Method and apparatus for securing data storage while insuring control by logical roles

US 8,127,147 B2
Filed: 05/10/2005
Issued: 02/28/2012
Est. Priority Date: 05/10/2005
Status: Active Grant

First Claim

Patent Images

1. A device comprising:

a host computer system comprisinga host processor;

a data storage device comprising;

a command interface configured to receive commands from the host computer system and a second computer communicatively coupled to the host computer system;

a data storage medium;

a data storage device controller coupled to the command interface and the data storage medium, the data storage device controller adapted to;

create a security partition on the data storage medium when an authorization to create the security partition is received from the second computer along a direct secure connection that bypasses a host operating system while the host processor is executing the host operating system; and

reject a request to create the security partition when the authorization is not received from the second computer.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A storage device with hardened security features has a storage medium, an interface, and a controller. The interface is adapted to communicatively couple the storage device to a host system. The controller is within the storage device and is adapted to read and to write information to and from the storage medium. The controller is adapted to require a security partition authorization from a manufacturer of the storage device before executing a security partition creation command received over the interface.

47 Citations

View as Search Results

16 Claims

1. A device comprising:
- a host computer system comprisinga host processor;
  
  a data storage device comprising;
  
  a command interface configured to receive commands from the host computer system and a second computer communicatively coupled to the host computer system;
  
  a data storage medium;
  
  a data storage device controller coupled to the command interface and the data storage medium, the data storage device controller adapted to;
  
  create a security partition on the data storage medium when an authorization to create the security partition is received from the second computer along a direct secure connection that bypasses a host operating system while the host processor is executing the host operating system; and
  
  reject a request to create the security partition when the authorization is not received from the second computer.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The device of claim 1 wherein the data storage device further comprises a cryptography chip configured to authenticate the authorization, the cryptography chip coupled to the data storage device controller to indicate to the data storage device controller whether the authorization is authentic.
  - 3. The device of claim 1 wherein the data storage device further comprises an existing security partition on the data storage medium and an authority table stored within the existing security partition, the authority table defining multiple permitted users that have privileges related to the existing security partition, wherein different users of the multiple permitted users may have different privileges related to the existing security partition.
  - 4. The device of claim 1 wherein the security partition further comprises an area of the data storage medium that is hidden from the operating system.
  - 5. The device of claim 1 wherein the data storage medium comprises multiple secure partitions, each of the multiple secure partitions for exclusive use by a specific authorized application.
  - 6. The device of claim 1 wherein the data storage medium further comprises a master security partition having at least one security key, wherein the data storage device controller is configured to compare the at least one security key to a second security key received from the second computer to verify the second computer is allowed to issue the authorization to create the security partition on the data storage medium.

7. A device comprising a data storage controller configured to:
- receive a request to create a security partition on a data storage medium from a client system;
  
  instruct the client system to request authorization to create the security partition from a second computer and connect to the second computer through a secure tunnel;
  
  create the security partition when an authorization to create the security partition is received from the second computer through the secure tunnel; and
  
  reject the request to create the security partition when the authorization is not received from the second computer.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The device of claim 7 wherein the second computer comprises an authorization server communicatively coupled to the client system via a network.
  - 9. The device of claim 8 wherein when the data storage controller creates the security partition the data storage controller initializes access controls to the security partition, the access controls including role-based access rights to the security partition.
  - 10. The device of claim 9 wherein the authorization comprises a command authorizing the data storage controller to instantiate the security partition.
  - 11. The data storage device of claim 7 further comprising a cryptography chip configured to indicate to the data storage controller whether the authorization is authentic by comparing a first security key stored in a secure area to a second security key received from the second computer.
  - 12. The data storage device of claim 7 wherein the data storage medium comprises multiple secure partitions, each of the multiple secure partitions for exclusive use by a specific authorized application, and each of the multiple security partitions comprises an area of the data storage medium that is hidden from an operating system of the host computer.

13. A server comprising:
- an interface to receive data and commands from a network;
  
  a controller coupled to the interface and configured to;
  
  receive an authorization request to create a security partition on an external data storage device that is external to the server, the authorization request identifying a specific application requesting creation of the security partition, wherein a security partition comprises an area of a data storage medium of the external data storage device that has a restricted access and is used exclusively by a specific authorized application;
  
  determine whether an application requesting the authorization request is trusted;
  
  determine whether to issue the authorization based on the comparison;
  
  issue the authorization by sending an authorization indicator to the external data storage device when the requesting application is trusted; and
  
  reject the authorization by sending a rejection indicator to the external data storage device when the requesting application is not trusted.
- View Dependent Claims (14, 15, 16)
- - 14. The server of claim 13 further comprising the controller configured to determine if the requested security partition already exists and, when the requesting application is trusted, authorize use of the security partition for the specific authorized application when the security partition already exists.
  - 15. The server of claim 13 further comprising the controller configured to establish a secure connection to send communications from the server, through the network and through a host computer of the data storage device, to the data storage device, to bypass an operating system of the host computer.
  - 16. The server of claim 13 further comprising the controller configured to receive the authorization request from a second server communicatively coupled to the interface, wherein the external data storage device is part of a host system that is also external to the second server, and the authorization request from the second server comprises an authorization request to create a security partition on the external data storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Original Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Inventors
Thibadeau, Robert
Primary Examiner(s)
Cervetti, David García

Application Number

US11/125,491
Publication Number

US 20060259785A1
Time in Patent Office

2,485 Days
Field of Search

713/191, 713/193, 711/173, 726/1, 726/2, 726/27, 726/29
US Class Current

713/193
CPC Class Codes

G06F 21/80 in storage media based on m...

Method and apparatus for securing data storage while insuring control by logical roles

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for securing data storage while insuring control by logical roles

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links