Protection storage using data de-duplication methods is widely used by enterprises for disk backup, archiving, and disaster recovery. Purpose-built backup appliances (PBBAs) are disk-based devices built on disk arrays that serve as targets for backup data and replicated backup data. In the context of backup and storage applications, a PBBA is a single storage device that is configured to serve multiple customers, with each customer using the same storage appliance for their protection storage requirements. A storage system that supports this type of multi-tenancy must satisfy security and isolation requirements to ensure that each customer's dataset is secured and isolated from the other customers on the storage appliance. These security and isolation requirements generally apply to data and control access operations on the storage appliance. For example, a customer must not be able to read or write datasets that belong to another customer, and an administrator of one customer must not be able to perform system configuration, monitoring, etc., on the datasets that belong to another customer. Thus, although the customers may share the same storage appliance for backing up, restoring, or replicating their datasets, none of the customers may be aware of the presence of other customers on the storage appliance. The implementation of appropriate security and isolation requirements in such a storage system creates a Secure Multi-Tenancy (SMT) environment.
Protection storage systems are typically run by special operating systems that provide scalable, high-speed protection storage for backup, archive, and disaster recovery applications. One such operating system is the Data Domain Operating System (DDOS) provided by EMC® Corporation of Hopkinton, Mass., though other protection storage operating systems are also available. This type of operating system runs on data transfer and data storage machines, such as Data Domain Restorer (DDR) appliances. Generally, DDOS and similar operating systems do not presently support an SMT construct natively. That is, there is no built-in mechanism inside the DDOS that completely meets the security and isolation requirements that arise from deploying multiple tenants on the same DDR. Thus, although the advent of SMT has led to the use of appliances, such as Data Domain appliances, for cloud deployments and “as-a-service” models, the security and isolation enhancements that such use cases require, together with the new security information handling and management they entail, have not been adequately addressed at the operating system (e.g., DDOS) level.
Specific issues associated with present methods of handling security related information updates for related but distributed components, such as appliances in a set of PBBA systems or a cluster of PBBA systems, include: (1) caching security information, (2) locking security information, and (3) chain propagation of updates for security information.
With regard to caching, each participant in a DDOS usually builds its own cache to store the relations and associations pertaining to the security implementation. This often introduces cache consistency problems in the overall network, since the objects involved are distributed entities in the DDOS. If one object's value or information changes, the caches maintained by other individual components may have to be invalidated and updated. If such an update or notification fails, correctness is compromised, and such a compromise may be very expensive and dangerous from a security perspective.
With regard to locking, security information updates may change the information or value of one or more objects among a set of related objects. As mentioned above, such objects may be distributed in the DDOS across different entities, but they are related with regard to security considerations. Thus, there can be a security consideration dependency among this set of related objects. These objects are typically distributed across multiple DDOS components, all of which are constituent entities participating in the underlying security mechanism that supports SMT. Thus, multiple processes and threads are involved, and any serialization or locking requirement imposed on all of these entities may introduce a prohibitive performance penalty and render the design and implementation infeasible. In general, the cost and extent of the contention and its repercussions are unacceptable from the perspective of the DDOS.
With regard to chain propagation of updates, the security related objects that experience a change or update in information or value are in a dependency or association relationship, as stated above. If a design is implemented such that other objects in the dependency relation need to be updated or notified of such a change, and there is a cascading of such an information or update flow, there will generally be a chain propagation requirement for such information changes and updates. Such a chain propagation requirement has the following problems: (1) the dependency on the chain of propagations needing to be completed may introduce a delay in updating information in a memory or storage device that may be involved in making a security related decision, and such a delay may lead to a wrong security related decision being taken, thus compromising the security and isolation requirements of SMT; (2) such chain propagations impose a chain of correctness requirement, so that if any operation in the chain fails or introduces an error, the correctness requirement along the chain is not met; and (3) such chain propagations involve extra processing which, if not reduced or eliminated, can make the system much less efficient.
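The caching and chain propagation hazards described in the preceding paragraphs, as an added example that is not part of the patent text: a small Python model in which each component keeps a private copy of the dataset-to-tenant ownership relation, an ownership change is chain-propagated, and one component misses the notification. A decision taken from that component's stale cache permits a tenant to read a dataset it no longer owns. The component names, tenant and dataset names, the notification failure, and the version-checked alternative (validating the cache against a single authoritative version before deciding) are all constructed for illustration and are not the patent's method.

```python
# Added example (not from the patent): toy model of the stale-cache failure mode
# and one way a decision can avoid trusting a cache that missed a notification.


class Authority:
    """Single authoritative store of dataset -> owning tenant, with a version
    counter that increments on every change (constructed for the example)."""

    def __init__(self, ownership):
        self.ownership = dict(ownership)
        self.version = 0

    def set_owner(self, dataset, tenant):
        self.ownership[dataset] = tenant
        self.version += 1


class Component:
    """A DDOS participant that keeps its own cache of the ownership relations."""

    def __init__(self, name, authority):
        self.name = name
        self.cache = dict(authority.ownership)  # private copy built at startup
        self.seen_version = authority.version

    def notify(self, dataset, tenant, version):
        """Apply a propagated update; only runs if the notification arrives."""
        self.cache[dataset] = tenant
        self.seen_version = version

    def authorize_from_cache(self, tenant, dataset):
        """Decision made purely from the local cache (the hazard in the text)."""
        return self.cache.get(dataset) == tenant

    def authorize_checked(self, tenant, dataset, authority):
        """Decision that first compares the cached version with the authority's
        version and refreshes the cache when it is behind (assumed alternative)."""
        if self.seen_version != authority.version:
            self.cache = dict(authority.ownership)
            self.seen_version = authority.version
        return self.cache.get(dataset) == tenant


def propagate(authority, components, dataset, tenant, failing=()):
    """Chain-propagate an ownership change to every component; components whose
    name is in `failing` miss the notification (a simulated failed update).
    Returns the names of the components that were not updated."""
    authority.set_owner(dataset, tenant)
    missed = []
    for component in components:
        if component.name in failing:
            missed.append(component.name)
            continue
        component.notify(dataset, tenant, authority.version)
    return missed


def stale_cache_scenario():
    """Returns (missed, stale_decision, frontend_decision, checked_decision).

    Constructed sample: ds-B is reassigned from tenant-2 to tenant-3, and the
    replication component never hears about it."""
    auth = Authority({"ds-A": "tenant-1", "ds-B": "tenant-2"})
    frontend = Component("protocol-frontend", auth)
    replication = Component("replication", auth)

    missed = propagate(auth, [frontend, replication], "ds-B", "tenant-3",
                       failing={"replication"})

    # tenant-2 no longer owns ds-B, but the stale cache still says it does:
    # a cross-tenant read would be permitted here. The updated component and
    # the version-checked decision both deny it.
    stale = replication.authorize_from_cache("tenant-2", "ds-B")
    updated = frontend.authorize_from_cache("tenant-2", "ds-B")
    checked = replication.authorize_checked("tenant-2", "ds-B", auth)
    return missed, stale, updated, checked


if __name__ == "__main__":
    print(stale_cache_scenario())
```

The version comparison in `authorize_checked` is a cheap read of one counter rather than a full refresh on every decision, and it removes the decision's dependence on every link in the notification chain having succeeded; a design that consults a single authoritative source in this way is one illustration of the direction the paragraph argues for.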
What is needed, therefore, is a protection storage operating system, or an implementation of DDOS, that eliminates caching, locking, and chain propagation of updates when handling distributed but related security information elements.