location.
  - 8. The method of claim 1 wherein applying the access control information to the secondary copy at the external remote storage location further comprises encrypting the data based on the access control information.
  - 9. The method of claim 1, further comprising:
    - retrieving user email addresses for use by the storage access control system; and
      
      sending an email message to one or more of the user email addresses if the storage operation fails.
  - 10. The method of claim 1, further comprising:
    - receiving criteria from a user for a two-pass search of the external remote storage location;
      
      performing a first pass search of portions of the external remote storage location that have already been accessed by the user; and
      
      performing a second pass search of results of the course search to determine which of the results the user is authorized to receive.
  - 11. The method of claim 1, further comprising:
    - searching one or more portions of the external remote storage location based on search criteria received from a user; and
      
      displaying a no access indicator on search results the user is not authorized to access,wherein the search results are generated in response to the searching the one or more portions of the external remote storage location.

12. A non-transitory computer-readable medium storing instruction that, when executed by at least one data processing device, performs a method of securing storage operations in a data management system, comprising:
- receiving a request to perform a storage operation that includes creating a secondary copy of data from a source location,wherein the created secondary copy of the data is stored at an external remote storage location that is remote from the source location, andwherein the secondary copy stored at the external remote storage location is not actively being used by a live data server;
  
  querying a file system, by a storage access control system, at the source location for preexisting access control information,wherein the access control information is associated with the source location, andwherein the preexisting access control information is used by at least a portion of the file system at the source location to perform file system operations,wherein the preexisting access control information defines access rights of individual users and groups of users to the data from the source location; and
  
  applying settings of the storage access control system to the secondary copy by applying the access control information to the secondary copy at the external remote storage location,wherein applying the access control information only includes referencing the access control information by the storage access control system or only incorporating the access control information into the storage access control system,wherein the applying of the access control information to the secondary copy at the external remote storage location comprises permitting, prohibiting, or modifying at least part of the requested storage operation, andwherein the applying of the access control information to the secondary copy at the external remote storage location further comprises storing metadata describing the access control information in a content index that controls access to secondary copies of data stored at the remote storage location that are not actively being used by a live data server.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The computer-readable medium of claim 12 wherein the storage operation comprises a backup of the data from the source location to the external remote storage location.
  - 14. The computer-readable medium of claim 12 wherein the storage operation comprises making a snapshot copy of the data.
  - 15. The computer-readable medium of claim 12 wherein the source location data comprises a file system object.
  - 16. The computer-readable medium of claim 12 wherein the source location data comprises an application data object.
  - 17. The computer-readable medium of claim 12 wherein the external remote storage location comprises a storage device for storing secondary copies of data.
  - 18. The computer-readable medium of claim 12 wherein applying the access control information to the secondary copy at the external remote storage location further comprises storing the access control information with the secondary copy of the data at the external remote storage location.
  - 19. The computer-readable medium of claim 12 wherein applying the access control information to the secondary copy at the external remote storage location further comprises encrypting the data based on the access control information.

20. A system for securing storage operations in a data management system, the system comprising:
- means for receiving a request to perform a storage operation that includes creating a secondary copy of data from a source location,wherein the created secondary copy of the data is stored at an external remote storage location that is remote from the source location, andwherein the secondary copy stored at the external remote storage location is not actively being used by a live data server;
  
  means for querying, by a storage access control system, a file system at the source location for preexisting access control information,wherein the access control information is associated with the source location, andwherein the preexisting access control information is used by at least a portion of the file system at the source location to perform file system operations,wherein the preexisting access control information defines access rights of individual users and groups of users to the data from the source location; and
  
  means for applying settings of the storage access control system to the secondary copy by applying the access control information to the secondary copy at the external remote storage location,wherein applying the access control information only includes referencing the access control information by the storage access control system or only incorporating the access control information into the storage access control system,wherein the applying of the access control information to the secondary copy at the external remote storage location comprises permitting, prohibiting, or modifying at least part of the requested storage operation, andwherein the applying of the access control information to the secondary copy at the external remote storage location further comprises storing metadata describing the access control information in a content index that controls access to secondary copies of data stored at the remote storage location that are not actively being used by a live data server.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The system of claim 20 wherein the storage operation comprises a backup of the data from the source location to the external remote storage location.
  - 22. The system of claim 20 wherein the storage operation comprises making a snapshot copy of the data.
  - 23. The system of claim 20 wherein the source location data comprises a file system object.
  - 24. The system of claim 20 wherein the source location data comprises an application data object.
  - 25. The system of claim 20 wherein the external remote storage location comprises a storage device for storing secondary copies of data.
  - 26. The system of claim 20 wherein applying the access control information to the secondary copy at the external remote storage location further comprises storing the access control information with the secondary copy of the data at the external remote storage location.
  - 27. The system of claim 20 wherein applying the access control information to the secondary copy at the external remote storage location further comprises encrypting the data based on the access control information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Prahlad, Anand, Kavuri, Srinivas, Varadharajan, Prakash
Primary Examiner(s)
DWIVEDI, MAHESH H

Application Number

US11/694,784
Publication Number

US 20080091747A1
Time in Patent Office

2,517 Days
Field of Search

None
US Class Current

707/781
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

System and method for storage operation access security

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for storage operation access security

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links