Recently, the software industry sees trends to create applications (such as applications for enterprises) with “software-as-a-service” components that are distributed over a network. Looking at the architecture, human users operate computers (client computers) that are connected through the network to data storage devices. Looking at the content, the devices store data, such as application software archives, images, property definitions, configuration data, transaction data, log records and so on. Looking at the technical implementation, the devices are hard-disks or other physical devices that are directly attached to the network. Such a network configuration allows bypassing of auxiliary computers (e.g., storage servers) that otherwise may be required. Within the devices, data is arranged in volumes and files.
High numbers are typical: Enterprises or organizations might have 10,000 or more human users; the number of client computers might exceed the number of users; there might be 100,000 or more storage devices. Data volumes are measured in counters such as terabytes, exabytes, or petabytes. Large files require distribution over multiple physical devices. Scalability matters.
Security of data exchange between the clients and the devices is of paramount importance. For example, it needs to be ensured that data can only be accessed by authorized users. Security has the aspect of using cryptographic techniques to encrypt and decrypt data. However, such techniques cause an inherent cryptographic overhead. For example, clients and devices may need to perform cryptographic computation. Cryptographic techniques typically use symmetric or asymmetric keys, or combinations thereof. In such cases, keys need to be generated, distributed, stored, renewed and eventually revoked.
Security is in conflict with the above mentioned high numbers. Just to take cryptographic keys as an example: key generation is potentially linked to the number of files or volumes, so a large number of files or volumes might require a large number of keys. Further, key distribution is potentially linked to the number of clients and storage devices, so large number of clients or devices might require a large number of keys, as well.
As networks are dynamically changing by clients and devices being added or removed, the cycle from generating keys to revoking keys is being repeated. Some devices might even become compromised or corrupted by intruders, and that also affects the key cycles.
There is an ongoing need for improvement that mitigates some or all of the mentioned disadvantages.