Secure disk access control
First Claim
1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- receive, at a disk access security agent, a request from a security tool, the request relating to an event involving data records in a particular one of a plurality of storage devices, wherein each of the plurality of storage devices possesses local secure storage functionality and the disk access security agent has protected access to a common application programming interface (API) to interface with any one of the plurality of storage devices and invoke, through the common API, any one of a set of secure storage operations to be performed locally at the respective storage device, wherein the set of secure storage operations are defined through the common API;
use the common API to interface with secure storage functionality of the particular storage device to invoke a particular one of the set of secure storage operations at the particular storage device based at least in part on the request, wherein the set of secure storage operations comprises a direct read operation, a direct write operation, a copy-on-write operation, and a save-attempted-write operation,wherein the copy-on-write operation comprises identifying an attempted write operation of a particular one of the data records and, prior to allowing the attempted write operation, copying data of the one or more data records to a copy-on-write backup location, andwherein the save-attempted-write operation comprises disallowing an attempted write operation on a first record, causing the write operation to be instead performed on a save-attempted-write (SAW) record, and causing a response to be generated to a read-back request of the particular data record with a false data read incorporating contents of the written-to SAW record.
10 Assignments
0 Petitions
Accused Products
Abstract
A request is received from a security tool, the request relating to an event involving data records in a storage device. An application programming interface (API) is used to interface with secure storage functionality of the storage device, the secure storage functionality enabling a set of secure storage operations. A security operation is caused to be performed at the storage device involving the data records based at least in part on the request. In one aspect, the set of secure storage operations can include a direct read operation, a direct write operation, a copy-on-write operation, and a save-attempted-write operation.
20 Citations
16 Claims
-
1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
-
receive, at a disk access security agent, a request from a security tool, the request relating to an event involving data records in a particular one of a plurality of storage devices, wherein each of the plurality of storage devices possesses local secure storage functionality and the disk access security agent has protected access to a common application programming interface (API) to interface with any one of the plurality of storage devices and invoke, through the common API, any one of a set of secure storage operations to be performed locally at the respective storage device, wherein the set of secure storage operations are defined through the common API; use the common API to interface with secure storage functionality of the particular storage device to invoke a particular one of the set of secure storage operations at the particular storage device based at least in part on the request, wherein the set of secure storage operations comprises a direct read operation, a direct write operation, a copy-on-write operation, and a save-attempted-write operation, wherein the copy-on-write operation comprises identifying an attempted write operation of a particular one of the data records and, prior to allowing the attempted write operation, copying data of the one or more data records to a copy-on-write backup location, and wherein the save-attempted-write operation comprises disallowing an attempted write operation on a first record, causing the write operation to be instead performed on a save-attempted-write (SAW) record, and causing a response to be generated to a read-back request of the particular data record with a false data read incorporating contents of the written-to SAW record. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A method comprising:
-
receiving, at a disk access security agent, a request from a security tool, the request relating to an event involving data records in a particular one of a plurality of storage devices, wherein each of the plurality of storage devices possesses local secure storage functionality and the disk access security agent has protected access to a common application programming interface (API) to interface with any one of the plurality of storage devices and invoke, through the common API, any one of a set of secure storage operations to be performed locally at the respective storage device, wherein the set of secure storage operations are defined through the common API; and using the common API to interface with secure storage functionality of the particular storage device to invoke a particular one of the set of secure storage operations at the particular storage device based at least in part on the request, wherein the set of secure storage operations comprises a direct read operation, a direct write operation, a copy-on-write operation, and a save-attempted-write operation, wherein the copy-on-write operation comprises identifying an attempted write operation of a particular one of the data records and, prior to allowing the attempted write operation, copying data of the one or more data records to a copy-on-write backup location, and wherein the save-attempted-write operation comprises disallowing an attempted write operation on a first record, causing the write operation to be instead performed on a save-attempted-write (SAW) record, and causing a response to be generated to a read-back request of the particular data record with a false data read incorporating contents of the written-to SAW record.
-
-
14. A system comprising:
-
a processor device; a secure storage-enabled storage device including logic to perform a set of secure storage operations at records of the storage device, wherein the set of secure storage operations comprises a direct read operation, a direct write operation, a copy-on-write operation, and a save-attempted-write operation; a common application programming interface (API) to interface with any one of the plurality of storage devices and define a set of secure storage operations; a disk access security agent, when executed by the processor device to; receive a request from a security tool, the request relating to an event involving data records in a particular one of a plurality of secure storage-enabled storage devices, wherein the disk access security agent has protected access to the common API; and use the common API to interface with secure storage functionality of the particular storage device to invoke a particular one of the set of secure storage operations at the particular storage device based at least in part on the request, wherein the copy-on-write operation comprises identifying an attempted write operation of a particular one of the data records and, prior to allowing the attempted write operation, copying data of the one or more data records to a copy-on-write backup location, and wherein the save-attempted-write operation comprises disallowing an attempted write operation on a first record, causing the write operation to be instead performed on a save-attempted-write (SAW) record, and causing a response to be generated to a read-back request of the particular data record with a false data read incorporating contents of the written-to SAW record. - View Dependent Claims (15, 16)
-
Specification