1. Technical Field
The present invention relates in general to the field of physical security of computer storage media, and more particularly to a method of and system for controlling access to an automated media library.
2. Description of the Related Art
Automated media libraries provide a convenient and efficient means of storing and accessing large amounts of data. The data are stored on movable media, such as magnetic tape cartridges. The movable media are stored in racks or slots in a cabinet. A robotic media handler moves the media back and forth between the racks are slots and one or more media drives in the cabinet. The media drives are connected to a network.
Media can be imported to or exported from the automated media library through an import/export station. The robotic media handler moves media back and forth between the library and the import export station. Additionally, doors are provided in the cabinet so that service or maintenance technicians can have access to the various mechanical and electrical components within the library cabinet.
Automated media libraries are typically located in rooms that provide various levels of physical access control. At smaller installations, the media library may be located in a normal office. At larger installations, media libraries may be located in special dedicated rooms. The special dedicated rooms are typically locked and require a badge or the like to enter the room. Some organizations require that people requesting access to a media library be accompanied by a guard or other security personnel.
Despite the security measures currently in place, there still is a possibility that persons having access to media libraries may take media without proper authority. For example, a person may have authority to enter a media library room for certain purposes. However, once in the room, the person may improperly take media from a library and the room.
Data theft is a serious issue. It poses a risk for the intellectual property of the company. Additionally, organizations are required by law to protect certain employee records. Financial, product, business plans, trade secrets, and other confidential data must be protected from falling into unauthorized hands.
The present invention provides a method of and a system for controlling access to an automated media library. The method receives a request for access to the library from an individual having an identity. Access may include importing media to the library, exporting media from the library, and opening a locked door to a cabinet containing the library. If the access includes the importing media, the method moves a robotic media handler to a locked import/export station. If the access includes exporting media, the method moves the requested media to the locked import/export station. If the access includes the opening the door, the method takes a first inventory of the media in the library. The method authenticates the identity of the individual and determines an access level associated with the individual. If the access level is insufficient for the requested access, the method denies the requested access and issues an alert. If the access level is sufficient for the requested access, the method determines if the requested access requires a second authentication. If a second authentication is required, the method prompts the individual to perform the second authentication. If the second authentication is verified, the method logs the access by the individual and grants the access. If the access is granted and the access is importing or exporting media, the method unlocks the import/export station. If the access is granted and the access is opening the door, the method unlocks the door. The method closes and locks the import/export station a predetermined length of time after unlocking the import/export station. The method locks the door a predetermined length of time after unlocking the door and takes a second inventory of the media. The method issues an alert if the second inventory differs from the first inventory.
The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further purposes and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, where:
Referring now to drawings, and first to
Media library 100 is housed in a cabinet 101. Cabinet 101 is accessible from the outside through a front door 103 and the back door 105. Front door 103 is normally secured by an electronically operated lock 107. Similarly, back door 105 is normally secured by an electronically operated lock 109.
Cabinet 101 houses the mechanical and electrical components of media library 100 as well as the media itself. Media library 100 includes a plurality of tape drives 111. Media library 100 also includes storage slots for tape cartridges, such as tape cartridge 113. A robot 115 is mounted for movement inside cabinet 101 to transport tape cartridges back and forth between the storage slots and the tape drives. Robot 115 may also include a barcode reader (not shown in
Embodiments of the present invention control access to the interior of cabinet 101 by authenticating the identity of persons seeking access. In the embodiment of
The embodiment of the access control system of
Controller 125 is in communication with an administrator computer 207. Communication between controller 125 and administrator computer 207 may be over a network. Administrator computer 207 may be located in an office or the like separated from automated media library 100. Administrator computer 207 is adapted to receive access log information and alerts from controller 125.
After determining the type of access requested, controller 125 loads the systems authentication policy, as indicated at block 319. The authentication policy provides access authority and authentication levels for various registered users. For example, some requesters (users), such as delivery or mailroom personnel, may have authority to import media to, but not to export media from, the library. Others, such as service or maintenance technicians, may have authority to open the doors of the library cabinet but not to remove media from the library. Also, requesters requesting certain actions may be required to provide higher levels of authentication. After loading the authentication policy, controller 125 performs authentication, as indicated generally at block 321, and described in detail with reference to
Controller 125 also starts a timer, as indicated at block 327. Then, controller 125 waits for import/export station 117 to be closed, as determined at block decision block 329, or the timer to time out, as determined at decision block 331. If the timer times out before station 117 is closed, controller 125 issues an alert, as indicated at block 333, and actuates lock 201 to lock import/export station 117, as indicated at block 335. Then controller 125 logs access completed, as indicated at block 337. The determination whether the import/export station is opened or closed may be done through sensors associated with the import/export station (not shown).
Referring to
After locking the door or doors, controller 125 actuates robot 115 and barcode reader 203 to perform a second inventory of the media library, as indicated at block 349. Then, controller 125 compares the starting inventory to the ending inventory, as indicated at block 351. If, as determined at decision block 353, starting inventory is not equal to the ending inventory, controller 125 issues an alert, as indicated at block 355, and logs access complete and the inventory difference, at block 357. If, as determined at decision block 353, the starting inventory equals the ending inventory, controller 125 logs access complete, at block 359, and processing ends.
Returning to decision block 403, if the first authentication key is verified, controller 125 compares the requested access to the access-security level from the authentication policy, as indicated at block 411. If, as determined at decision block 413, the requested access is not authorized to the requester, processing proceeds to
If, as determined at decision block 415, a second key is required, controller 125 prompts the requester to enter the second key, as indicated at block 417. The second key may be one or more biometric identifiers. If, as determined at decision block 419, the second key is verified, processing proceeds to
From the foregoing, it will be apparent to those skilled in the art that systems and methods according to the present invention are well adapted to overcome the shortcomings of the prior art. While the present invention has been described with reference to presently preferred embodiments, those skilled in the art, given the benefit of the foregoing description, will recognize alternative embodiments. Accordingly, the foregoing description is intended for purposes of illustration and not of limitation.