Storage system with data-dependent security
Abstract
A host-independent storage facility selectively provides data-dependent security by initially storing a security key in association with a storage region, where that key must be presented by any host seeking access to the region. The storage system includes a storage controller coupled to a digital data storage and one or more hosts. Initially, the controller receives a set-access-key command from one of the hosts, identifying a storage region, an operation parameter identifying prohibited types of storage operations, and a reference access key. The controller stores the access key and the operation parameter in a reference location associated with the identified storage region. Later, the controller may receive storage access requests from the hosts. Requests include an identification of a requested storage region, an access type, and an input access key. In response, the controller retrieves the reference access key and operation parameter associated with the requested storage region. If the requested access type is not prohibited by the operation parameter, the controller executes the storage access request. Also, if the requested access type is prohibited by the retrieved operation parameter, the controller nonetheless executes the storage access request if the input and reference access keys match.
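The decision procedure in the abstract and in claims 1 to 3 (a key and operation parameter stored in the region itself, execution when the type is not prohibited, otherwise only on a matching key, and a host that issues set-access-key only when something is prohibited) modelled as an added Python example; this is not code from the patent, and the in-region header layout (flag byte, prohibited-operation bitmask, 16-byte key) and all names are assumptions for illustration.

```python
from hmac import compare_digest

READ, WRITE = 0x01, 0x02   # access types, encoded as bits of the operation parameter
HDR = 18                   # assumed header: flag (1) + operation parameter (1) + key (16)


class StorageController:
    """Each region is a bytearray; a protected region carries its own
    reference access key and operation parameter in its header."""

    def __init__(self):
        self.regions = {}

    def allocate(self, region_id, size=64):
        self.regions[region_id] = bytearray(HDR + size)   # flag 0: no key

    def set_access_key(self, region_id, ref_key, prohibited):
        # set-access-key command: store key and operation parameter in the
        # reference location associated with the region (here its header).
        if len(ref_key) != 16:
            raise ValueError("reference key must be 16 bytes")
        region = self.regions[region_id]
        region[0] = 1
        region[1] = prohibited
        region[2:HDR] = ref_key

    def _reference(self, region):
        # Read part of the region to learn whether a key is contained therein.
        if region[0] != 1:
            return None, 0
        return bytes(region[2:HDR]), region[1]

    def access(self, region_id, access_type, input_key=None):
        region = self.regions.get(region_id)
        if region is None:
            return "abort"
        ref_key, prohibited = self._reference(region)
        if ref_key is None:
            return "execute"                 # no reference key: execute as-is
        if not (prohibited & access_type):
            return "execute"                 # type not prohibited by the parameter
        # prohibited type: execute only on a matching key (constant-time compare)
        if input_key is not None and compare_digest(ref_key, bytes(input_key)):
            return "execute"
        return "abort"


def host_allocate(ctrl, region_id, ref_key, prohibited):
    # Host side of claim 3: allocate, then issue set-access-key only when the
    # operation parameter actually prohibits at least one operation.
    ctrl.allocate(region_id)
    if prohibited:
        ctrl.set_access_key(region_id, ref_key, prohibited)
    return region_id
```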
17 Claims
1. A data security method for use in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the storage containing one or more storage regions each associated with a reference access key, the storage also containing one or more storage regions without any associated reference access key, where the storage regions associated with reference access keys contain the associated reference access keys, the method comprising:
    the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region;
    the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein;
    if the requested storage region is not associated with a reference access key, the controller executing the request;
    if the requested storage region is associated with a reference access key, the controller determining whether the request includes an input access key matching the associated reference access key;
    if the request includes a matching access key, the controller executing the storage access request;
    if the request lacks a matching access key, the controller aborting the storage access request.

2. A data security method for use in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the storage containing one or more storage regions each associated with a reference access key, the storage also containing one or more storage regions without any associated reference access key, where the storage regions associated with reference access keys contain the associated reference access keys, the method comprising:
    the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region and an access type;
    the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein, and if the requested storage region is not associated with a reference access key, the controller executing the request;
    if the requested storage region is associated with a reference access key, the controller retrieving an operation parameter associated with the requested storage region and identifying prohibited access types for the requested storage region, and if the requested access type is not prohibited, executing the storage access request;
    if the requested storage region is associated with a reference access key and the requested access type is prohibited, the controller determining whether the request includes an input access key matching the reference access key, and if the request lacks a matching access key, aborting the storage access request;
    if the request includes a matching access key, the controller executing the requested storage access request.

3. A method for allocating space in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the method comprising:
    a first one of the hosts receiving an allocation request, the allocation request including:
        an identification of a requested storage region;
        a reference access key; and
        an operation parameter identifying prohibited types of storage operations involving the requested storage region;
    the first host responding to the allocation request by allocating the requested storage region;
    only if the operation parameter identifies one or more prohibited storage operations, the first host additionally issuing a set-access-key command to the controller; and
    in response to the set-access-key command, the controller storing the reference key and the operation parameter in a reference location in association with the allocated storage region.

Dependent claims 4, 5 and 6 add:
    the controller receiving a storage access request from one of the hosts, the request including an identification of the requested storage region, an access type, and an input access key;
    in response to the storage access request, the controller retrieving the reference access key and operation parameter; and
    only if the requested access type is not prohibited by the retrieved operation parameter or the input access key of the request matches the retrieved reference access key, the controller executing the storage access request, otherwise aborting the request.

7. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform a data security method in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the storage containing one or more storage regions associated with access keys, the storage also containing one or more storage regions without associated access keys, where the storage regions associated with reference access keys contain the associated reference access keys, the method comprising:
    the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region;
    the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein, and if the requested storage region is not associated with a reference access key, the controller executing the request;
    if the requested storage region is associated with a reference access key, the controller determining whether the request includes an input access key matching the associated reference access key;
    if the request includes a matching access key, the controller executing the storage access request;
    if the request lacks a matching access key, the controller aborting the storage access request.

8. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform a data security method in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the storage containing one or more storage regions each associated with a reference access key, the storage also containing one or more storage regions without any associated reference access key, where the storage regions associated with reference access keys contain the associated reference access keys, the method comprising:
    the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region and an access type;
    the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein, and if the requested storage region is not associated with a reference access key, the controller executing the request;
    if the requested storage region is associated with a reference access key, the controller retrieving an operation parameter associated with the requested storage region and identifying prohibited access types for the requested storage region, and if the requested access type is not prohibited, executing the storage access request;
    if the requested storage region is associated with a reference access key and the requested access type is prohibited, the controller determining whether the request includes an input access key matching the reference access key, and if the request lacks a matching access key, aborting the storage access request;
    if the request includes a matching access key, the controller executing the requested storage access request.

9. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform a method to allocate space in a storage system including a storage controller coupled to a digital data storage and one or more hosts, the method comprising:
    a first one of the hosts receiving an allocation request including:
        an identification of a requested storage region;
        a reference access key; and
        an operation parameter identifying prohibited types of storage operations involving the requested storage region;
    the first host responding to the allocation request by allocating the requested storage region;
    only if the operation parameter identifies one or more prohibited storage operations, the first host additionally directing the controller to store the reference access key and the operation parameter in a reference location in association with the allocated storage region.

(Dependent claims 10 and 11 are not reproduced on this page.)

12. A data storage system accessible by one or more hosts, comprising:
    a digital data storage containing one or more storage regions each associated with a reference access key, the storage also including one or more storage regions without any associated reference access key, where the storage regions associated with reference access keys contain the associated reference access keys;
    a storage controller, coupled to the storage and the hosts, the controller being programmed to selectively provide access to the storage by performing a method comprising:
        the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region;
        the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein, and if the requested storage region is not associated with a reference access key, the controller executing the request;
        if the requested storage region is associated with a reference access key, the controller determining whether the request includes an input access key matching the associated reference access key;
        if the request includes a matching access key, the controller executing the storage access request;
        if the request lacks a matching access key, the controller aborting the storage access request.

13. A data storage system accessible by one or more hosts, comprising:
    a digital data storage containing one or more storage regions each associated with a reference access key, the storage also containing one or more storage regions without any associated reference access key, where the storage regions associated with reference access keys contain the associated reference access keys; and
    a storage controller, coupled to the storage and the hosts, the controller being programmed to selectively provide access to the storage by performing a method comprising:
        the controller receiving a storage access request from one of the hosts, the request including an identification of a requested storage region and an access type;
        the controller determining whether the requested storage region is associated with a reference access key by reading at least some of the requested storage region to determine whether a reference access key is contained therein, and if the requested storage region is not associated with a reference access key, the controller executing the request;
        if the requested storage region is associated with a reference access key, the controller retrieving an operation parameter associated with the requested storage region and identifying prohibited access types for the requested storage region, and if the requested access type is not prohibited by the operation parameter, executing the storage access request;
        if the requested storage region is associated with a reference access key and the requested access type is prohibited by the operation parameter, the controller determining whether the request includes an input access key matching the reference access key, and if the request lacks a matching access key, aborting the storage access request;
        if the request includes a matching access key, the controller executing the requested storage access request.

14. A data storage system accessible by one or more hosts, comprising:
    a digital data storage; and
    one or more hosts coupled to the storage via a storage controller, each host being programmed to allocate space in the storage by:
        the host receiving an allocation request including:
            an identification of a requested storage region;
            a reference access key; and
            an operation parameter identifying prohibited types of storage operations involving the requested storage region;
        in response to the allocation request, the host allocating the requested storage region;
        only if the operation parameter identifies one or more prohibited storage operations, the host issuing a set-access-key command to the controller;
    the storage controller, programmed to respond to the set-access-key command by storing the reference access key and the operation parameter in a reference location in association with the allocated storage region.

Dependent claims 15, 16 and 17 add:
    the controller receiving a storage access request from one of the hosts, the request including an identification of the requested storage region, an access type, and an input access key;
    in response to the storage access request, the controller retrieving the reference access key and operation parameter;
    only if the requested access type is not prohibited by the retrieved operation parameter or the input access key of the request matches the retrieved reference access key, the controller executing the storage access request, otherwise aborting the request.

Specification