News Column

Patent Issued for Identifying and Enforcing Strict File Confidentiality in the Presence of System and Storage Administrators in a NAS System

July 15, 2014

By a News Reporter-Staff News Editor at Information Technology Newsweekly -- EMC Corporation (Hopkinton, MA) has been issued patent number 8769271, according to news reporting originating out of Alexandria, Virginia, by VerticalNews editors.

The patent's inventors are Osmond, Roger F (Littleton, MA); Goren, Gil (Ashland, MA).

This patent was filed on April 10, 2012 and was published online on July 1, 2014.

From the background information supplied by the inventors, news correspondents obtained the following quote: "Protection of confidential information may be more difficult than ever before because of the proliferation of networked computing devices. Comprehensive protection of information stored in computer-readable form should include identity management, authorization/authentication, data integrity assurance, proper logging/auditing, i.e., to ensure chain of custody, and a guarantee of confidentiality. Data encryption is part of most protection regimes. Data encryption can be employed for data in-flight and for data at rest. Data in-flight encryption is especially valuable for data that leaves the relatively safer and more secure 'behind the firewall' environment. Data in-flight has received significant attention, and there are many commercially available products. Data at rest has received less attention. Recently, there have been some highly publicized incidents in which data at-rest in the form of backups on tapes have been lost or otherwise compromised. This publicity has led to increased demand for devices that can encrypt data at rest on tape. However, the threat to data at rest may actually be greater when it is stored on disk than on tape. This is because the on-disk data is more current, and therefore more valuable. Further, the data on-disk is more likely to be accessible via a network, and a greater number of individuals are likely to have access to the data, whether rightfully or not.

"One vulnerability of known encryption schemes is the 'super user problem.' In order to maintain a network and storage system, network administrators and storage administrators are typically provided with unrestricted access to files. Further complicating matters, file servers typically provide a means by which remote users with administrator privileges, a.k.a. 'super users,' are granted the equivalent of local administrator access. Since the remote administrator is granted local administrator privileges, that remote administrator can have full and unencumbered access to metadata and data, regardless of defined file or directory ownership and permissions. UNIX and Linux systems have a mechanism by which to treat remote 'root' users as if they were local. This capability is also common to dedicated NAS servers. This mechanism also makes it possible for administrators to subvert or circumvent permissions and other access controls. Such access is a significant compromise to confidentiality. However, it is also necessary for the super-users to perform legitimate administrative functions on networked resources, perhaps remotely, so the super user cannot simply be eliminated."

Supplementing the background information on this patent, VerticalNews reporters also obtained the inventors' summary information for this patent: "In accordance with one embodiment of the invention, data storage apparatus available to at least one requestor via a network, comprises: a file server capable of communication with the client via the network; physical storage; and an encryption device in communication with both the file server and the physical storage; wherein first and second logical paths are established between the file server and the physical storage, by way of the encryption device, the first path being employed for a first type of requestor and the second path being employed for a second type of requestor, and wherein the encryption device is operative to provide decrypted data to the file server via the first path, and to provide encrypted data to the file server via the second path.

"In accordance with another embodiment of the invention, a method for managing data storage available to at least one requestor via a network, comprises the steps of: in response to a request from a first type of requestor, providing decrypted data to the requestor via a first logical path; and in response to a request from a second type of requestor, providing encrypted data to the requestor via a second logical path.

"One advantage of the invention is preserving data confidentiality with regard to super users while retaining the capability to perform legitimate administrative functions. In particular, by providing an administrator with access to unencrypted metadata and only encrypted data for a confidential record, most legitimate administrative functions can be performed without compromising the confidentiality of the data. Another advantage is a file server that supports encryption without need for knowledge of the encryption keys, and without foregoing services typically restricted by use of encryption."
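The two-logical-path arrangement the inventors' summary describes, modelled as an added Python illustration written for this page (it is not EMC's implementation or code from the patent). The class and function names, the requestor labels "user" and "admin", the per-record `confidential` flag, the `store_raw` admin-side write, and the HMAC-SHA256 keystream-plus-tag cipher standing in for a real AEAD are all assumptions made here; the scenario data is constructed.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Tuple

# Added illustration of the two-path idea; not EMC's code. The cipher below
# (HMAC-SHA256 keystream XOR plus an HMAC tag) is a demo stand-in for an AEAD.


@dataclass
class StoredObject:
    """A record on physical storage: plaintext metadata plus ciphertext||tag."""
    name: str
    owner: str
    size: int            # plaintext length; admins need it for quota/backup
    mtime: float
    confidential: bool   # assumed per-record flag marking strict records
    nonce: bytes
    payload: bytes


class EncryptionDevice:
    """Sits between the file server and storage. Path 1 (requestor "user")
    returns decrypted data; path 2 (requestor "admin") returns plaintext
    metadata but leaves a confidential record's data encrypted."""

    TAG_LEN = 32

    def __init__(self, key: bytes) -> None:
        self._key = key                       # never exported to the file server
        self._disk: Dict[str, StoredObject] = {}

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, block = bytearray(), 0
        while len(out) < length:
            out += hmac.new(self._key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
            block += 1
        return bytes(out[:length])

    def _seal(self, nonce: bytes, plaintext: bytes) -> bytes:
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return ct + hmac.new(self._key, b"tag" + nonce + ct, hashlib.sha256).digest()

    def _open(self, nonce: bytes, payload: bytes) -> bytes:
        ct, tag = payload[:-self.TAG_LEN], payload[-self.TAG_LEN:]
        expected = hmac.new(self._key, b"tag" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("payload modified or wrong key")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def write(self, name: str, owner: str, data: bytes, confidential: bool = True) -> None:
        """Plaintext comes in from the file server; only ciphertext reaches disk."""
        nonce = os.urandom(16)
        self._disk[name] = StoredObject(name, owner, len(data), time.time(),
                                        confidential, nonce, self._seal(nonce, data))

    def store_raw(self, meta: dict, payload: bytes) -> None:
        """Path-2 write: accept an already-encrypted record unchanged, so an admin
        can restore or migrate it without the device ever decrypting."""
        self._disk[meta["name"]] = StoredObject(meta["name"], meta["owner"], meta["size"],
                                                meta["mtime"], meta["confidential"],
                                                meta["nonce"], payload)

    def read(self, name: str, requestor: str) -> Tuple[dict, bytes]:
        """Dispatch on requestor type. Ordinary ACL/ownership checks are assumed
        to have been applied by the file server before this call."""
        obj = self._disk[name]
        meta = {"name": obj.name, "owner": obj.owner, "size": obj.size,
                "mtime": obj.mtime, "confidential": obj.confidential, "nonce": obj.nonce}
        if requestor == "user":
            return meta, self._open(obj.nonce, obj.payload)
        if requestor == "admin":
            if obj.confidential:
                return meta, obj.payload          # path 2: no key, no plaintext
            return meta, self._open(obj.nonce, obj.payload)
        raise PermissionError(f"unknown requestor type {requestor!r}")


def admin_copy(dev: EncryptionDevice, src: str, dst: str) -> None:
    """A legitimate super-user task carried out entirely over path 2."""
    meta, payload = dev.read(src, "admin")
    dev.store_raw({**meta, "name": dst}, payload)


def demo() -> dict:
    """Constructed scenario: one confidential record read over both paths,
    copied by an admin, then tampered with by someone holding raw disk access."""
    dev = EncryptionDevice(os.urandom(32))
    secret = b"Q3 acquisition shortlist: ACME, Initech"
    dev.write("deals.txt", "alice", secret)
    _, user_view = dev.read("deals.txt", "user")
    admin_meta, admin_view = dev.read("deals.txt", "admin")
    admin_copy(dev, "deals.txt", "deals.bak")
    _, restored = dev.read("deals.bak", "user")
    tampered = bytearray(admin_view)
    tampered[0] ^= 0x01                         # flip one ciphertext bit
    dev.store_raw({**admin_meta, "name": "deals.bad"}, bytes(tampered))
    try:
        dev.read("deals.bad", "user")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"secret": secret, "user_view": user_view, "admin_view": admin_view,
            "admin_meta": admin_meta, "restored": restored, "tamper_detected": tamper_detected}
```

Two points a practitioner would check before relying on such a design. First, the security decision is the requestor-to-path mapping: a remote root that the file server still maps onto the user path (the root-squash bypass the background describes) gets plaintext, so that mapping, not the cipher, is what enforces confidentiality. Second, the admin path deliberately leaks metadata (names, owners, sizes, timestamps), which is exactly what makes backup and quota work but is also information; and the encryption device itself becomes the component whose compromise exposes everything.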

For the URL and additional information on this patent, see: Osmond, Roger F; Goren, Gil. Identifying and Enforcing Strict File Confidentiality in the Presence of System and Storage Administrators in a NAS System. U.S. Patent Number 8769271, filed April 10, 2012, and published online on July 1, 2014. Patent URL:

Keywords for this news article include: EMC Corporation, Information Technology, Information and Data Storage, Information and Data Encoding and Encryption.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


Source: Information Technology Newsweekly
