Abstract: Methods and systems for securing unstructured data are provided. One method includes generating, by a processor, a schema from unstructured data, the schema including one or more relationships between named entities of the unstructured data; identifying, by the processor, a plurality of semantic relationships between the named entities; determining, by the processor, a sensitive relationship from the plurality of semantic relationships; and anonymizing, by the processor, sensitive data associated with the sensitive relationship by replacing a first portion of the sensitive data with generalized information.
Abstract: Systems and methods are provided for bringing a volume of a consistency group (CG) into an in-synchronization (InSync) state while other volumes of the CG remain in the InSync state. According to an example, in order to support recovery from disruptive events in a manner that ensures a zero recovery point objective (RPO) guarantee and insulates an application making use of the CG from adverse impacts, responsive to a triggering event, a Fast Resync process may first be attempted to promptly bring an affected volume back into the InSync state from an out-of-synchronization (OOS) state while allowing other members of the CG to remain in the InSync state. Should the Fast Resync process be unsuccessful in bringing the volume back into the InSync state within a predetermined or configurable time threshold, then a second type of resynchronization process may be employed at the CG level.
Abstract: Systems and methods for performing a fast resynchronization of a mirrored aggregate of a distributed storage system using disk-level cloning are provided. According to one embodiment, responsive to a failure of a disk of a plex of the mirrored aggregate utilized by a high-availability (HA) pair of nodes of a distributed storage system, disk-level clones of the disks of the healthy plex may be created external to the distributed storage system and attached to the degraded HA partner node. After detection of the cloned disks by the degraded HA partner node, mirror protection may be efficiently re-established by assimilating the cloned disks within the failed plex and then resynchronizing the mirrored aggregate by performing a level-1 resync of the failed plex with the healthy plex based on a base file system snapshot of the healthy plex. In this manner, a more time-consuming level-0 resync may be avoided.
Abstract: A distributed storage management system comprising nodes that form a cluster, a distributed block layer that spans the nodes in the cluster, and file system instances deployed on the nodes. Each file system instance comprises a data management subsystem and a storage management subsystem disaggregated from the data management subsystem. The storage management subsystem comprises a node block store that forms a portion of the distributed block layer and a storage manager that manages a key-value store and virtualized storage supporting the node block store. A file system volume hosted by the data management subsystem maps to a logical block device hosted by the virtualized storage in the storage management subsystem. The key-value store includes, for a data block of the logical block device, a key that comprises a block identifier for the logical block device and a value that comprises the data block.
Type:
Grant
Filed:
October 1, 2021
Date of Patent:
July 23, 2024
Assignee:
NetApp, Inc.
Inventors:
Ravikanth Dronamraju, Ananthan Subramanian, Daniel McCarthy, Christopher Cason, Arindam Banerjee
Abstract: In various examples, data storage is managed using a distributed storage management system that is resilient. Data blocks of a logical block device may be distributed across multiple nodes in a cluster. The logical block device may correspond to a file system volume associated with a file system instance deployed on a selected node within a distributed block layer of a distributed file system. Each data block may have a location in the cluster identified by a block identifier associated with each data block. Each data block may be replicated on at least one other node in the cluster. A metadata object corresponding to a logical block device that maps to the file system volume may be replicated on at least another node in the cluster. Each data block and the metadata object may be hosted on virtualized storage that is protected using a redundant array of independent disks (RAID).
Type:
Grant
Filed:
July 26, 2023
Date of Patent:
July 16, 2024
Assignee:
NetApp, Inc.
Inventors:
Ravikanth Dronamraju, Ananthan Subramanian, Daniel McCarthy, Christopher Cason, Arindam Banerjee
Abstract: Methods, non-transitory machine readable media, and computing devices that facilitate cache rewarming in a failover domain are disclosed. With this technology, a tag is inserted into a local tagstore. The tag includes a location of data in a cache hosted by a failover computing device and is retrieved from a snapshot of a remote tagstore for the cache. An invalidation log for an aggregate received from the failover computing device is replayed subsequent to mounting a filesystem that is associated with the aggregate and comprises the data. The data is retrieved from the cache following determination of the location from the tag in the local tagstore in order to service a received storage operation associated with the data. Takeover nodes do not have to wait for a cache to repopulate organically, and can leverage the contents of a cache of a failover node to thereby improve performance following takeover events.
Abstract: Techniques are provided for metadata management for enabling automated switchover in accordance with a configuration of a storage solution that expresses a preference for either maintaining availability (e.g., a non-zero RPO mode) of the storage solution or avoiding data loss (e.g., a zero RPO mode). In one example, responsive to detecting a switchover trigger event, a node of a local cluster of a cross-site storage solution determines whether performance of an automated switchover from a failed cluster to a surviving cluster of the cross-site storage solution is enabled. Responsive to an affirmative determination, the node selectively proceeds with the automated switchover based on the configuration.
Type:
Grant
Filed:
May 19, 2022
Date of Patent:
July 9, 2024
Assignee:
NetApp, Inc.
Inventors:
Sasidharan Krishnan, Kalaivani Arumugham, Preksha Bansal, Vijay Kumar Chakravarthy Ekkaladevi, Ryan Edward Bartlett
Abstract: Recovery support techniques for storage virtualization environments are described. In one embodiment, for example, a method may be performed that comprises defining, by processing circuitry, a storage container comprising one or more logical storage volumes of a logical storage array of a storage system, associating the storage container with a virtual volume (vvol) datastore, identifying metadata for a vvol of the vvol datastore, and writing the metadata for the vvol to the storage system. Other embodiments are described and claimed.
Type:
Grant
Filed:
November 8, 2021
Date of Patent:
July 9, 2024
Assignee:
NetApp, Inc.
Inventors:
Deepak Thomas, Dan Sarisky, Nagender Somavarapu, Santosh Lolayekar
Abstract: To replicate a source LUN to a different storage system platform, a first storage system transmits a request to replicate a LUN along with attributes for the LUN to a second storage system. The second storage system maps the attributes to attributes used and understood by the platform of the second storage system. The second storage system then creates a destination LUN based on the mapped attributes. Since the destination LUN is created with similar attributes as the source LUN, the destination LUN can store the replicated data of the source LUN while still being accessed and recognized as a LUN by the second storage system. The second storage system also stores any proprietary attributes received from the first storage system so that the proprietary attributes can be supplied to the first storage system to recover the source LUN after a data loss event.
Type:
Grant
Filed:
March 28, 2022
Date of Patent:
July 9, 2024
Assignee:
NetApp, Inc.
Inventors:
Ravindra Kuramkote, Kiyoshi James Komatsu, Ling Na Zheng, Rachita Kothiyal, Michael Lee Federwisch, Vijay Mohan Deshmukh
Abstract: Systems and methods for enhancing container security are provided. In one example, exposure of a containerized application to potential security vulnerabilities is reduced by identifying symbols dynamically loaded by the application via performance of static and/or dynamic symbol analysis to identify dynamically loaded symbols that are potentially and/or actually used, respectively, and that correspond to functions contained within shared libraries. Based on a shared library's usage of functions within a standard library and a known mapping between functions of the standard library and system calls, those system calls potentially and actually accessed by the application may be identified and a security policy may be generated and configured for enforcement by a kernel security module to limit system call usage accordingly. Additionally, removal of files or functions of libraries that are deemed unnecessary for proper execution of the application may be performed to reduce the footprint of the application.
Abstract: Systems and methods for enhancing container security are provided by reducing the attack surface. In one example, the exposure of containers to potential security vulnerabilities is reduced by identifying dynamically loaded symbols by an application via performance of static symbol analysis by examining a section of an executable to identify dynamically loaded symbols corresponding to functions contained within shared libraries. Based on a given shared library's usage of functions within standard libraries and a known mapping between functions of standard libraries and system calls, those system calls potentially accessed by the application may be identified and a security policy may be generated and configured for enforcement by a kernel security module to limit system call usage accordingly. Thereafter, the security policy enforced by the kernel security module may be refined based on performance of dynamic symbol analysis to identify system calls that are actually called by the application during runtime.
Abstract: Systems and methods for reducing the provisioned storage capacity of a disk or aggregate of disks of a storage appliance while the storage appliance continues to serve clients are provided. According to one embodiment, the size of the aggregate may be reduced by shrinking the file system of the storage appliance and removing a selected disk from the aggregate. When an identified shrink region includes the entire addressable PVBN space of the selected disk, the file system may be shrunk by relocating valid data from the selected disk elsewhere within the aggregate. After the valid data is relocated, the selected disk may be removed from the aggregate, thereby reducing the provisioned storage capacity of the aggregate by the size of the selected disk.
Type:
Application
Filed:
December 27, 2022
Publication date:
July 4, 2024
Applicant:
NetApp, Inc.
Inventors:
Mrinal K. Bhattacharjee, Sreenath Korrakuti, Sateesh Kumar Pola
Abstract: Systems and methods that make use of cluster-level redundancy within a distributed storage management system to address various node-level error scenarios are provided. Rather than using a generalized one-size-fits-all approach to reduce complexity, an approach tailored to the node-level error scenario at issue may be performed to avoid doing more than necessary. According to one embodiment, after identifying a missing branch of a tree implemented by a KV store of a first node of a cluster of a distributed storage management system, a branch resynchronization process may be performed, including, for each block ID in the range of block IDs of the missing branch (i) reading a data block corresponding to the block ID from a second node of the cluster that maintains redundant information relating to the block ID; and (ii) restoring the block ID within the KV store by writing the data block to the first node.
Type:
Application
Filed:
March 18, 2024
Publication date:
July 4, 2024
Applicant:
NetApp, Inc.
Inventors:
Wei Sun, Anil Paul Thoppil, Anne Maria Vasu
Abstract: Systems and methods for enhancing application security are provided. In one example, exposure of an application to potential security vulnerabilities is reduced by identifying symbols dynamically loaded by the application via performance of static and/or dynamic symbol analysis to identify dynamically loaded symbols that are potentially and/or actually used, respectively, and that correspond to functions contained within shared libraries. Based on a shared library's usage of functions within a standard library and a known mapping between functions of the standard library and system calls, those system calls potentially and actually accessed by the application may be identified and a security policy may be generated and configured for enforcement by a kernel security module to limit system call usage accordingly. Additionally, removal of files or functions of libraries that are deemed unnecessary for proper execution of the application may be performed to reduce the footprint of the application.
Abstract: Systems and methods for enhancing container security are provided by reducing the attack surface. In one example, the exposure of containers to potential security vulnerabilities is reduced by identifying dynamically loaded symbols by an application via performance of static analysis (which may be referred to herein as static symbol analysis). Static symbol analysis may include examining one or more sections of an executable to identify dynamically loaded symbols corresponding to functions contained within shared libraries (e.g., shared object files and dynamic libraries). Based on a given shared library's usage of functions within standard libraries (e.g., the standard C library) and a known mapping between functions of standard libraries and kernel system calls, those kernel system calls potentially accessed by the application may be identified and a security policy may be generated and configured for enforcement by a kernel security module to limit kernel system call usage accordingly.
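The four container-hardening abstracts above describe one pipeline: read the dynamic symbol table of an executable, map the imported libc functions to the kernel system calls they can reach, emit a deny-by-default policy for a kernel security module, then narrow it with what a runtime trace actually shows. The following Python is an added, self-contained illustration of that pipeline; it is not code from NetApp or from the patents. The ELF it analyses is constructed inline (only .dynsym and .dynstr, not loadable), the function-to-syscall table and the loader baseline are hand-written assumptions rather than a real libc mapping, and the output uses the Docker/OCI seccomp JSON shape.

```python
"""Added example: static symbol analysis -> potential syscalls -> seccomp policy,
refined by a dynamic trace. ELF, libc mapping and trace lines are constructed."""
import json
import re
import struct

SHT_DYNSYM, SHT_STRTAB, STT_FUNC, SHN_UNDEF = 11, 3, 2, 0


def build_sample_elf(imports):
    """Construct a minimal little-endian ELF64 carrying only .dynsym/.dynstr.
    Enough for symbol analysis; deliberately not loadable (sample input)."""
    dynstr, offs = b"\0", []
    for name in imports:
        offs.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    syms = struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0)  # mandatory null symbol
    for o in offs:  # STB_GLOBAL<<4 | STT_FUNC, section SHN_UNDEF => imported
        syms += struct.pack("<IBBHQQ", o, (1 << 4) | STT_FUNC, 0, SHN_UNDEF, 0, 0)
    str_off, sym_off = 64, 64 + len(dynstr)
    shoff = sym_off + len(syms)

    def shdr(typ, off, size, link, ent):
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, ent)

    shdrs = (shdr(0, 0, 0, 0, 0) + shdr(SHT_DYNSYM, sym_off, len(syms), 2, 24)
             + shdr(SHT_STRTAB, str_off, len(dynstr), 0, 0))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9  # ELFCLASS64, LE, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 0, shoff, 0,
                       64, 0, 0, 64, 3, 0)
    return ehdr + dynstr + syms + shdrs


def imported_functions(data):
    """Static symbol analysis: undefined STT_FUNC entries of .dynsym, i.e. the
    functions the loader will resolve from shared libraries at run time."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_shoff,) = struct.unpack_from("<Q", data, 40)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    funcs = set()
    for _, typ, _, _, off, size, link, _, _, entsize in shdrs:
        if typ != SHT_DYNSYM:
            continue
        strtab = data[shdrs[link][4]:shdrs[link][4] + shdrs[link][5]]
        for pos in range(off, off + size, entsize or 24):
            st_name, st_info, _, st_shndx, _, _ = struct.unpack_from("<IBBHQQ", data, pos)
            if st_info & 0xF == STT_FUNC and st_shndx == SHN_UNDEF:
                funcs.add(strtab[st_name:strtab.index(b"\0", st_name)].decode())
    return funcs


# Illustrative libc-function -> syscall table (assumption; a real generator
# derives it from the exact libc build the container ships).
LIBC_TO_SYSCALLS = {
    "fopen": {"openat"}, "fread": {"read"}, "fwrite": {"write"}, "fclose": {"close"},
    "puts": {"write"}, "malloc": {"brk", "mmap", "munmap"}, "free": {"munmap"},
    "socket": {"socket"}, "connect": {"connect"}, "system": {"clone", "execve", "wait4"},
}
# Calls the dynamic loader and libc start-up use before main() (illustrative).
BASELINE = {"execve", "brk", "mmap", "mprotect", "munmap", "arch_prctl",
            "openat", "read", "close", "fstat", "exit_group", "rt_sigreturn"}


def potential_syscalls(funcs):
    """Static pass: syscalls the application *may* reach through its imports.
    Unmapped imports are returned separately: a policy built while any remain
    is unsafe, because their syscalls would be silently denied."""
    unknown = {f for f in funcs if f not in LIBC_TO_SYSCALLS}
    calls = set(BASELINE)
    for f in funcs - unknown:
        calls |= LIBC_TO_SYSCALLS[f]
    return calls, unknown


STRACE_LINE = re.compile(r"^(?:\[pid\s+\d+\]\s*)?(\w+)\(")


def observed_syscalls(trace_lines):
    """Dynamic pass: syscall names parsed from strace-style output."""
    return {m.group(1) for m in map(STRACE_LINE.match, trace_lines) if m}


def refine(potential, observed):
    """Keep only statically reachable calls that were also seen at run time;
    never widen beyond the static set (an observed call outside it is a red flag)."""
    return (potential & observed) | BASELINE


def seccomp_profile(allowed):
    """Docker/OCI-style seccomp profile: deny by default, allow the computed set."""
    return {"defaultAction": "SCMP_ACT_ERRNO",
            "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}]}


if __name__ == "__main__":
    elf = build_sample_elf(["fopen", "fread", "fclose", "puts", "socket", "connect"])
    potential, unknown = potential_syscalls(imported_functions(elf))
    trace = [  # constructed strace excerpt of one run: the socket path was never taken
        'execve("./app", ["./app"], 0x7ffd1234) = 0',
        'openat(AT_FDCWD, "/etc/app.conf", O_RDONLY) = 3',
        'read(3, "key=v", 4096) = 5', 'close(3) = 0', 'write(1, "ok", 2) = 2',
        'exit_group(0) = ?',
    ]
    print(json.dumps(seccomp_profile(refine(potential, observed_syscalls(trace))), indent=2))
```

The refinement step is deliberately an intersection: a trace is evidence of what one run needed, so it can only tighten the static allow-list. Any syscall that appears in the trace but not in the static set points at an unmapped import or at code loaded through `dlopen`, and both should be investigated rather than allowed.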
Abstract: Systems and methods for reducing the provisioned storage capacity of a disk or aggregate of disks of a storage appliance while the storage appliance continues to serve clients are provided. According to one embodiment, the size of the aggregate may be reduced by shrinking the file system of the storage appliance and removing a selected disk from the aggregate. When an identified shrink region is less than the entire addressable PVBN space of the selected disk, the file system may be shrunk by relocating valid data from the shrink region of the selected disk to one or more regions outside of the shrink region, mirroring data of the selected disk from outside of the shrink region to a smaller disk added to the aggregate, and then removing the selected disk after the mirrors are in sync, thereby reducing the provisioned storage capacity of the aggregate by the difference in size between the selected disk and the smaller disk.
Type:
Application
Filed:
December 27, 2022
Publication date:
June 27, 2024
Applicant:
NetApp, Inc.
Inventors:
Mrinal K. Bhattacharjee, Sreenath Korrakuti, Sateesh Kumar Pola
Abstract: Systems and methods for enhancing API security by identifying anomalous activities in a cloud environment are provided. In one embodiment, the lack of awareness of an external API with respect to how calls to the external API may affect a cluster of a container orchestration platform is addressed. For instance, the views of the external and internal APIs may be combined to achieve better API security by correlating external API calls with undesirable behavior or other anomalies arising in the internal API. Responsive to identifying such undesirable behavior, information (e.g., a host, a source IP, a user, a specific payload) associated with the offending external API call may be added to a network security feature (e.g., a deny list, an IPS, or a WAF) utilized by the external API to facilitate performance of enhanced filtering of subsequent external API calls by the external API on behalf of the internal API.
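The abstract above correlates calls seen by an external API (gateway, WAF) with behaviour seen by the cluster's internal API, and feeds offending callers back into a network security feature. The Python below is an added example of that correlation, not code from the patent or from NetApp. Both log formats (JSON lines with the fields shown), the propagated `request_id` header, the two-second fallback window, and the two anomaly rules (a burst of RBAC denials, or any mutating call on `secrets`) are assumptions made for this example.

```python
"""Added example: join an external API access log with the internal API audit
log, score each external caller, and emit deny-list entries. Constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed external API access log (what the gateway/WAF sees).
EXTERNAL_LOG = [
    '{"ts":"2024-06-01T10:00:00Z","src_ip":"203.0.113.7","user":"svc-report","host":"api.example.com","path":"/v1/export","request_id":"r1"}',
    '{"ts":"2024-06-01T10:00:01Z","src_ip":"203.0.113.7","user":"svc-report","host":"api.example.com","path":"/v1/export","request_id":"r2"}',
    '{"ts":"2024-06-01T10:00:02Z","src_ip":"203.0.113.7","user":"svc-report","host":"api.example.com","path":"/v1/export","request_id":"r3"}',
    '{"ts":"2024-06-01T10:00:05Z","src_ip":"198.51.100.5","user":"alice","host":"api.example.com","path":"/v1/status","request_id":"r4"}',
    '{"ts":"2024-06-01T10:00:09Z","src_ip":"192.0.2.44","user":"bob","host":"api.example.com","path":"/v1/config","request_id":null}',
]
# Constructed internal API audit events (what the orchestration platform sees).
INTERNAL_AUDIT = [
    '{"ts":"2024-06-01T10:00:00Z","request_id":"r1","user":"svc-report","verb":"list","resource":"secrets","code":403}',
    '{"ts":"2024-06-01T10:00:01Z","request_id":"r2","user":"svc-report","verb":"list","resource":"secrets","code":403}',
    '{"ts":"2024-06-01T10:00:02Z","request_id":"r3","user":"svc-report","verb":"list","resource":"secrets","code":403}',
    '{"ts":"2024-06-01T10:00:05Z","request_id":"r4","user":"alice","verb":"get","resource":"pods","code":200}',
    '{"ts":"2024-06-01T10:00:10Z","request_id":null,"user":"bob","verb":"create","resource":"secrets","code":201}',
]
MUTATING = {"create", "update", "patch", "delete"}


def parse_jsonl(lines):
    return [json.loads(line) for line in lines if line.strip()]


def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def correlate(external, internal, window=timedelta(seconds=2)):
    """Join each external call to internal events by the propagated request id;
    when the id was not propagated, fall back to same identity within `window`."""
    by_id = defaultdict(list)
    for ev in internal:
        if ev.get("request_id"):
            by_id[ev["request_id"]].append(ev)
    joined = []
    for call in external:
        evs = list(by_id.get(call.get("request_id"), []))
        if not evs:
            t = ts(call["ts"])
            evs = [ev for ev in internal
                   if ev.get("user") == call["user"] and abs(ts(ev["ts"]) - t) <= window]
        joined.append((call, evs))
    return joined


def deny_list(external_lines, internal_lines, max_denials=3):
    """Aggregate internal effects per (src_ip, user, host) and return the entries
    to push into the external filter, each with the reason it was added."""
    per_src = defaultdict(lambda: {"denials": 0, "secret_mutation": False, "paths": set()})
    for call, evs in correlate(parse_jsonl(external_lines), parse_jsonl(internal_lines)):
        s = per_src[(call["src_ip"], call["user"], call["host"])]
        s["denials"] += sum(1 for e in evs if e["code"] == 403)
        s["secret_mutation"] |= any(e["verb"] in MUTATING and e["resource"] == "secrets" for e in evs)
        s["paths"].add(call["path"])
    entries = []
    for (ip, user, host), s in per_src.items():
        reasons = []
        if s["denials"] >= max_denials:
            reasons.append(f"{s['denials']} internal RBAC denials")
        if s["secret_mutation"]:
            reasons.append("mutating call on secrets")
        if reasons:
            entries.append({"src_ip": ip, "user": user, "host": host,
                            "paths": sorted(s["paths"]), "reason": "; ".join(reasons)})
    return entries


if __name__ == "__main__":
    for entry in deny_list(EXTERNAL_LOG, INTERNAL_AUDIT):
        print(json.dumps(entry))
```

Joining on a request id that the gateway injects and the internal API records is the reliable path; the time-window fallback exists only for clients that strip or never receive the header, and it should be treated as lower-confidence evidence, since it can attribute another session's events to the wrong call.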
Abstract: A system is described. The system includes a processing resource and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to detect an unrecognized Internet Protocol Security (IPsec) packet associated with an IP address at a first node within a cluster, retrieve one or more selector fields from the IPsec packet, query a security policy database to determine whether a destination IP address included in the one or more retrieved selector fields matches one or more outbound IPsec policies associated with that destination IP address, determine whether a matching outbound IPsec policy includes an IPsec policy associated with the destination address entry, and establish a first IPsec security association (SA) communication session between the first node and the client based on the outbound IPsec policy.
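The abstract above describes handling a packet for which the node has no security association: extract its selectors, consult the security policy database (SPD) for an outbound policy covering the peer, and only then set up an SA. The Python below is an added example of that lookup and decision, not the patent's or NetApp's code. The policy entries, the selector fields used (source, destination, protocol, local service port), longest-prefix-wins precedence, and the placeholder SA record (a real SPI and keys come from IKE) are all assumptions for this example.

```python
"""Added example: SPD lookup on packet selectors and the decision to establish,
reuse, bypass, or drop. Policies and SA record shape are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Selectors:
    src: str      # remote/peer address for an inbound packet
    dst: str      # local node address
    proto: int    # IP protocol number (6 = TCP, 17 = UDP)
    port: int     # local service port; unchanged when mirroring direction


@dataclass(frozen=True)
class Policy:
    name: str
    src_net: str                # local side for an outbound policy
    dst_net: str                # remote side for an outbound policy
    proto: Optional[int]        # None = any
    port: Optional[int]         # None = any
    action: str                 # "protect" | "bypass" | "discard"

    def matches(self, sel: Selectors) -> bool:
        return (ip_address(sel.src) in ip_network(self.src_net)
                and ip_address(sel.dst) in ip_network(self.dst_net)
                and self.proto in (None, sel.proto)
                and self.port in (None, sel.port))


# Constructed SPD for a node on 10.1.0.0/16 serving NFS (TCP/2049) to 192.0.2.0/24.
SAMPLE_SPD = [
    Policy("nfs-protect", "10.1.0.0/16", "192.0.2.0/24", 6, 2049, "protect"),
    Policy("blocked-host", "10.1.0.0/16", "192.0.2.10/32", None, None, "discard"),
    Policy("mgmt-bypass", "10.0.0.0/8", "10.0.0.0/8", None, None, "bypass"),
]


def select_policy(spd, sel: Selectors) -> Optional[Policy]:
    """Most specific match wins: longest destination prefix, then source prefix."""
    hits = [p for p in spd if p.matches(sel)]
    return max(hits, key=lambda p: (ip_network(p.dst_net).prefixlen,
                                    ip_network(p.src_net).prefixlen), default=None)


def handle_unrecognized_packet(spd, sad: dict, pkt: Selectors):
    """pkt: selectors of an IPsec packet with no entry in the SA database (sad).
    Mirror it into the outbound direction (peer becomes destination) and let the
    SPD decide; an unknown peer is dropped, never served in the clear."""
    outbound = Selectors(src=pkt.dst, dst=pkt.src, proto=pkt.proto, port=pkt.port)
    pol = select_policy(spd, outbound)
    if pol is None or pol.action == "discard":
        return "drop", None
    if pol.action == "bypass":
        return "bypass", None
    key = (outbound.src, outbound.dst, pol.name)
    if key in sad:
        return "use-existing", sad[key]
    # Placeholder SA record: in practice IKE negotiates the SPI and key material.
    sa = {"spi": 0x1000 + len(sad), "local": outbound.src, "peer": outbound.dst,
          "policy": pol.name}
    sad[key] = sa
    return "establish", sa


if __name__ == "__main__":
    sad = {}
    for peer in ("192.0.2.20", "192.0.2.20", "192.0.2.10", "10.2.3.4", "203.0.113.9"):
        verdict, sa = handle_unrecognized_packet(SAMPLE_SPD, sad, Selectors(peer, "10.1.0.5", 6, 2049))
        print(peer, verdict, sa)
```

The important property is the default: a packet that matches no policy, or matches a discard policy, is dropped rather than answered without protection. Precedence by prefix length is what lets the narrow `blocked-host` entry override the broader `nfs-protect` entry for one address inside the permitted subnet.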
Type:
Grant
Filed:
November 2, 2021
Date of Patent:
June 25, 2024
Assignee:
NetApp, Inc.
Inventors:
Jin Zhang, Surajpal S. Sandhu, Matthew Martin Houston
Abstract: Multi-site distributed storage systems and computer-implemented methods are described for improving a resumption time for processing of input/output (I/O) operations during an automatic unplanned failover (AUFO). A first storage cluster includes a first set of consistency groups (CGs) and a second storage cluster includes a second mirrored set of CGs. A computer-implemented method includes prefetching, with a user space of the second storage cluster, configuration information from a replicated database prior to starting the AUFO workflow, sending the configuration information to a kernel space of the second storage cluster on a per CG level while queuing the AUFO workflow, and determining if any in progress workflows conflict with the AUFO workflow.
Type:
Grant
Filed:
July 28, 2022
Date of Patent:
June 25, 2024
Assignee:
NetApp, Inc.
Inventors:
Anoop Vijayan, Akhil Kaushik, Sohan Shetty, Dhruvil Shah
Abstract: Techniques are provided for implementing data requests associated with objects of an object store. A data connector component may be instantiated as a container for processing data requests associated with backup data stored within objects of an object store. The data connector component may evaluate the object store to identify snapshots stored as the backup data within the objects of the object store according to an object format. The data connector component may provide a client device with access to backup data of the snapshots.
Type:
Grant
Filed:
April 10, 2023
Date of Patent:
June 25, 2024
Assignee:
NetApp, Inc.
Inventors:
Sharankumar Yelheri, Atul Ramesh Pandit, Tijin George