Patents by Inventor Gregory W. Lazar

Gregory W. Lazar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10013364
    Abstract: One embodiment is directed to a technique which secures data on a set of storage drives of a data storage system. The technique involves encrypting data from a first tenant using a first tenant key to form first tenant encrypted data and storing the first tenant encrypted data on the set of storage drives. The technique further involves encrypting data from a second tenant using a second tenant key to form second tenant encrypted data and storing the second tenant encrypted data on the set of storage drives, the first tenant being different from the second tenant, and the first tenant key and the second tenant key being per tenant keys which are different from each other. The technique further involves destroying the first tenant key to prevent the first tenant encrypted data stored on the set of storage drives from being decrypted while maintaining the second tenant key to enable decryption of the second tenant encrypted data stored on the set of storage drives.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: July 3, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Walter O'Brien, Gregory W. Lazar, Thomas Dibb
  • Patent number: 9990190
    Abstract: An installation image of a virtual storage appliance (VSA) is protected by initiating VSA installation from an archive image establishing a pre-installation operating state. The archive image includes an installation image with a lockbox storing a first key for accessing the installation image. The lockbox is encrypted using a second key derived from a stable system value (SSV), such as data for device partitioning, obtainable from an execution environment in the pre-installation operating state. During installation, the SSV is obtained and used in decrypting the lockbox to retrieve the first key and use the installation image to install the VSA. The VSA is installed in a manner establishing a post-installation operating state in which the SSV is no longer obtainable from the execution environment, e.g., due to changing the device partition information. An SSV obtained from the partition information post-installation does not yield the key for decrypting the lockbox, protecting the installed image.
    Type: Grant
    Filed: April 29, 2016
    Date of Patent: June 5, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Michael L. Burriss, Weixing Wang, Benjamin P. Kelley, Gregory W. Lazar, Jochen F. De Smet
  • Patent number: 9910791
    Abstract: The techniques presented herein provide for initializing and upgrading data encryption capability in a data storage system. The data storage system is initialized to encrypt data writes using a system wide encryption key. A request is received to upgrade the encryption functionality in the data storage system. A data slice is identified for encryption, wherein the data slice is stored in a RAID group in the data storage system. The data slice is pinned in a first cache memory of a first storage processor and persisted in a second cache memory of a second storage processor. The data slice is encrypted and a write operation is initiated to write the encrypted data slice back to the RAID group. If the write operation was successful, the data slice is unpinned and the first and second cache memory associated with the data slice are freed; else, if the write operation was unsuccessful, the data slice is unpinned and the first and second cache memory associated with the data slice are flushed.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: March 6, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Thomas N. Dibb, Naizhong Chiu, Gregory W. Lazar, Xuan Tang, Millard C. Taylor, II
  • Patent number: 9870481
    Abstract: The techniques presented herein provide for associating a data encryption lockbox backup with a data storage system. A first set of software system stable values (SSV) is derived from data storage system component values unique to the data storage system. A lockbox storing the first set of SSV and a set of encryption keys associated with a corresponding respective set of data storage system drives is created. Access to the lockbox requires providing a first minimum number of SSV that match corresponding SSV in the first set of SSV. A backup copy of the lockbox is created, wherein access to the backup copy requires providing a second minimum number of SSV that match corresponding SSV in the first set of SSV, wherein the minimum number of SSV is equal to a second match value. The backup copy of the lockbox is stored at a remote location.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: January 16, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Gregory W. Lazar, Peter Puhov, Millard C. Taylor, III, Naizhong Chiu Qui, Thomas N. Dibb
  • Patent number: 9697351
    Abstract: A technique supplies a high security password. The technique involves receiving, by processing circuitry, a series of randomly generated values from random number generator circuitry. The technique further involves deriving, by the processing circuitry, an initial character string from the series of randomly generated values, each character of the initial character string being an element of a first collection of characters which includes lowercase letters and numbers. The technique further involves providing, by the processing circuitry and as the high security password, a modified character string based on (i) the initial character string and (ii) inclusion of at least one element of a second collection of characters which is mutually exclusive of the first collection of characters.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: July 4, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Mahadevan Vasudevan, Gregory W. Lazar
  • Patent number: 9229850
    Abstract: A method is used in mapping data storage and virtual machines. A logical volume from a data storage system is provided for use by a hypervisor. The hypervisor is queried through a web service to identify a virtual machine of the hypervisor. It is determined that the virtual machine is using the logical volume.
    Type: Grant
    Filed: June 30, 2009
    Date of Patent: January 5, 2016
    Assignee: EMC Corporation
    Inventors: Yidong Wang, Neil F. Schutzman, Russell R. Laporte, Gregory W. Lazar, Deene A. Dafoe, Feng Zhou
  • Patent number: 9143504
    Abstract: Described are techniques for using a first secure communication connection between a first component and a second component to establish a second communication connection as another secure communication connection between the components. The first secure communication connection may be used to exchange fingerprints for digital certificates of the two components. The second communication may be used to exchange digital certificates of the two components. Each of the components may determine whether the received fingerprint of the other component matches a calculated fingerprint of the received certificate for the other component, and if so, the received certificate for the other component may be stored in a data store of said each component.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: September 22, 2015
    Assignee: EMC Corporation
    Inventors: Mingjiang Shi, Meiling Ge, Tianming Zhang, Gregory W. Lazar
  • Patent number: 9026667
    Abstract: Described are techniques for validating a resource. A hierarchy of objects is received. The hierarchy includes first and second objects at, respectively, first and second levels of the hierarchy. The second object is a child of the first object. The first object is a parent of the second object and represents a first resource embedding a second resource represented by the second object. Each of the objects in the hierarchy identifies a resource that is automatically retrieved in connection with rendering a webpage. A first server location providing the first resource is determined using the first object. A second server location providing the second resource is determined using the second object. In accordance with trusted location criteria, it is determined whether the first resource is allowed to embed the second resource.
    Type: Grant
    Filed: March 26, 2012
    Date of Patent: May 5, 2015
    Assignee: EMC Corporation
    Inventors: Scott E. Joyce, Gregory W. Lazar, Donald Labaj
  • Patent number: 8904146
    Abstract: Described are techniques for performing data storage system management. The data storage system is divided into a plurality of virtual partitions. A plurality of policy sets are specified where each of the policy sets includes one or more policies. One of the plurality of policy sets is assigned to each of the plurality of virtual partitions. Each of the plurality of policy sets includes an access control policy that assigns a portion of data storage of the data storage system as a resource for exclusive use in one of the plurality of virtual partitions that is assigned said each policy set.
    Type: Grant
    Filed: November 26, 2013
    Date of Patent: December 2, 2014
    Assignee: EMC Corporation
    Inventor: Gregory W. Lazar
  • Patent number: 8892750
    Abstract: Described is a technique for providing a host identifier for a host. A first portion associated with a characteristic of said host is received. A second portion including a non-deterministic component is received. The host identifier is formed using the first portion and the second portion. The host identifier is used to uniquely identify the host in a storage area network.
    Type: Grant
    Filed: January 3, 2006
    Date of Patent: November 18, 2014
    Assignee: EMC Corporation
    Inventors: Sriram Krishnan, Andreas L. Bauer, Russell R. Laporte, Gregory W. Lazar
  • Patent number: 8751827
    Abstract: A method of securely operating a computerized system includes forming a connection to a user-removable physical security device (PSD) which is uniquely paired with the computerized system and which stores cryptographically secured data required for performing a protected function on the computerized system. The PSD may be realized as a USB or similar peripheral device containing security-related data and potentially security processing capability as well. The protected function could be decrypting of encrypted data encryption keys used to encrypt/decrypt user data for example. A user who has an established association with the PSD (e.g. by some preceding registration process) is authenticated, resulting in activation of the PSD on the computerized system. Upon such activation of the PSD, the computerized system engages in a security operation using the cryptographically secured data from the PSD to enable the protected function to be performed under control of the user on the computerized system.
    Type: Grant
    Filed: June 25, 2010
    Date of Patent: June 10, 2014
    Assignee: EMC Corporation
    Inventors: William M. Duane, Robert W. Griffin, John S. Harwood, Gregory W. Lazar, Thomas E. Linnell
  • Patent number: 8635707
    Abstract: A method for use in managing object access is disclosed. A request is received at a reference monitor, wherein the request comprises an object type, an action associated with the object, credentials associated with a user, and access information. Template information is received at the reference monitor, wherein the template information specifies allowable access for the object using qualifiers for the object. For the user, it is determined at a management request engine whether to allow the action associated with the object based on the request and the template. Also disclosed is a system for use in managing object access.
    Type: Grant
    Filed: September 29, 2010
    Date of Patent: January 21, 2014
    Assignee: EMC Corporation
    Inventors: Mark A. Parenti, Stephen J. Todd, Gregory W. Lazar, Millard C. Taylor, II
  • Patent number: 8631114
    Abstract: Described is a technique for gathering information about a property. A request is received at a first node of a plurality of nodes. The request requests information in accordance with the property for a set of one or more objects defined in a portion of the plurality of nodes. The first node determines information about said property for objects of said set which are defined at said first node. Each of the other nodes determines information about said property for objects of said set which are defined at said each node. Information is communicated to the first node from the other nodes about said property for objects of said set which are defined at each of said other nodes. The first node performs processing to produce final information representing information received from said other nodes and information determined by said first node regarding said property.
    Type: Grant
    Filed: January 3, 2006
    Date of Patent: January 14, 2014
    Assignee: EMC Corporation
    Inventors: Andreas L. Bauer, Russell R. Laporte, Gregory W. Lazar, Brian R. Gruttadauria
  • Patent number: 8621178
    Abstract: Described are techniques for performing data storage system management. The data storage system is divided into a plurality of virtual partitions. A plurality of policy sets are specified where each of the policy sets includes one or more policies. One of the plurality of policy sets is assigned to each of the plurality of virtual partitions. Each of the plurality of policy sets includes an access control policy that assigns a portion of data storage of the data storage system as a resource for exclusive use in one of the plurality of virtual partitions that is assigned said each policy set.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: December 31, 2013
    Assignee: EMC Corporation
    Inventor: Gregory W. Lazar
  • Patent number: 8601108
    Abstract: A server device is configured to perform a method for providing object class information to a management device. The method includes mapping user names included as part of entries of a database associated with the server device to a corresponding Common Information Model (CIM) object manager operating system (OS) role. The method includes receiving a management request associated with the management device, the management request having management request credential information. The method includes authenticating the management request to an operating system associated with the server device based upon the management request credential information. The method includes following authentication, authorizing the management device to a corresponding CIM object manager OS role using the management request credential information.
    Type: Grant
    Filed: June 29, 2011
    Date of Patent: December 3, 2013
    Assignee: EMC Corporation
    Inventors: Tianming Zhang, Gregory W. Lazar, Anthony Arous, Purushottam B. Sane, Weijing Song, James Huang, Keith V. Boland, Seth B. Horan
  • Patent number: 8578093
    Abstract: A method is used in managing indications in data storage systems. A threshold value is associated with a storage object. A client subscribes to a server for receiving an indication indicating a change in a property of the storage object. A determination is made as to whether a number of indications processed by the server exceeds the threshold value. A bulk status is associated with the indication based on the determination. The indication is sent to the client. The client performs an action based on the bulk status associated with the indication.
    Type: Grant
    Filed: December 27, 2011
    Date of Patent: November 5, 2013
    Assignee: EMC Corporation
    Inventors: Deene A. Dafoe, Kevin S. Labonte, Gregory W. Lazar, Sriram Krishnan
  • Patent number: 8566595
    Abstract: A method and system for use in managing secure communications with software environments is disclosed. In at least one embodiment, the method and system comprises maintaining, in a Java operating environment, a regulatory compliant communications facility that is accessible to a Flex operating environment. The Flex and Java operating environments are caused to use the regulatory compliant communications facility for network communications with a data storage system.
    Type: Grant
    Filed: March 30, 2011
    Date of Patent: October 22, 2013
    Assignee: EMC Corporation
    Inventors: Scott E. Joyce, Gregory W. Lazar, Christopher S. Lacasse
  • Patent number: 8555342
    Abstract: A technique provides secure access to a set of credentials within a data storage system. The technique involves obtaining a unique identifier (e.g., a hostname which is unique to the system) and a set of stable values (e.g., machine-generated codes which are random to users of the system); and, in response to a storage request from a client application, storing a set of credentials of the client application within a data security mechanism of the data storage system. The set of credentials is in encrypted form when stored within the data security mechanism of the data storage system. The technique further involves configuring the data security mechanism of the data storage system to provide the set of credentials in non-encrypted form in response to new fingerprints matching a system fingerprint which is formed at least in part from the unique identifier and the set of stable values.
    Type: Grant
    Filed: December 23, 2009
    Date of Patent: October 8, 2013
    Assignee: EMC Corporation
    Inventors: Gregory W. Lazar, Greg Mogavero, Michael Hamel, Yidong Wang, Prakash Chanderia, Feng Zhou, Ashwin Ramkrishna Tidke
  • Patent number: 8407720
    Abstract: Inter-process communication management allows a first data storage system management application to execute a second data storage system management application. For example, when a user directs a client device to execute a second application while executing a first application, the client device establishes an inter-process communication (IPC) channel between the two applications to allow for security and navigation commands to be passed from the first application to the second application. With such a configuration, the first application does not require the user to re-enter information, such as a target IP address, and encrypted password to execute the second application. In one arrangement, the IPC channel is configured to detect the termination of either the first or the second application. Once detected, the client device can safely terminate the IPC channel between the two applications and execute the remaining, non-terminated application as a standalone product.
    Type: Grant
    Filed: March 31, 2010
    Date of Patent: March 26, 2013
    Assignee: EMC Corporation
    Inventors: Peter Chen, Scott E. Joyce, Gregory W. Lazar, Robert A. Ballantyne, Bryant C. Martin
  • Patent number: 8346735
    Abstract: A method is used in controlling multi-step storage management operations. From a specification of a desired configuration of a data storage system, a description of a multi-step transaction for producing the desired configuration is derived. The description includes directions for reacting to results of an intermediate step within the multi-step transaction. Management operations are invoked based on the description.
    Type: Grant
    Filed: September 30, 2008
    Date of Patent: January 1, 2013
    Assignee: EMC Corporation
    Inventors: Xuan Tang, Russell R. Laporte, Gregory W. Lazar, Sriram Krishnan, Ying Xie