Storage system with data-dependent security

US 6,336,187 B1
Filed: 06/12/1998
Issued: 01/01/2002
Est. Priority Date: 06/12/1998
Status: Expired due to Term

First Claim

Patent Images

1. A data security method for use in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the storage containing one or more storage regions each associated with a reference access key, the storage also containing one or more storage regions without any associated reference access key, where the storage regions associated with reference access keys contain the associated reference access keys, the method comprising:

the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region;

the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein;

if the requested storage region is not associated with a reference access key, the controller executing the request;

if the requested storage region is associated with a reference access key, the controller determining whether the request includes an input access key matching the associated reference access key;

if the request includes a matching access key, the controller executing the storage access request;

if the request lacks a matching access key, the controller aborting the storage access request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A host-independent storage facility selectively provides data-dependent security by initially storing a security key in association with a storage region, where that key must be presented by any host seeking access to the region. The storage system includes a storage controller coupled to a digital data storage and one or more hosts. Initially, the controller receives a set-access-key command from one of the hosts, identifying a storage region, an operation parameter identifying prohibited types of storage operations, and a reference access key. The controller stores the access key and the operation parameter in a reference location associated with the identified storage region. Later, the controller may receive storage access requests from the hosts. Requests include an identification of a requested storage region, an access type, and an input access key. In response, the controller retrieves the reference access key and operation parameter associated with the requested storage region. If the requested access type is not prohibited by the operation parameter, the controller executes the storage access request. Also, if the requested access type is prohibited by the retrieved operation parameter, the controller nonetheless executes the storage access request if the input and reference access keys match.

127 Citations

17 Claims

1. A data security method for use in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the storage containing one or more storage regions each associated with a reference access key, the storage also containing one or more storage regions without any associated reference access key, where the storage regions associated with reference access keys contain the associated reference access keys, the method comprising:
- the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region;
  
  the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein;
  
  if the requested storage region is not associated with a reference access key, the controller executing the request;
  
  if the requested storage region is associated with a reference access key, the controller determining whether the request includes an input access key matching the associated reference access key;
  
  if the request includes a matching access key, the controller executing the storage access request;
  
  if the request lacks a matching access key, the controller aborting the storage access request.

2. A data security method for use in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the storage containing one or more storage region each associated with a reference access key, the storage also containing one or more storage regions without any associated reference access key, where the storage regions associated with reference access keys contain the associated reference access keys, the method comprising:
- the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region and an access type;
  
  the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein, and if the requested storage region is not associated with a reference access key, the controller executing the request;
  
  if the requested storage region is associated with a reference access key, the controller retrieving an operation parameter associated with the requested storage region and identifying prohibited access types for the requested storage region, and if the requested access type is not prohibited, executing the storage access request;
  
  if the requested storage region is associated with a reference access key and the requested access type is prohibited, the controller determining whether the request includes an input access log matching the reference access key, if the request lacks a matching access key, aborting the storage access request;
  
  if the request includes a matching access key, the controller executing the requested storage access request.

3. A method for allocating space in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the method comprising:
- a first one of the hosts receiving an allocation request the allocation including;
  
  an identification of a requested storage region;
  
  a reference access key; and
  
  an operation parameter identifying prohibited types of storage operations involving the requested storage region;
  
  the first host responding to the allocation request by allocating the requested storage region;
  
  only if the operation parameter identifies one or more prohibited storage operations, the first host additionally issuing a set-access-key command to the controller; and
  
  in response to the set-access-key command the controller storing the reference key and the operation parameter in a reference location in association with the allocated storage region.
- View Dependent Claims (4, 5, 6)
- - 4. The method of claim 3, the reference location being in the allocated storage region.
  - 5. The method of claim 3, the reference location being a storage use map stored outside the requested storage region and containing all allocated storage regions'"'"' operation parameters and reference access keys.
  - 6. The method of claim 3, the method further comprising:

7. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform a data security method in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the storage containing one or more storage regions associated with access keys, the storage also containing one or more storage regions without associated access keys, where the storage regions associated with reference access keys contain the associated reference access keys, the method comprising:
- the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region;
  
  the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein, if the requested storage region is not associated with a reference access key, the controller executing the request;
  
  if the requested storage region is associated with a reference access key, the controller determining whether the request includes an input access key matching the associated reference access key;
  
  if the request includes a matching access key, the controller executing the storage access request;
  
  if the request lacks a matching access key, the controller aborting the storage access request.

8. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform a data security method in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the storage containing one or more storage regions each associated with a reference access key, the storage also containing one or more storage regions without any associated reference access key, where the storage regions associated with reference access keys contain the associated reference access keys, the method comprising:
- the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region and an access type;
  
  the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein, and if the requested storage region is not associated with a reference access key, the controller executing the request;
  
  if the requested storage region is associated with a reference access key, the controller retrieving an operation parameter associated with the requested storage region and identifying prohibited access types for the requested storage region, and if the requested access type is not prohibited, executing the storage access request;
  
  if the requested storage region is associated with a reference access key and the requested access type is prohibited, the controller determining whether the request includes an input access log matching the reference access key, if the request lacks a matching access key, aborting the storage access request;
  
  if the request includes a matching access key, the controller executing the requested storage access request.

9. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform a method to allocate space in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the method comprising:
- a first one of the hosts receiving an allocation request including;
  
  an identification of a requested storage region;
  
  a reference access key; and
  
  an operation parameter identifying prohibited types of storage operations involving the requested storage region;
  
  the first host responding to the allocation request by allocating the requested storage region;
  
  only if the operation parameter identifies one or more prohibited storage operations, the first host additionally directing the controller to store the reference access key and the operation parameter in a reference location in association with the allocated storage region.
- View Dependent Claims (10, 11)
- - 10. The medium of claim 9, the reference location being in the allocated storage region.
  - 11. The medium of claim 9, the reference location being a storage use map stored outside the requested storage region and containing all allocated storage regions'"'"' operation parameters and reference access keys.

12. A data storage system accessible by one or more hosts, comprising:
- a digital data storage containing one or more storage regions each associated with a reference access key, the storage also including one or more storage regions without any associated reference access key, where the storage regions associated with reference access keys contain the associated reference access keys;
  
  a storage controller, coupled to the storage and the hosts, the controller being programmed to selectively provide access to the storage by performing a method comprising;
  
  the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region;
  
  the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein, if the requested storage region is not associated with a reference access key, the controller executing the request;
  
  if the requested storage region is associated with a reference access key, the controller determining whether the request included an input access key matching the associated reference access key;
  
  if the request includes a matching access key, the controller executing tire storage access request;
  
  if the request lacks a matching access key, the controller aborting the storage access request.

13. A data storage system accessible by one or more hosts, comprising:
- a digital data storage containing one or more storage regions each associated with a reference access key, the storage also containing one or more storage regions without any associated reference access key, where the storage regions associated with reference access keys contain the associated reference access keys; and
  
  a storage controller, coupled to the storage and the hosts, the controller being programmed to selectively provide access to the storage by performing a method comprising;
  
  the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region and an access type;
  
  the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein, and if the requested storage region is not associated with a reference access key, the controller executing the request;
  
  if the requested storage region is associated with a reference access key, the controller retrieving an operation parameter associated with the requested storage region and identifying prohibited access types for the requested storage region, and if the requested access type is not prohibited by the operation parameter, executing the storage access request;
  
  if the requested storage region is associated with a reference access key and the requested access type is prohibited by the operation parameter, the controller determining whether the request includes an input access key matching the reference access key, if the request lacks a matching access key, aborting the storage access request;
  
  if the request includes a matching access key, the controller executing the requested storage access request.

14. A data storage system accessible by one or more hosts, comprising:
- a digital data storage; and
  
  one or more hosts coupled to the storage via a storage controller, each host being programmed to allocate space in the storage by;
  
  the host receiving an allocation request including;
  
  an identification of a requested storage region;
  
  a reference access key; and
  
  an operation parameter identifying prohibited types of storage operations involving the requested storage region;
  
  in response to the allocation request, the host allocating the requested storage region;
  
  only if the operation parameter identifies one or more prohibited storage operations, the host issuing a set-access-key command to the controller;
  
  the storage controller, programmed to respond to the set-access-key by storing the reference access key and the operation parameter in a reference location in association with the allocated storage region.
- View Dependent Claims (15, 16, 17)
- - 15. The system of claim 14, the reference location being in the requested storage region.
  - 16. The system of claim 14, the reference location being a storage use map stored outside the requested storage region.
  - 17. The system of claim 14, the controller being further programmed to process storage access requests by:

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Sovik, Mark Anthony, Kern, Robert Frederic
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/096,962
Time in Patent Office

1,299 Days
Field of Search

713/161, 713/168, 713/200, 713/165, 713/166, 713/193, 705/54, 707/9, 711/164
US Class Current

713/161
CPC Class Codes

G06F 21/1077 Recurrent authorisation

Storage system with data-dependent security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

127 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Storage system with data-dependent security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

127 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links