Systems and methods for security management of multi-client based distributed storage

US 9,871,816 B2
Filed: 04/21/2016
Issued: 01/16/2018
Est. Priority Date: 04/26/2015
Status: Active Grant

First Claim

Patent Images

1. A method of maintaining a security risk level of data objects stored in a distributed system, comprising:

estimating a current security risk level of at least one storage unit of each of a plurality of network nodes based on real time monitoring;

distributing a plurality of data objects among the at least one storage units of the plurality of network nodes according to the current security risk level such that a minimal security requirement of each data object is complied with;

detecting a change in the current security risk level of the at least one storage unit;

creating a new copy of at least one of the plurality of data objects stored on the at least one storage unit associated with the change in the current security risk level by reconstructing the new copy from redundancy data stored on at least one other node, for storage on a different network node such that the minimal security requirement of each data object of the plurality of data objects is maintained;

wherein existing data segments on the at least one storage unit associated with the change in the current security risk level are not used to create the new copy; and

wherein other segments related to other data objects of the plurality of data objects satisfying the change in the current security risk level are maintained on the at least one storage unit associated with the change in the current security risk level.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a method of maintaining a security risk level of data objects stored in a distributed system, comprising: estimating a current security risk level of at least one storage unit of each of a plurality of network nodes based on real time monitoring; distributing a plurality of data objects among the at least one storage units of the plurality of network nodes according to the current security risk level such that a minimal security requirement of each data object is complied with; detecting a change in the current security risk level of the at least one storage unit; and creating a new copy of at least one of the data objects for storage on a different network node such that the minimal security requirement of each data object is maintained.

Citations

33 Claims

1. A method of maintaining a security risk level of data objects stored in a distributed system, comprising:
- estimating a current security risk level of at least one storage unit of each of a plurality of network nodes based on real time monitoring;
  
  distributing a plurality of data objects among the at least one storage units of the plurality of network nodes according to the current security risk level such that a minimal security requirement of each data object is complied with;
  
  detecting a change in the current security risk level of the at least one storage unit;
  
  creating a new copy of at least one of the plurality of data objects stored on the at least one storage unit associated with the change in the current security risk level by reconstructing the new copy from redundancy data stored on at least one other node, for storage on a different network node such that the minimal security requirement of each data object of the plurality of data objects is maintained;
  
  wherein existing data segments on the at least one storage unit associated with the change in the current security risk level are not used to create the new copy; and
  
  wherein other segments related to other data objects of the plurality of data objects satisfying the change in the current security risk level are maintained on the at least one storage unit associated with the change in the current security risk level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1, wherein creating a new copy comprises creating the new copy of at least one data segment of the data object, wherein a plurality of data segments stored on different network nodes are used to reconstruct the data object.
  - 3. The method of claim 1, wherein creating a new copy comprises creating the new copy of a set of data segments sufficient to reconstruct the data object, wherein each member of the set is stored on a different network node.
  - 4. The method of claim 1, wherein the detecting is performed in real-time.
  - 5. The method of claim 1, wherein detecting is performed at time periods independent from at least one of:
    - data object storage operations and data object retrieval operations.
  - 6. The method of claim 1, wherein detecting comprises receiving network messages transmitted from each network node to at least one management unit, the network messages including a member of a group consisting of:
    - data for calculating a real-time security score, a calculated new security score, and the change in the security score.
  - 7. The method of claim 1, wherein the security risk level is a security score calculated from at least one of:
    - a current security risk score and a data integrity score.
  - 8. The method of claim 1, wherein the security risk level is a security score calculated from at least one security parameter selected from the group consisting of:
    - a risk of access by an unauthorized entity to stored objects, risk of compromising integrity of the stored objects, risk of compromising allowed access, and risk of infection by malware.
  - 9. The method of claim 8, wherein the security risk level represents a real-time probability of occurrence of an event defined by the at least one security parameter.
  - 10. The method of claim 1, wherein the security risk level is a security score calculated based on instructions issued by a remote unit to the network node to perform a security test locally that attempts to breach security of the respective storage units, and gathers the outcome of the test.
  - 11. The ethod of claim 1, further comprising adding metadata to each data object or part thereof, wherein the change in the security risk level is identified according to calculated changes in an integrity test performed on each data object using the added metadata.
  - 12. The method of claim 11, wherein the metadata includes at least ane member of a group consisting of:
    - random bytes and locations within the data. object, algebraic signatures, checksum values and hash values.
  - 13. The method of claim 1, wherein redistributing data objects comprises reconstructing at least one data object stored on the storage unit using data stored on other storage units, and storing the at least one reconstructed data object on a different storage unit.
  - 15. The method of claim 1, further comprising:
    - estimating the security risk level for the new network node; and
      
      adding the new network node to the distributed system when a minimal predefined system risk requirement is maintained by the new network node.
  - 16. The method of claim 15, further comprising processing the network node to increase the security risk level of the network node to the minimal predefined system requirement.
  - 17. The method of claim 1, further comprising:
    - receiving a new data object for storage within the distributed system, the data object associated with a security requirement representing a desired minimum security risk;
      
      dividing the new data object a plurality of data segments;
      
      designating each data segment for storage within a different storage unit such that the desired minimal security requirement of each data segment is maintained.
  - 18. The method of claim 1, further comprising:
    - identifying a storage unit having the change in the current security above a predefined system risk requirement; and
      
      redistributing all data objects stored on the identified storage unit, to storage on different storage units such that the minimal security requirement of each data object is maintained relative to the predefined system risk requirement.
  - 19. The method of claim 18, further comprising:
    - removing the identified storage unit from the distributed system.
  - 20. The method of claim 1, further comprising:
    - encrypting the data object to meet the minimum security requirement and maintaining other data objects in a non-encrypted state according to the minimum security requirement.
  - 21. The method of claim 1, further comprising:
    - providing a decryption key for decryption of encrypted data objects after confirmation of the minimum security requirement.
  - 22. The method of claim 1, further comprising increasing the security risk level of the storage unit by encrypting data objects stored thereon.
  - 23. The method of claim 1, wherein data objects are at least one of:
    - initially stored and redistributed to storage on different network nodes according to a predefined security profile.
  - 24. The method of claim 23, wherein the predefined security profile includes at least one member selected from the group consisting of:
    - designated contacts of a user providing the data object, a designated organization associated with the user, and a network service provider.
  - 25. The method of claim 1, further comprising:
    - analyzing changes in the security risk level to predict a future security risk level, and performing the creating the new copy before the minimal security risk level is reached.
  - 26. The method of claim 1, further comprising:
    - analyzing changes in the security risk level indicative of a risk event in the storage unit, quarantining the storage unit, reconstructing data objects stored on the storage unit from redundant data stored on other storage units, and redistributing the reconstructed data objects.

14. The method of claim i, wherein the security risk level is a security score calculated from at least one security parameter member selected from the group consisting of:
- history of detected security vulnerabilities, anti-malware software version installed on the network node, presence of a firewall, and physical location of the network node.

27. A system of storing data objects in distributed storage while maintaining a security requirement, comprising:
- a plurality of network nodes, each including at least one processor and at least one storage unit;
  
  wherein each storage unit is associated with a current security risk level estimated based on real time monitoring;
  
  wherein a plurality of data objects are distributed among the at least one storage units of the plurality of network nodes according to the current security risk level such that a minimal security requirement of each data object is complied with; and
  
  at least one management unit in communication with the plurality of network nodes, the at least one management unit including a code implementable by a processor of the at least one management unit to;
  
  detect a change in the current security of at least one of the plurality of network nodes and create a new'"'"' copy of at least one of the plurality of data objects stored on the at least one storage unit associated with the change in the current security risk level by reconstructing the new copy from redundancy data stored on at least one other node, for storage on a different network node such that the minimal security requirement of each data object of the plurality of data objects is maintained;
  
  wherein existing data segments on the at least one storage unit associated with the change in the current security risk level are not used to create the new copy; and
  
  wherein other segments related to other data objects of the plurality of data objects satisfying the change in the current security risk level are maintained on the at least one storage unit associated with the change in the current security risk level.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The system of claim 27, wherein the data objects are members selected from the group consisting of:
    - images, documents, databases, videos, operating system files, and medical records.
  - 29. The system of claim 27, wherein the data objects include code designed for distributed processing by local execution by the at least one processor of the respective node.
  - 30. The system of claim 27, further comprising an agent module for local installation at each network node, the agent module including a code implementable by a processor of the agent module to locally gather data to estimate the security risk level of the respective at least one storage unit, and transmit the gathered data to the management unit.
  - 31. The system of claim 27 , further comprising a client module in communication with the management unit, the client module including a code implementable by a processor of the client module to store a data object within the distributed system and retrieve the stored data object from the distributed system.
  - 32. The system of claim 31, wherein the client module is an application programming interface (API) that provides a high abstraction level of storing and accessing data objects locally at respective network nodes or client computers.

33. A computer program product for maintaining a security requirement of data objects stored in a distributed system comprising a readable storage medium storing program code thereon for use by a management unit, the program code comprising:
- instructions for estimating a current security risk level of at least one storage unit of each of a plurality of network nodes based on real time monitoring;
  
  instructions for distributing a plurality of data objects among the at least one storage units of the plurality of network nodes according to the current security risk level such that a minimal security requirement of each data object is complied with;
  
  instructions for detecting a change in the current security risk level of the at least one storage unit;
  
  instructions for creating a new copy of at least one of the plurality of data objects stored on the at least one storage unit associated with the change in the current security risk level by reconstructing the new copy from redundancy data stored on at least one other node, for storage on a different network node such that the minimal security requirement of each data object of the plurality of data objects is maintained;
  
  wherein existing data segments on the at least one storage unit associated with the change in the current security risk level are not used to create the new copy; and
  
  wherein other segments related to other data objects of the plurality of data objects satisfying the change in the current security risk level are maintained on the at least one storage unit associated with the change in the current security risk level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Y.G. Noobaa Ltd. (International Business Machines Corporation)
Inventors
Tamir, Eran, Margalit, Guy, Dimnik, Yuval
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
HOLMES, ANGELA R

Application Number

US15/318,676
Publication Number

US 20170155676A1
Time in Patent Office

635 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06F 11/2094   Redundant storage or storag...

G06F 11/3034   where the computing system ...

G06F 21/50   Monitoring users, programs ...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 2201/86   Event-based monitoring

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 67/1095   Replication or mirroring of...

Systems and methods for security management of multi-client based distributed storage

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for security management of multi-client based distributed storage

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links