1. Field of the Invention
The invention relates to data storage and data storage management systems. Specifically, the invention relates to apparatus, systems, and methods for transparent end-to-end security of storage data in a client-server environment.
2. Description of the Related Art
Management and protection of data is of vital importance to business and government interests for many reasons, including achieving a competitive advantage, complying with local laws and regulations, and allaying privacy concerns, to name a few.
Data has a life cycle that begins when the data is generated and ends when the data becomes obsolete and of no value. As data progresses along this life cycle spectrum, the data is afforded different levels of protection from unauthorized use. Generally, “live” data, data that is newly created or currently in use, is protected using conventional security techniques such as encryption and storage of data in physically secure facilities.
As data ages, its access frequency may decrease while its value may increase or decrease. Typically, such data is archived or backed up to accommodate new live data on primary storage devices such as memory and Direct Access Storage Devices (DASD). This migration path moves the data from primary storage devices to secondary storage such as removable media including tapes, optical storage, and the like.
Unfortunately, archived data, which is generally data that is retained for a predetermined period of time, and backup data, which is data stored to allow for data recovery in the event of system failure, are not afforded the same levels of security and protection from unauthorized use as live data. Factors accounting for this generally include the overhead required to provide protection such as encryption, including generation and management of encryption keys, the lower priority of archive data and backup data, the sheer size of the data involved in backup and archival, and the like. Instead, conventional security measures such as firewalls, safes, locked doors, and guarded and/or locked facilities are relied upon.
It is desirable that backup data and archive data be secure both in transit and once stored on a storage medium. In particular, it is desirable that the backup data and archive data be protected between a client and a server communicating over a network. One challenge faced in encrypting backup data and archive data is the issue of encryption key management. An entity may require access to backup data and archive data for many months or years into the future. The encryption keys must be carefully managed because loss of the keys through mismanagement or equipment failure can effectively render large quantities of backup data and archive data useless. Entrusting encryption key management to a user is highly error prone due to human memory limits and turnover in an entity. Managing keys using applications that originally produced or used the data adds significant overhead to the application, is inconsistent between applications, and may not be practical given that the life of the backup data and archive data may extend beyond that of the application.
Current storage and backup systems that include encryption are inadequate. Such systems generally store the encryption keys with the encrypted data on the same storage device or medium. Unauthorized access to the storage device or medium results in loss of protection for the data. Other conventional systems use a single key associated with the storage device, volume, or media that operates to decrypt all files on the same storage device, volume, or media. Consequently, compromise of the key provides access to all the files. Certain conventional systems do not automatically handle migration of backup data and archive data from one storage device or media to another. Consequently, matching an encryption key with the proper encrypted file can be difficult or impossible. Still other conventional systems apply a single level of protection regardless of the type of backup data or archive data involved. Consequently, computing resources may be wasted protecting data that does not require this default level of protection.
From the foregoing discussion, it should be apparent that a need exists for an apparatus, system, and method for transparent end-to-end security of storage data in a client-server environment. Beneficially, such an apparatus, system, and method would encrypt backup and archive data in transit and on storage and would encrypt the encryption key associated with the backup data and archive data in transit. In addition, the apparatus, system, and method would allow clients to generate keys of a suitable security level that are associated with individual files owned by a host of the client on a one-to-one basis rather than a one-to-many basis. Furthermore, the apparatus, system, and method would store encryption keys separate from the encrypted data and manage changes in the location of the keys and/or the encrypted data over the entire life of the encrypted data.
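The one-to-one key arrangement described above, with keys held apart from the encrypted data, can be sketched as follows. This is an added example, not code from the patent: the cipher (AES-256-GCM), the `BackupStore` class, the helper names, and the use of a single key-encryption key (`kek`) to protect file keys are all assumptions made for illustration.

```ruby
require 'openssl'

# seal returns nonce || tag || ciphertext. AES-256-GCM is an assumed cipher.
def seal(key, msg)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  ct = c.update(msg) + c.final
  nonce + c.auth_tag + ct
end

# unseal raises OpenSSL::Cipher::CipherError on a wrong key or altered data.
def unseal(key, box)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = box.byteslice(0, 12)
  d.auth_tag = box.byteslice(12, 16)
  d.update(box.byteslice(28..-1)) + d.final
end

# opens? reports whether key decrypts box, without raising.
def opens?(key, box)
  unseal(key, box)
  true
rescue OpenSSL::Cipher::CipherError
  false
end

# BackupStore is a hypothetical model: ciphertext and keys live in separate stores.
class BackupStore
  attr_reader :media, :key_store

  def initialize(kek)
    @kek = kek       # wraps file keys in transit and at rest (assumption)
    @media = {}      # stands in for tape or disk; holds ciphertext only
    @key_store = {}  # object id => file key wrapped under the KEK
  end

  def backup(id, data)
    file_key = OpenSSL::Random.random_bytes(32) # one fresh key per file
    @media[id] = seal(file_key, data)
    @key_store[id] = seal(@kek, file_key)
  end

  def restore(id)
    unseal(unseal(@kek, @key_store.fetch(id)), @media.fetch(id))
  end
end
```

Because the key store is indexed by object id and not by media location, moving a ciphertext to another medium leaves its key entry valid, and a recovered file key opens only the one file it was generated for.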