The invention involves a method of protecting data, stored in the memory device of a computer system, connected to the SCSI interface, against unauthorised access, and equipment for carrying out this method.
The protection of data saved in the computer system against unauthorised change or deletion is among the important safeguards in the proposal and implementation of a strategy for protecting information systems. The problem of protection is currently solved partly by means of an operating system, partly by use of memory devices of the WORM type (Write Once Read Many, for example recordable CD-ROM) and partly by use of media having the possibility of mechanical blocking of recording (for example, diskettes, tapes, MOD etc.). Normal operating systems protect data by assigning authorisations for recording, readout and execution for each file. These authorisations are assigned only to the owner, group of owners or individual users of the computer system which, given the thousands of files that these systems contain, makes the effective safe dispensing of authorisations extremely difficult. Moreover, an authorisation is valid only for the normal user of a computer system. There always exists a group of people who, individually or as a team, can have unrestricted access to all the files, and at any given moment may or may not have accreditation by their organisation or the file owner. The system administrators make up this team having unrestricted rights to all the files. However, each owner also has unrestricted access to his own files, which in the case of a database set, for example, can have far-reaching consequences.
Use of memory devices of the WORM type noticeably restricts the possibilities for modification or effacing of individual memories by a systems administrator. Aside from the disadvantages in terms of limited capacity and transmission speed, it is obvious that the system does not guarantee the accuracy of the data and is unsuitable for storing data for the medium term, because during each modification it is necessary to create and change the whole medium.
Use of media with mechanical blocking capacity is complicated by their low capacity (for example diskettes), speed of access to data (for example DAT-type tapes), or by the speed of recording (for example MOD). Also, none of these media guarantees accuracy of the data.
The solution of the above problems must therefore proceed from the following assumptions. Protected data must be reliably protected against change and erasing. Only a small and strictly defined group of users can have the right to record (erase) protected data. It is necessary to ensure reliable and dependable identification of users and an effective method of clear verification of authorised users.
It is not easy to identify in the patent literature the nearest technical solutions dealing with the given problem. In Czech utility model No. 831, for example, a mechanism is described for protecting computers against infiltration of unwanted programs and against unacceptable damaging of data. A technical solution is described here which employs the internal bus of the personal computer for communication between the electrical circuit and the software portion. The electrical circuit described comprises a memory circuit, connected across a comparator to a driver. Protection against infiltration of unwanted programs consists here of the fact that a sequence of bytes is transmitted by the program along the internal bus of the computer; these bytes are deposited in the memory circuit and by means of the comparator an evaluation occurs in the electrical circuit of the identity of the bytes transmitted and, depending upon the results, recording onto the hard disk may or may not occur. The arrangement described is limited in its scope to the personal computer, equipped with the appropriate internal bus, and is therefore strictly dependent upon the specific type of computer.
The above objectives of the invention are attained by the method of protecting data, stored in the memory devices of a computer system connected to a SCSI interface, against unauthorised access. The basis of the invention lies in the fact that communication between the computer system and the memory device at the SCSI interface is screened and, depending upon the authorisation of a request, access by the computer system to the memory device is either permitted or refused. Authorisation of a request is by means of identification of an authorised user; access by the computer system to the memory device is in the form of the blocking of any kind of operation with the memory device, or permission to access for memory device readout only, or for readout and recording of data in the memory device, or only for recording of data in the memory device as the case may be. Equipment for carrying out the above method of data protection comprises a memory device connected by the SCSI bus to a host computer system. Between this memory device and the host computer system there is integrated into the SCSI bus an additional control unit with authorisation block.
The advantage is the clear verification of authorised users and the assignment of the right to adjust the control units to a strictly defined individual or a team of authorised users. In contrast to existing protection of data, here it is a question of safe protection of data by hardware means, which cannot be circumvented by any software methods. Identification of authorised users can be made on the basis of very precise prior specifications, for example a combination of any earlier requests (the users alone can choose the degree of security of data protection). At the same time the users can be divided into various groups with authorisation for data readout only or also for recording, and can block all operations as the case may be.
The memory device can consist of a hard disk, a disk subsystem, optical disk, tape unit, re-writable compact disk or electronic memory device. The additional control unit can consist of an electronic control unit, comprising microprocessors or SCSI control units with control software as the case may be. The authorisation block can consist of a lock with mechanical key with contacts, a connector with storage memory device of the EEPROM, EPROM or ROM type, a connector for inserting touch-memory, a chip card or magnetic card scanner, or a user identification scanner as the case may be. The equipment for carrying out the method of protection with a memory device connected by the SCSI bus to the host computer system can comprise, in an alternative embodiment, an additional control unit directly connected to the memory device and connected at the same time to the SCSI bus. On the basis of output from the authorisation block, the electronic unit in the additional control unit directly controls the memory device across the specific interface of the memory device (the disk can be equipped by the manufacturer with a supplementary electronic control, for example blocking of recording or access) and also screens and actuates any control signals from the SCSI. In another embodiment of the invention, the data portion of the SCSI bus can be connected directly to the memory device, while the command portion of the SCSI bus is interrupted by the insertion of an additional control unit, connected to the memory device. As long as the data portion of the SCSI bus between the host computer system and the memory device is not interrupted, the flow of data to the memory device is not slowed down and only the command portion of the SCSI bus is controlled.
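The screening decision described above (blocking of any operation, readout only, readout and recording, or recording only), applied to the command portion of the SCSI traffic, is shown here as an added example that is not part of the patent text. The type and function names are hypothetical, the opcode list is a small SCSI-2 subset, and refusing unrecognised opcodes is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Access modes from the description; all identifiers here are hypothetical. */
typedef enum { MODE_BLOCK_ALL, MODE_READ_ONLY, MODE_READ_WRITE, MODE_WRITE_ONLY } access_mode;
typedef enum { CLASS_QUERY, CLASS_READ, CLASS_WRITE, CLASS_UNKNOWN } cmd_class;

/* Constructed sample CDBs (byte 0 is the operation code). */
static const uint8_t SAMPLE_READ10[10]  = { 0x28, 0, 0, 0, 0, 0x10, 0, 0, 1, 0 };
static const uint8_t SAMPLE_WRITE10[10] = { 0x2A, 0, 0, 0, 0, 0x10, 0, 0, 1, 0 };
static const uint8_t SAMPLE_INQUIRY[6]  = { 0x12, 0, 0, 0, 36, 0 };
static const uint8_t SAMPLE_VENDOR[6]   = { 0xC0, 0, 0, 0, 0, 0 }; /* vendor-specific range */

/* Classify a command by its operation code. */
cmd_class classify_cdb(const uint8_t *cdb) {
    switch (cdb[0]) {
    case 0x00: case 0x03:   /* TEST UNIT READY, REQUEST SENSE */
    case 0x12: case 0x25:   /* INQUIRY, READ CAPACITY(10)     */
        return CLASS_QUERY;
    case 0x08: case 0x28:   /* READ(6), READ(10)              */
        return CLASS_READ;
    case 0x04: case 0x15:   /* FORMAT UNIT, MODE SELECT(6)    */
    case 0x0A: case 0x2A:   /* WRITE(6), WRITE(10)            */
    case 0x2E: case 0x3B:   /* WRITE AND VERIFY(10), WRITE BUFFER */
        return CLASS_WRITE;
    default:
        return CLASS_UNKNOWN;
    }
}

/* Return 1 to pass the command on to the memory device, 0 to refuse it. */
int filter_allows(access_mode mode, const uint8_t *cdb) {
    cmd_class c = classify_cdb(cdb);
    if (mode == MODE_BLOCK_ALL) return 0;  /* blocks any kind of operation */
    if (c == CLASS_UNKNOWN) return 0;      /* assumption: fail closed */
    if (c == CLASS_QUERY) return 1;        /* assumption: moves no user data */
    if (c == CLASS_READ) return mode == MODE_READ_ONLY || mode == MODE_READ_WRITE;
    return mode == MODE_WRITE_ONLY || mode == MODE_READ_WRITE;
}

int main(void) {
    printf("readout-only: READ(10)=%d WRITE(10)=%d INQUIRY=%d vendor=%d\n",
           filter_allows(MODE_READ_ONLY, SAMPLE_READ10),
           filter_allows(MODE_READ_ONLY, SAMPLE_WRITE10),
           filter_allows(MODE_READ_ONLY, SAMPLE_INQUIRY),
           filter_allows(MODE_READ_ONLY, SAMPLE_VENDOR));
    return 0;
}
```

Commands that alter the medium or its settings without carrying a WRITE opcode (FORMAT UNIT, MODE SELECT, WRITE BUFFER) are placed in the write class here, since a filter keyed only on WRITE would leave them open in readout-only mode.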