1. The Field of the Invention
The present invention relates to data storage and backup solutions for archiving data. More particularly, embodiments of the invention relate to software, hardware, systems, and methods for restricting user access to single-instance storage through user-specific hash authentication.
2. The Relevant Technology
The need for reliable backup and archiving of information is well known. Businesses that produce and rely upon digital information devote large amounts of time and money to information system (IS) resources that provide backup and archive of the information resident in computers and servers within their organizations. Customers of the data storage industry increasingly demand not only that their data be properly backed up but also that such data protection be done in a cost-effective manner, with a reduced cost per bit for stored data sets.
To address these demands, Content Addressed Storage (CAS) has been developed to provide a more cost-effective approach to data backup and archiving. Generally, CAS applications involve a storage technique for content that is in its final form, i.e., fixed content, or that is not changed frequently. CAS assigns an identifier to the data so that it can be accessed no matter where it is located. For example, a hash value may be assigned to each portion or subset of a data set that is to be data protected or backed up. Presently, CAS applications are provided in distributed or networked storage systems designed for CAS, and storage applications use a CAS application programming interface (API) or the like to store and locate CAS-based files in the distributed system or network.
The use of CAS enables data protection systems to store, online, multi-year archives of backup data by eliminating the storage of redundant data: complete copies of data sets do not have to be stored as long as their content is already stored and available. The use of CAS removes the challenges of maintaining a centralized backup index and also provides a high level of data integrity. CAS-based backup and archive applications have also improved the usage of network and data storage resources, with better distribution of data throughout a multi-node data storage system.
CAS-based backup and archive applications are also desirable because multi-year or other large backup archives can be stored easily, since only a single instance of any particular data object (i.e., content) is stored regardless of how many times the object or content is discovered within the data set being protected or backed up. With CAS, the storage address for any data element or content is generated by an analysis of the contents of the data set itself. Since an exclusive storage address is generated for each unique data element (which is matched with a unique identifier) and the storage address points to the location for the data element, CAS-based architectures have found favor in the storage industry because they reduce the volume of data stored, as each unique data object is stored only once within the data storage system.
While providing higher efficiency data storage, current CAS-based data storage systems are often susceptible to unauthorized data access. This can be a significant problem, for example, for an entity or organization that handles and backs up confidential, sensitive, and other data for which intra-organization restricted access is desired. In this scenario, access control lists and/or other means are often implemented to allow only certain users to access the data on production servers implementing conventional storage techniques. However, when data is backed up to a CAS system, it is converted to a hash file system format for which conventional access control means are ineffective.
In particular, because CAS uses hash values or other unique identifiers to access data, a user can access the data to which a hash value is assigned by using the hash value to request the data from the CAS system. On the one hand, this permits users to locally store hash values corresponding to data they have backed up and to request backed-up data at any time using a locally stored hash value. On the other hand, it also permits malicious users to access data that they have not backed up, and that they may be unauthorized to access, if they can first obtain the corresponding hash values. For instance, a first user restricted from accessing sensitive data on a production server could nevertheless access a version of the sensitive data backed up by a second user by hacking the second user's computer and obtaining hash values corresponding to the sensitive data.
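The exposure described above can be shown in a few lines, as an added example that is not part of the original document. `PlainCAS` models a single-instance store in which the hash alone retrieves the data; `OwnerCheckedCAS` is one assumed mitigation shown for contrast (a per-user record of who backed up each object), not the method this document claims. Class names, user names and the sample data are constructed, and user authentication is assumed to happen elsewhere.

```python
import hashlib


class PlainCAS:
    """Single-instance store: the address is the SHA-256 of the content."""

    def __init__(self):
        self.objects = {}

    def put(self, user, data):
        addr = hashlib.sha256(data).hexdigest()
        self.objects.setdefault(addr, data)  # stored once, however many users back it up
        return addr

    def get(self, user, addr):
        # The requester's identity is never consulted: holding the hash is enough.
        return self.objects[addr]


class OwnerCheckedCAS(PlainCAS):
    """Assumed mitigation: remember which users backed up each object."""

    def __init__(self):
        super().__init__()
        self.owners = {}  # addr -> set of users who have stored that content

    def put(self, user, data):
        addr = super().put(user, data)
        self.owners.setdefault(addr, set()).add(user)
        return addr

    def get(self, user, addr):
        # 'user' is assumed to be authenticated already (out of scope here).
        if user not in self.owners.get(addr, set()):
            raise PermissionError(f"{user} has not backed up {addr[:12]}")
        return super().get(user, addr)


def read_with_stolen_hash(store):
    """Constructed scenario: user2 backs up data, user1 replays the hash."""
    secret = b"payroll-2024.csv contents (constructed sample)"
    addr = store.put("user2", secret)
    try:
        return store.get("user1", addr)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("plain CAS:", read_with_stolen_hash(PlainCAS()))
    print("owner-checked CAS:", read_with_stolen_hash(OwnerCheckedCAS()))
```

Single-instance storage is preserved in the checked variant: if a second user backs up identical content, the object is still stored once and that user is simply added to its owner set.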
The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is only provided to illustrate one example technology area where some embodiments described herein may be practiced.