Secure high performance multi-level security database systems and methods

US 8,682,845 B2
Filed: 07/02/2009
Issued: 03/25/2014
Est. Priority Date: 07/09/2008
Status: Active Grant

First Claim

Patent Images

1. A system for sharing data over one or more networks, the system comprising:

a storage area network configured to communicate with the one or more networks;

a first component configured to route data to and from the storage area network via a first storage network connection;

a second component configured to route data to and from the storage area network via a second storage network connection;

a gateway component configured to control the routing of data between the first and second components and the storage area network; and

a metadata controller configured to separate metadata from the data, store the metadata in a first database, and store the data without metadata in a second database, whereinthe metadata includes the data location of and is required to access the data without metadata stored in the second database,the metadata controller is located behind the gateway component,the gateway component includes a security component that directly controls and authorizes access to the metadata controller and the metadata,requests for data are made by a client through the gateway component via a first channel network connection, andtransfers of data are made directly from the storage area network to the client through a second channel and without passing through the gateway component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with one or more embodiments of the present disclosure, systems and methods described herein provide for transferring data over one or more networks. A storage area network is adapted to communicate with the one or more networks. A first component is adapted to route data to and from the storage area network. A second component is adapted to route data to and from the storage area network. A gateway component is adapted to control the routing of data between the first and second components and the storage area network. The storage area network is adapted to separate metadata from the data and store the metadata in a secure server positioned behind the gateway component.

Citations

24 Claims

1. A system for sharing data over one or more networks, the system comprising:
- a storage area network configured to communicate with the one or more networks;
  
  a first component configured to route data to and from the storage area network via a first storage network connection;
  
  a second component configured to route data to and from the storage area network via a second storage network connection;
  
  a gateway component configured to control the routing of data between the first and second components and the storage area network; and
  
  a metadata controller configured to separate metadata from the data, store the metadata in a first database, and store the data without metadata in a second database, whereinthe metadata includes the data location of and is required to access the data without metadata stored in the second database,the metadata controller is located behind the gateway component,the gateway component includes a security component that directly controls and authorizes access to the metadata controller and the metadata,requests for data are made by a client through the gateway component via a first channel network connection, andtransfers of data are made directly from the storage area network to the client through a second channel and without passing through the gateway component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the metadata controller is configured to encrypt and store the metadata in the first database separate from the second database, and wherein the first database comprises a metadata database.
  - 3. The system of claim 1, wherein the metadata controller is configured to encrypt and store the data without the metadata in the second database separate from the first database.
  - 4. The system of claim 1, wherein the first and second databases comprise RAID storage devices.
  - 5. The system of claim 1, wherein the gateway security component controls one or more authorizations and decryption keys for accessing at least the data in the storage area network.
  - 6. The system of claim 1, wherein the gateway security component controls access to at least the data in the storage area network from different security domains.
  - 7. The system of claim 1, wherein at least one of the first and second storage network connections to the storage area network comprises a Fiber Channel network connection.
  - 8. The system of claim 1, wherein the data comprises multi-level security data, and wherein the storage area network is configured to store the multi-level security data in the second database separate from the first database.
  - 9. The system of claim 1, wherein the metadata controller comprises a metadata server configured to control the routing of data between the first and second components, the first and second databases, and the storage area network.
  - 10. The system of claim 1, wherein the metadata controller comprises a plurality of metadata host-bus adapters, each configured to communicate with the first and second databases separately of the others.
  - 11. The system of claim 1, wherein the first component comprises a network server configured to communicate with the storage area network to route data to and from the storage area network via the first storage network connection.
  - 12. The system of claim 1, wherein the second component comprises a second server configured to communicate with the storage are network to route data to and from the storage area network via the second storage network connection.
  - 13. The system of claim 1, further comprising a channel switching mechanism configured to route data between the metadata controller and one or more of the first component, the second component, the first database, and the second database.
  - 14. The system of claim 13, wherein the channel switching mechanism comprises one or more shared storage network ports that are configured to be controlled by the metadata controller, and wherein the use of the shared storage network ports are monitored by the metadata controller.
  - 15. The system of claim 14, wherein the shared storage network ports are enabled by the metadata controller for use, and wherein the shared storage network ports are disabled by the metadata controller when not in use.

16. A method for sharing data over one or more networks, the method comprising:
- establishing a storage area network to facilitate communication with the one or more networks;
  
  routing data to and from a first component over the storage area network via a first storage network connection;
  
  routing data to and from a second component over the storage area network via a second storage network connection;
  
  controlling the routing of data between the first and second components and the storage area network with a gateway component; and
  
  using a metadata controller to;
  
  separate metadata from the data;
  
  store the metadata in a first database; and
  
  store the data without metadata in a second database, whereinthe metadata includes the data location of and is required to access the data without metadata stored in the second database,the metadata controller is located behind the gateway component,the gateway component includes a security component that directly controls and authorizes access to the metadata controller and the metadata,requests for data are made by a client through the gateway component via a first channel network connection, andtransfers of data are made directly from the storage area network to the client through a second channel and without passing through the gateway component.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The method of claim 16, further comprising encrypting and storing the metadata in the first database separate from the second database, and wherein the first database comprises a metadata database.
  - 18. The method of claim 16, further comprising encrypting and storing the data without the metadata in the second database separate from the first database.
  - 19. The method of claim 16, further comprising controlling one or more authorizations and decryption keys for accessing at least the data in the storage area network using the gateway security component.
  - 20. The method of claim 16, further comprising controlling access to at least the data in the storage area network from different security domains using the gateway security component.
  - 21. The method of claim 16, further comprising controlling a channel switching mechanism to route data between the first component, the second component, the first database, and the second database.
  - 22. The method of claim 21, further comprising:
    - controlling one or more shared storage network ports of the channel switching mechanism; and
      
      monitoring the use of the one or more shared storage network ports of the channel switching mechanism.
  - 23. The method of claim 22, further comprising:
    - enabling the shared storage network ports for use; and
      
      disabling the shared storage network ports when not in use.

24. A non-transitory machine-readable medium comprising a plurality of machine-readable instructions which, when executed by one or more processors of a server, are configured to cause the server to perform a method comprising:
- establishing a storage area network to facilitate communication with the one or more networks;
  
  routing data to and from a first component over the storage area network via a first storage network connection;
  
  routing data to and from a second component over the storage area network via a second storage network connection;
  
  controlling the routing of data between the first and second components and the storage area network with a gateway component; and
  
  using a metadata controller to;
  
  separate metadata from the data;
  
  store the metadata in a first database; and
  
  store the data without metadata in a second database, whereinthe metadata includes the data location of and is required to access the data without metadata stored in the second database,the metadata controller is located behind the gateway component,the gateway component includes a security component that directly controls and authorizes access to the metadata controller and the metadata,requests for data are made by a client through the gateway component via a first channel network connection, andtransfers of data are made directly from the storage area network to the client through a second channel and without passing through the gateway component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Bettger, David D, Rodriguez, Ismael, Stone, Kevin A, Kuehn, Dennis L, Peters, Marc A., Wagner, David H
Primary Examiner(s)
Alam, Hosain
Assistant Examiner(s)
Tang, Jieying

Application Number

US12/497,408
Publication Number

US 20100011007A1
Time in Patent Office

1,727 Days
Field of Search

707/999.01, 707/609, 707/827, 709/223, 709/224, 711/114, 711/163
US Class Current

707/609
CPC Class Codes

H04L 63/105 Multiple levels of security

H04L 67/1097 for distributed storage of ...

Secure high performance multi-level security database systems and methods

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Secure high performance multi-level security database systems and methods

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links