1. Field of the Invention
The present invention relates to a digital data storage system with data dependent, rather than user dependent, storage security. More particularly, the invention concerns a data dependent storage facility implemented by a host-independent storage controller that selectively provides security for storage regions by initially storing access keys in association with the regions, where any host seeking access to the region must present the associated key.
2. Description of the Related Art
In many different working environments, there is a need to store great amounts of data. Consequently, mass data storage systems are more popular today than ever. Mass storage systems are implemented in magnetic tape drives, optical disks, magnetic "hard" disk drives, and the like. One commercially available mass storage system is the RAMAC storage subsystem, manufactured and sold by International Business Machines Corp. (IBM).
To get the most out of their mass storage systems, system administrators often configure a common storage for access by multiple different users. The common storage is often coupled to individual user computers by a server machine implementing a local or wide area network. The common storage may be a single device, but more often comprises many different physical storage devices. Some examples of multi-user mass storage systems are: (1) corporate Intranet systems accessed by employee users, (2) telephone records accessible by telephone operators (users) located around the state, nation, or world, (3) banking records accessed by remote customers (users) operating automatic teller machines, and (4) engineering design specifications or models accessed by engineers (users) working together on a technical project. A variety of other arrangements are also known.
In these systems, security of common storage is one difficult challenge facing storage system engineers. Since the common storage is effectively coupled to all users (via intermediate server machines), it is often necessary to consider the user's identity in deciding whether to provide (or deny) access to stored data. Some data may be suitable for all users to access, whereas other data may be only suitable for access by selected users. As an example, it may be desirable to provide all employees of the company access to the company's telephone directory stored on a common storage facility, while making personnel files available only to those in the human resources department.
Many known data security mechanisms address the security problem by operating a central host or server as an access gate. This is feasible since the server alone is attached to the common storage, therefore constituting a natural gate. In this arrangement, all access requests are routed through this server, which accepts or rejects each request according to the identity of the requesting user and the content of the request. The server implements its security features by running a security software program. As one variation of this arrangement, there may be multiple servers coupled to the common storage, with each server running the same security program under the same operating system. For example, each server may comprise an IBM model S/390 product using the MVS operating system, where each server is coupled to a RAMAC storage subsystem.
Although these storage configurations have proven satisfactory in many cases, they are not completely satisfactory for some users. In particular, system expense can be high because of the need to purchase dedicated server machines. As an alternative, it can be more cost efficient to operate an existing host machine as the security gate, in addition to its existing functions in the system. However, this places a substantial burden on the host, making the host a bottleneck for user access of the common storage. In addition, the host's security duties retard unrelated application programs running on the host.
To relieve security duties of a common host or server, some systems couple each user or host computer directly to a component of the common storage, such as a storage controller, and shift security duties to the hosts. Advantageously, this direct-connect arrangement eliminates the cost of a central server. To uphold a consistent, universal security plan, each host in this arrangement must be running the same security program; regardless of which machine is accessing the common storage, access of each dataset must be limited to the same set of users. This approach is useful when all hosts use the same operating system, and can easily run identical security programs.
However, this configuration is not practical when the user/host computers employ a variety of incompatible operating systems. This situation is especially likely today because there are many different makes of computer, with each being particularly suited to certain applications. For example, access to common storage may be sought by all of the following machines: a WINDOWS based personal computer, a SUN workstation, a UNIX based computer, and a MVS based mainframe computer. With incompatible user/host machines, this direct-connect environment is unworkable because of the difficulty in implementing the identical security programs on the diverse platforms.
In summary, even though the foregoing arrangements constitute significant advances and may even enjoy widespread commercial success today, they are not completely adequate for some applications due to some unsolved problems.
Broadly, the present invention concerns a storage system with storage security that is provided according to the storage region being accessed, rather than the user. The storage system of the invention selectively provides security for storage regions by initially storing an access key in association with the region, where that key must be presented by any host seeking access to the region.
The storage system includes a storage controller coupled to a digital data storage and one or more host computers. Initially, one of the hosts receives an allocate command from an application program, user, or other source. A reference access key of the allocate command is provided (generated) by the application requesting the storage allocation. The host allocates the requested storage and also issues a set-access-key demand to the controller. This command identifies the type of access protection (read, read/write), the storage region to be protected, and the reference access key to be used by the controller in gating access to the associated storage region. If the controller receives no set-access-key request for a given storage range, then the controller will not require any access key before accepting read or write operations involving that storage region.
Later, the controller may receive storage access requests from the hosts. Each request includes an identification of the requested storage region, an access type, and (if necessary) an input access key. In response, the controller retrieves any reference access key and access type information associated with the identified storage region. If the storage region is access-key protected and the requester provided a matching key, then the operation is allowed. If the keys don't match (i.e., wrong key or no key provided), then the controller determines if the requested operation is protected; if not, the operation is allowed. If the operation is protected and the keys do not match, the operation is failed, and an error condition may be returned to the requesting host.
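The set-access-key and access-gating logic of the two preceding paragraphs, as an added simulation that is not the patent's own code. It assumes block-addressed regions, access types "read" and "write", and that protection type "read" guards reads only while "read/write" guards both (the page names these two types without defining them further); the host_allocate helper and all region numbers are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass

# Assumed meaning of the two protection types named on the page.
PROTECTION_TYPES = {
    "read": frozenset({"read"}),
    "read/write": frozenset({"read", "write"}),
}

@dataclass(frozen=True)
class Protection:
    start: int                 # first block of the protected region
    end: int                   # last block of the region (inclusive)
    protected_ops: frozenset   # operations that require the key
    reference_key: bytes       # key stored by the set-access-key demand

class StorageController:
    """Host-independent controller that gates access by region, not by user."""

    def __init__(self):
        self._protections = []

    def set_access_key(self, start, end, protection_type, reference_key):
        """Record a reference key and protection type for a storage region."""
        ops = PROTECTION_TYPES[protection_type]
        self._protections.append(Protection(start, end, ops, reference_key))

    def _lookup(self, start, end):
        # Every protection whose region overlaps the requested range.
        return [p for p in self._protections if p.start <= end and p.end >= start]

    def access(self, start, end, op, input_key=None):
        """Gate a host request; True if the operation is allowed, False if failed."""
        for p in self._lookup(start, end):
            if input_key is not None and hmac.compare_digest(p.reference_key, input_key):
                continue          # matching key: this protection is satisfied
            if op in p.protected_ops:
                return False      # wrong or missing key on a protected operation
        return True               # no key set, or the operation is not protected

def host_allocate(controller, start, end, protection_type):
    """Hypothetical host side: the requesting application generates the key,
    the host allocates the region and issues the set-access-key demand."""
    reference_key = secrets.token_bytes(16)
    controller.set_access_key(start, end, protection_type, reference_key)
    return reference_key
```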
In one embodiment, the invention may be implemented to provide a method to provide security for storage regions by initially storing a security key in association with the region, where that key must be presented by any host seeking access to the region. In another embodiment, the invention may be implemented to provide an apparatus, such as a data storage system, providing storage security. In still another embodiment, the invention may be implemented to provide a signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital data processing apparatus to perform method steps for providing storage security.
The invention affords its users with certain distinct advantages. Advantageously, the invention provides data-dependent security implemented in a storage controller, enabling a variety of different host computers to have access to a common storage facility. With the invention, the hosts may run incompatible operating systems without sacrificing storage security. As another benefit, the invention is inexpensive because it implements data security measures using a storage controller rather than a separate server machine. Similarly, the invention does not burden the processing and input/output resources of existing host machines with security functions. The invention also provides a number of other advantages and benefits, which should be apparent from the following description of the invention.