Abstract: Two-way secure channels are provided between multiple services across service groups, where the certification is performed by a certificate authority associated with one of the service groups. One method comprises a first service providing a first handshake communication with a first token to a second service, wherein the first service obtains the first token by authenticating with an identity and access management service having a first certificate signed by a certificate authority, wherein the first handshake communication succeeds when the second service has a second certificate signed by the certificate authority, and wherein the second service obtains a second token by authenticating with the identity and access management service. The first service receives a second handshake communication from the second service with the second token.

Abstract: Two-way secure channels are provided between two parties to a communication with certification being provided by one party. One method comprises providing, by a first entity that provides a certificate authority, a first signed certificate to a second entity, wherein the first signed certificate is signed by the certificate authority and wherein the second entity generates a first request to sign a second certificate generated by the second entity, wherein the first request is generated by the second entity using a first credential generated by the second entity; receiving, from the second entity, (i) the first request to sign the second certificate, and (ii) the first signed certificate; and providing, in response to the certificate authority verifying the first signed certificate, a second signed certificate, signed by the certificate authority, to the second entity; wherein one or more additional communications between the first entity and the second entity use the two-way channel.

Abstract: Two-way secure channels are provided between multiple services across service groups, where the certification is performed by a certificate authority associated with one of the service groups. One method comprises a first service providing a first handshake communication with a first token to a second service, wherein the first service obtains the first token by authenticating with an identity and access management service having a first certificate signed by a certificate authority, wherein the first handshake communication succeeds when the second service has a second certificate signed by the certificate authority, and wherein the second service obtains a second token by authenticating with the identity and access management service. The first service receives a second handshake communication from the second service with the second token.

Abstract: Two-way secure channels are provided between two parties to a communication with certification being provided by one party. One method comprises providing, by a first entity that provides a certificate authority, a first signed certificate to a second entity, wherein the first signed certificate is signed by the certificate authority and wherein the second entity generates a first request to sign a second certificate generated by the second entity, wherein the first request is generated by the second entity using a first credential generated by the second entity; receiving, from the second entity, (i) the first request to sign the second certificate, and (ii) the first signed certificate; and providing, in response to the certificate authority verifying the first signed certificate, a second signed certificate, signed by the certificate authority, to the second entity; wherein one or more additional communications between the first entity and the second entity use the two-way channel.

Abstract: Techniques are provided for approval and execution of restricted operations. One method comprises receiving a request to perform an operation from a user; providing a redirect request with a protected request to obtain approval from an approval system; receiving a protected request approval with the protected request that was generated by the approval system using a shared secret; comparing the received protected request to a regenerated request generated using information stored with the request; and initiating an execution of the operation in response to the comparing satisfying one or more approval criteria. The shared secret may be shared between an operation execution system and the approval system. The processing of the request, an approval result and/or the execution of the operation can be audited.

Abstract: Techniques are provided for approval and execution of restricted operations. One method comprises receiving a request to perform an operation from a user; providing a redirect request with a protected request to obtain approval from an approval system; receiving a protected request approval with the protected request that was generated by the approval system using a shared secret; comparing the received protected request to a regenerated request generated using information stored with the request; and initiating an execution of the operation in response to the comparing satisfying one or more approval criteria. The shared secret may be shared between a operation execution system and the approval system. The processing of the request, an approval result and/or the execution of the operation can be audited.

Abstract: According to an aspect of the presently disclosed subject matter, there is provided a system for managing data in a storage system, the system including a storage layer which provides storage resource, and a snapshot layer that includes: a volume-version data structure, a chunk-version data structure and a IO handler.

Abstract: According to an aspect of the presently disclosed subject matter, there is provided a system for managing data in a storage system, the system including a storage layer which provides storage resource, and a snapshot layer that includes: a volume-version data structure, a chunk-version data structure and a IO handler.

Abstract: A computer storage management system for managing a first plurality of data storage units, the system including: (a) an asynchronous parity computation manager which, responsive to a write operation in which an incoming data portion is to be written into an individual storage unit from among the storage units, deposits the incoming value in the individual storage unit and stores a copy of the data element in a pre-parity storage area, and wherein asynchronously with depositing the incoming value in the individual storage unit, the asynchronous parity computation manager is operative to compute parity data corresponding to the incoming data portion and to other data portions which are associated with the incoming data portion and to store the parity data; and (b) a post-loss data recovery manager operative to recover lost data including determining whether at least one parity value associated with at least one data portion within said lost data is not current and, for at least one non-current parity, using inf

Abstract: According to an aspect of the presently disclosed subject matter, there is provided a system for managing data in a storage system, the system including a storage layer which provides storage resource, and a snapshot layer that includes: a volume-version data structure, a chunk-version data structure and a IO handler.

Abstract: A method, comprising: during a normal operating mode of a first solid-state storage device, reserving a portion of an available physical storage space of the first solid-state storage device, giving rise to a reserved portion and a user data portion; setting a user data capacity of the first solid-state storage device according to a size of the user data portion; using substantially the entire available physical storage space for storing user data within the first solid-state storage device; and upon receiving at the first solid-state storage device an instruction to switch to a data protection mode, switching the first solid-state storage device to the data protection mode and allocating part of the reserved portion to the user data portion, giving rise to an extended user data portion, and using the added user data capacity for backing up data that is or was stored on the second solid-state storage device.

Abstract: A mass storage system including main and auxiliary storage subsystems and a controller Main storage provides physical storage space and includes non-solid-state storage devices (“NSSDs”) NSSDs provide physical locations, and main storage includes physical storage locations provided by NSSDs Controller is coupled to main storage and may be configured for mapping logical addresses to physical locations, giving rise to a logical storage space The auxiliary subsystem includes a solid-state data retention device (“SSDRD”) capable of permanently storing data and provides a physical location, giving rise to auxiliary space Controller is coupled to the auxiliary subsystem and may override a mapping of logical addresses to physical locations, with a mapping of logical address to physical locations within the auxiliary space, overriding physical storage locations Controller is adapted for loading a snapshot of the data currently stored in the overridden physical storage locations.

Abstract: A method, comprising: during a normal operating mode of a first solid-state storage device, reserving a portion of an available physical storage space of the first solid-state storage device, giving rise to a reserved portion and a user data portion; setting a user data capacity of the first solid-state storage device according to a size of the user data portion; using substantially the entire available physical storage space for storing user data within the first solid-state storage device; and upon receiving at the first solid-state storage device an instruction to switch to a data protection mode, switching the first solid-state storage device to the data protection mode and allocating part of the reserved portion to the user data portion, giving rise to an extended user data portion, and using the added user data capacity for backing up data that is or was stored on the second solid-state storage device.

Abstract: Provided is a method for copying data as stored in at least one source storage entity, including copying data from a source storage entity into a destination storage entity and catering to at least one I/O operation directed toward the source storage entity during copying, the copying including reading at least one chunk of data in a predetermined order; and reading, responsive to a request, at least one relevant chunk containing data related to at least one I/O operation out of the predetermined order.

Abstract: A mass storage system including main and auxiliary storage subsystems and a controller Main storage provides physical storage space and includes non-solid-state storage devices (“NSSDs”) NSSDs provide physical locations, and main storage includes physical storage locations provided by NSSDs Controller is coupled to main storage and may be configured for mapping logical addresses to physical locations, giving rise to a logical storage space The auxiliary subsystem includes a solid-state data retention device (“SSDRD”) capable of permanently storing data and provides a physical location, giving rise to auxiliary space Controller is coupled to the auxiliary subsystem and may override a mapping of logical addresses to physical locations, with a mapping of logical address to physical locations within the auxiliary space, overriding physical storage locations Controller is adapted for loading a snapshot of the data currently stored in the overridden physical storage locations.

Abstract: Systems and methods for input/output command management. In some cases of a write command received from a host, a maximum capacity limit relating to primary memory may be disregarded because data relating to the write command is written to backup memory prior to acknowledging the write command. In some of these cases, timeout is less likely than if the maximum capacity limit had been respected.

Abstract: Systems and methods for failure monitoring in a storage system. In some cases, a failed entity is detected based on an analysis of at least the indications obtained in return for input/output commands sent to multiple entities in the storage system. In some of these cases, it is also determined whether the failure is enduring or transient.

Abstract: Disclosed is a storage system which includes a primary storage space associated with a first plurality of VS devices, a temporary backup storage space associated with a second plurality of VS devices, a permanent backup storage space associated with a third plurality of NVS devices, a storage controller responsive to a write request including storing the data-element within the primary storage space and substantially immediately or concurrently storing recovery-enabling-data corresponding to the data-element within the temporary backup storage space, and asynchronously with the provisional redundant storage sequence, the controller is adapted to destage the recovery-enabling data to the permanent backup storage space, and one or more UPS units configured to provide backup power in case of power interruption to enable completion of destaging of recovery-enabling data for the entire data-set of the storage system.

Abstract: A computer storage management system for managing a first plurality of data storage units, the system including: (a) an asynchronous parity computation manager which, responsive to a write operation in which an incoming data portion is to be written into an individual storage unit from among the storage units, deposits the incoming value in the individual storage unit an stores a copy of the data element in a pre-parity storage area, and wherein asynchronously with depositing the incoming value in the individual storage unit, the asynchronous parity computation manager is operative to compute parity data corresponding to the incoming data portion and to other data portions which are associated with the incoming data portion and to store the parity data; and (b) a post-loss data recovery manager operative to recover lost data including determining whether at least one parity value associated with at least one data portion within said lost data is not current and, for at least one non-current parity, using info

Abstract: Access to a target system is secured by use of an encrypted passphrase that is supplied on-site at the target system by a user requesting access. The encrypted passphrase includes an access credential portion and a one-way encoded portion. The one-way encoded portion is an encoded version of at least some of the access credential portion. A validator at the target system receives and decrypts the encrypted passphrase and identifies the access credential portion and one-way encoded portion. The validator one-way encodes the identified access credential portion and compares the result to the identified one-way encoded portion from the decrypted passphrase. If the results do not match, the validator denies access to the user requesting access. The encoding and decrypting of the passphrase may be performed using keys generated from a secret key/seed related to the target system, unencrypted information such as time/date information, and a user PIN.