Patent Grant
10489251
A remote backup service is a service that provides a system for backup, storage, and recover of computer files. A cloud backup service provides a remote backup service through a cloud infrastructure. Some cloud backup services allow automated recovery as well as automated backup.
Certain examples are described in the following detailed description and in reference to the drawings, in which:
Many cloud services providing data storage, backup, archiving, and disaster recovery are automated and provide control panel interfaces to allow users to manage their services. Many of these service depend on credentials such as security keys for security and authentication. If these credentials are compromised, an unauthorized party may gain access to the cloud services control panel and may compromise or destroy the user's data as well as their backups or archives.
Aspects of the disclosed technology provide temporal isolation of data storage backups associated with a remote backup service. A backup copy of data may be kept on an offline storage system that is inaccessible outside a firewall and that cannot be managed using a cloud services control panel. Recovery of the data from the offline storage may require authentication and approval over a hardened security channel, which may include manual verification of credentials. During the recovery process, a copy of the backup may be transferred from the offline storage to a storage that is accessible from outside the firewall. The copy of the backup may then be transferred to the system using the backup for recovery.
The first storage system 107 may comprise any storage medium. For example, the storage system 107 may be a disk based storage, flash based storage, or other type of storage. In some implementations, the first storage system 107 may be collocated with the server 102. For example, the storage system 107 may a storage volume of the server 102. In other implementations, the storage system 107 may be connected to the server 102 via a network connection. For example, the first storage system 107 may be a network attached storage (NAS) or may be a part of a storage area network (SAN).
In the illustrated example, the server 102 has read and write privileges to the first storage system 107. The server 102 uses the storage system 107 to store data. For example, if the server 102 executes a backup application, the data may be a backup of other application data. As another example, if the server 102 executes a client application, the data may be the application data, such as a copy of a virtual machine image.
The illustrated example further includes a backup server 112. The backup server 112 is connected 105 to the first storage system 107 with read only privileges. For example, the backup server 112 may be on a local area network (LAN) behind a firewall 108 that enforces the privileges. As another example, the first storage system 107 or other network appliance may enforce the read only privileges. The backup server 112 is configured to retrieve a backup of user data on the first storage system 107. For example, the backup server 112 may create a backup of user data stored on the storage system 107. As another example, the backup server 112 may obtain a copy of a backup stored on the first storage system 107.
In this example, the backup server 112 has read and write privileges 111 to a second storage system 114. For example, the second storage system 114 may be a NAS or volume on a SAN that is accessible on the local network by the backup server. As another example, the second storage system 114 may be a local storage volume of backup server 112. For example, backup server 112 and the second storage system 114 may be components of the same physical or virtual machine. In the illustrated implementations, the second storage system 114 is connected to the LAN and inaccessible outside the network. For example, the firewall 108 may prevent access to the second storage system 114 by devices outside the local network.
In this implementation, the backup server 112 stores the backup retrieved from the first storage system 107 on the second storage system 114. In some implementations, the backup server 112 maintains the backup on the second storage system 114 for at least a predefined quarantine period, during which the backup is not allowed to be deleted from the second storage system 114.
In the illustrated example, the backup server 112 also has read and write privileges 110 to a third storage system 113. In some implementations, the third storage system 113 may be a NAS or volume on a SAN that is accessible on the local network by the backup server. In other implementations, the third storage system 113 may a storage volume of the backup server 112. For example, in one implementation, the second storage system 114, and third storage system 113 may both be storage volumes on a system bus of the backup server 112.
The third storage system 113 is also accessible by the server 102. For example, the server 102 may be granted read only privileges 106 to the third storage system 113. In this example, if instructed by a control system 109, the backup server 112 retrieves a copy of the backup from the second storage system 114 and writes it onto the third storage system 113. The server 102 may then retrieve the backup from the third storage system 113 and restore it to the first storage system 107.
In the illustrated example, the control system 109 issues the instruction to retrieve the backup to the backup server 112 after authenticating a custodian 101 of the backup data. For example, the custodian 101 may be a system administrator or other designated party that has authorization to request data retrieval. The authentication may occur over a security hardened channel 104. The security hardened channel may be an out-of-band communication channel different from the network connections 103, 105, 106 used to connect to the backup server 112 and third storage 113. For example, a multi-factor authentication process may be employed to verify a requesting party is authorized to request a backup restoration. For example, a requesting party may send a request for restoration, and a system administrator of the control system 109 may call the authorized party using a previously designated phone number. The system administrator may then manually authenticate the authorized party using further authentication procedures. As another example, upon request by the requesting party, a system administrator may call multiple known numbers to speak to a set of authorized security officers. The system administrator may then use the control system 109 to instruct retrieval if the entire set of authorized security offers, or a threshold number of officers, agree to the recovery.
In this implementation, even if a backup or data stored on the first storage 107 is compromised, an adversary may be prevented from compromising the copy of the backup because of the quarantine period. Additionally, the adversary may be prevented from obtaining a copy of the backup data from the second storage 114 because of the control system 109 and firewall 108.
The example method may include block 201. Block 201 may include obtaining a backup from a first storage system. The first storage system may be accessible outside a local area network (LAN). For example, the first storage system may be located outside a firewall. As an example, the first storage system may be located at a customer's premises or on a public or private cloud infrastructure. In some implementations, the first storage system may be a storage as described with respect to storage 107 of
In some implementations, the first storage system may be read-only accessible by a backup system obtaining the backup from the first storage system. For example, a firewall, such as firewall 108 of
The example method may also include block 202. Block 202 may include storing the backup on a second storage system. The second storage system may be inaccessible outside the LAN. For example, second storage system may as described with respect to storage system 114 of
The example method may include block 203. Block 203 may include authenticating an authorized backup user. In some implementations, the authorized backup user may be authenticated using a channel other than a network connection to the LAN. For example, the authorized backup user may be a data custodian 101 and the channel may be a security hardened channel 104 as described with respect to
The example method may also include block 204. Block 204 may include copying the backup from the second storage system to a third storage system. The third storage system may be accessible outside the LAN. For example, the third storage system may be a storage system as described with respect to storage system 113 of
The example control system 301 may include an authenticator 302. The authenticator 302 may obtain verification of an identification of a user authorized for backup recovery over an out-of-band channel. For example, the control system 301 may provide a user interface to allow a system administrator to provide the identification verification. Additionally, the authenticator 302 may provide authentication information used by the system administrator to authenticate the authorized user. In another example, the authenticator 302 may obtain verification of the identification by performing an automatic authentication procedure. For example, the authenticator 302 may perform multi-factor authentication using one or more communication channels. For example, the authenticator 302 may send a text message containing an authorization code to a previously designated telephone number. The authenticator 302 may then present an interface, such as a web form, on a network channel to allow the authorized user to enter the authorization code.
The example control system 301 may also include a backup instructor 303. Upon authorizing the user for backup recovery, the control system 301 may use the instructor 303 to instruct a backup system to allow recovery of a backup. The instruction may be to copy the backup from a first storage system inaccessible outside a local area network (LAN) to a second storage system accessible outside the local area network. For example, the backup system may be a backup server 112, the first storage system may be a storage system 114, and the second storage system may be a storage system 113 as described with respect to
In the illustrated implementation, the system includes a backup system 309. The backup system 309 may be connected to the backup instructor 303 of the control system 301. For example, the backup system 309 may be a backup server 112 as described with respect to
The system of
The system of
The non-transitory computer readable medium 504 may store a first set of instructions 505. The instructions 505 may be executable by a processor 503 to obtain a backup of data from a first storage system via a network interface 502. In this implementation, the first storage system is accessible outside a local network. For example, the first storage system may be a storage 107 as described with respect to
The medium 505 may store a second set of instructions 506. The instructions 506 may be executable by the processor 503 to store the backup on a second storage system, the second storage system inaccessible outside the local network. For example, the processor 503 may execute the instructions 506 to use the interface 502 to store the backup on a storage system such as storage system 114 of
The medium 505 may store a third set of instructions 507. The instructions may be executable by the processor 503 to receive a restore command from an authentication system. For example, the authentication system may be a control system 109 as described with respect to
The medium 505 may store a fourth set of instructions 508. the instructions 508 may be executable by the processor 503 to store the backup on a third storage system accessible outside the local network. For example, the instructions 508 may be executable to store the backup on the third system in response to receiving the restore command. In some implementations, the third system may be as described with respect to the storage 113 of
In the foregoing description, numerous details are set forth to provide an understanding of the subject disclosed herein. However, implementations may be practiced without some or all of these details. Other implementations may include modifications and variations from the details discussed above. It is intended that the appended claims cover such modifications and variations.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/US2014/066128 | 11/18/2014 | WO | 00 |
| Publishing Document | Publishing Date | Country | Kind |
|---|---|---|---|
| WO2016/080963 | 5/26/2016 | WO | A |
| Number | Name | Date | Kind |
|---|---|---|---|
| 7330997 | Odom | Feb 2008 | B1 |
| 7447850 | Del Rosso et al. | Nov 2008 | B1 |
| 7792789 | Prahlad | Sep 2010 | B2 |
| 8195153 | Frencel | Jun 2012 | B1 |
| 8689294 | Thakur et al. | Apr 2014 | B1 |
| 20030018657 | Monday | Jan 2003 | A1 |
| 20050010733 | Mimatsu | Jan 2005 | A1 |
| 20050052548 | Delaney | Mar 2005 | A1 |
| 20060230264 | Catherman | Oct 2006 | A1 |
| 20060230439 | Smith et al. | Oct 2006 | A1 |
| 20070069030 | Sauerwein, Jr. | Mar 2007 | A1 |
| 20070186106 | Ting et al. | Aug 2007 | A1 |
| 20080154989 | Arman | Jun 2008 | A1 |
| 20080244732 | Coninck | Oct 2008 | A1 |
| 20090150510 | Kovacs | Jun 2009 | A1 |
| 20110082991 | Leman | Apr 2011 | A1 |
| 20110289561 | Ivanov | Nov 2011 | A1 |
| 20130191341 | Alexander | Jul 2013 | A1 |
| 20140101212 | Maze | Apr 2014 | A1 |
| 20150067036 | Nambiar | Mar 2015 | A1 |
| 20160132684 | Barbas | May 2016 | A1 |
| 20170206034 | Fetik | Jul 2017 | A1 |
| Number | Date | Country |
|---|---|---|
| 1020050041898 | May 2005 | KR |
| Entry |
|---|
| Cathy J. Fitzpatrick, “Some Thoughts on Making Backups,” Sep. 7, 2013, pp. 1-3, Available at: <cathyjf.com/articles/some-thoughts-on-making-backups>. |
| International Search Report and Written Opinion, International Application No. PCT/US2014/066128, dated Aug. 13, 2015, pp. 1-10, KIPO. |
| Niko Vrdoljak, “Backup Your Windows Phone Isolated Storage Data to Skydrive Using Live Connect API,” Blog, Sep. 15, 2011, pp. 1-18, Available at: <nikovrdoljak.wordpress.com/2011/09/15/backup-your-windows-phone-isolated-storage-data-to-skydrive-using-live-connect-api/>. |
| Roger Meyer, “Secure Authentication on the Internet,” Apr. 4, 2007, pp. 1-34, SANS Institute. |
| Number | Date | Country | |
|---|---|---|---|
| 20170220425 A1 | Aug 2017 | US |
