SECURE DATA REPLICATION

US 20180107727A1
Filed: 11/22/2017
Published: 04/19/2018
Est. Priority Date: 04/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing an access policy for a storage resource within first storage hosted by a first computing device, wherein the access policy defines an authentication mechanism, an authorization mechanism, and an access control mechanism;

establishing a replication relationship between the first computing device and a second computing device for replicating data between the first storage and second storage hosted by the second computing device;

attaching the access policy to the replication relationship;

receiving a data replication request targeting the first storage; and

utilizing the authentication mechanism, the authorization mechanism, and the access control mechanism of the access policy to determine whether to implemented the data replication request.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One or more techniques and/or computing devices are provided for secure data replication. For example, a first storage controller may host first storage within which storage resources (e.g., files, logical unit numbers (LUNs), volumes, etc.) are stored. The first storage controller may establish an access policy with a001 second storage controller to which data is to be replicated from the first storage. The access policy may define an authentication mechanism for the first storage controller to authenticate the second storage controller, an authorization mechanism specifying a type of access that the second storage controller has for a storage resource, and an access control mechanism specifying how the second storage controller'"'"'s access to data of the storage resource is to be controlled. In this way, data replication requests may be authenticated and authorized so that data may be provided, according to the access control mechanism, in a secure manner.

1 Citation

20 Claims

1. A method comprising:
- establishing an access policy for a storage resource within first storage hosted by a first computing device, wherein the access policy defines an authentication mechanism, an authorization mechanism, and an access control mechanism;
  
  establishing a replication relationship between the first computing device and a second computing device for replicating data between the first storage and second storage hosted by the second computing device;
  
  attaching the access policy to the replication relationship;
  
  receiving a data replication request targeting the first storage; and
  
  utilizing the authentication mechanism, the authorization mechanism, and the access control mechanism of the access policy to determine whether to implemented the data replication request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the first computing device is hosted within a cloud computing environment.
  - 3. The method of claim 1, comprising:
    - negotiating the authentication mechanism between the first computing device and the second computing device.
  - 4. The method of claim 1, comprising:
    - specifying, within the authorization mechanism, that the second computing device has a first type of access to the storage resource.
  - 5. The method of claim 4, wherein the first storage comprises a second storage resource, and the method comprising:
    - specifying, within the authorization mechanism, that the second computing device has a second type of access to the second storage resource.
  - 6. The method of claim 5, wherein the type of access to the storage resource is different than the second type of access to the second storage resource.
  - 7. The method of claim 1, comprising:
    - negotiating, for inclusion within the access control mechanism, an encryption key for the first computing device to use for encrypting requested data of the storage resource for sending to the second computing device in response to data replication requests from the second computing device.
  - 8. The method of claim 1, comprising:
    - attaching the access policy as a shared access policy to a second replication relationship between the first computing device and a third computing device, the shared access policy associating the authentication mechanism, the authorization mechanism, and the access control mechanism with the third computing device.
  - 9. The method of claim 1, comprising:
    - establishing a second access policy for the storage resource, wherein the establishing comprises;
      
      defining, within the second access policy, a second authentication mechanism for authenticating a third computing device as having a trusted relationship with the first computing device;
      
      defining, within the second access policy, a second authorization mechanism specifying a type of access that the third computing device has for the storage resource; and
      
      defining, within the second access policy, an access control mechanism specifying access to data of the storage resource by the third computing device is to be controlled.
  - 10. The method of claim 9, wherein the type of access to the storage resource is different than a second type of access to the storage resource provided to the second computing device.
  - 11. The method of claim 9, wherein the authentication mechanism is different than a second authentication mechanism provided to the second computing device.
  - 12. The method of claim 9, wherein the access control mechanism is different than a second access control mechanism provided to the second computing device.
  - 13. The method of claim 1, comprising:
    - unilaterally modifying, by the first computing device without consent of the second computing device, the access policy.
  - 14. The method of claim 1, wherein the access policy is defined between a first storage virtual machine of the first computing device and a second virtual machine of the second computing device.

15. A non-transitory machine readable medium having stored thereon instructions for performing a method comprising machine executable code which when executed by at least one machine, causes the machine to:
- establish an access policy for a storage resource within first storage hosted by a first computing device, wherein the access policy defines an authentication mechanism, an authorization mechanism, and an access control mechanism;
  
  establish a replication relationship between the first computing device and a second computing device for replicating data between the first storage and second storage hosted by the second computing device;
  
  attach the access policy to the replication relationship;
  
  receive a data replication request targeting the first storage; and
  
  utilize the authentication mechanism, the authorization mechanism, and the access control mechanism of the access policy to determine whether to implemented the data replication request.
- View Dependent Claims (16, 17)
- - 16. The non-transitory machine readable medium of claim 15, wherein the machine executable code causes the machine to:
    - receive data, of a snapshot of the storage resource, from the first computing device in response to the first computing device authenticating the second computing device and authorizing snapshot replication access to the data of the storage resource based upon the data replication request.
  - 17. The non-transitory machine readable medium of claim 15, wherein the machine executable code causes the machine to:
    - receive an access denial response from the first computing device in response to the first computing device authenticating the second computing device and not authorizing a type of access to the data of the storage resource requested by the data replication request.

18. A computing device comprising:
- a memory containing machine readable medium comprising machine executable code having stored thereon instructions for performing a method; and
  
  a processor coupled to the memory, the processor configured to execute the machine executable code to cause the processor to;
  
  establish an access policy for a storage resource within first storage hosted by a first computing device, wherein the access policy defines an authentication mechanism, an authorization mechanism, and an access control mechanism;
  
  establish a replication relationship between the first computing device and a second computing device for replicating data between the first storage and second storage hosted by the second computing device;
  
  attach the access policy to the replication relationship;
  
  receive a data replication request targeting the first storage; and
  
  utilize the authentication mechanism, the authorization mechanism, and the access control mechanism of the access policy to determine whether to implemented the data replication request.
- View Dependent Claims (19, 20)
- - 19. The computing device of claim 18, wherein the access policy is a default access policy.
  - 20. The computing device of claim 18, wherein the access to the data comprises a baseline transfer of the storage resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Deshmukh, Vijay M., Patnaik, Pranab, Joshi, Uday Madhav, Komatsu, Kiyoshi James

Granted Patent

US 10,360,237 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/275   Synchronous replication

G06F 21/604   Tools and structures for ma...

G06F 21/6236   between heterogeneous systems

G06F 3/062   Securing storage systems

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/1095   Replication or mirroring of...

H04L 67/1097   for distributed storage of ...

SECURE DATA REPLICATION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

1 Citation

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE DATA REPLICATION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1 Citation

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links