Abstract: A storage system access point receives a first access request from a client device, wherein the first access request specifies first data. The storage system access point attempts to execute the first access request. In response to successfully accessing the first data, a first message is transmitted to an external audit system indicating that information corresponding to the first access request is to be recorded by the external audit system. In response to that the first data has been successfully accessed, and that the information corresponding to the first access request has been successfully recorded by the external audit system, notifying the client device that the first access request has been successfully completed.

Abstract: A method of integrating a distributed ledger represented by a blockchain with a distributed storage network (DSN) begins by sending a proof of existence request to the DSN, the proof of existence request including an object name, an object version, a start time and an end time. The method continues by reading the object metadata for the sent object name. The method continues by checking a revision history from object metadata associated with the sent object name to ensure the object existed by the start time through the end time with no deletions and, if the object did not exist by the start time through the end time with no deletions, rejecting the proof of existence request and returning an error response. If the object did exist by the start time on through the end time with no deletions, the method continues by producing and returning an attestation comprising verification information related to the object.

Abstract: A storage system access point receives a first access request from a client device, wherein the first access request specifies first data. The storage system access point attempts to execute the first access request. In response to successfully accessing the first data, a first message is transmitted to an external audit system indicating that information corresponding to the first access request is to be recorded by the external audit system. In response to that the first data has been successfully accessed, and that the information corresponding to the first access request has been successfully recorded by the external audit system, notifying the client device that the first access request has been successfully completed.

Abstract: A method of integrating a distributed ledger represented by a blockchain with a distributed storage network (DSN) begins by sending a proof of existence request to the DSN, the proof of existence request including an object name, an object version, a start time and an end time. The method continues by reading the object metadata for the sent object name. The method continues by checking a revision history from object metadata associated with the sent object name to ensure the object existed by the start time through the end time with no deletions and, if the object did not exist by the start time through the end time with no deletions, rejecting the proof of existence request and returning an error response. If the object did exist by the start time on through the end time with no deletions, the method continues by producing and returning an attestation comprising verification information related to the object.

Abstract: A method begins by a processing module identifying, for a DSN (Dispersed Storage Network) memory using multiple IDA (Information Dispersal Algorithms) configurations simultaneously, a first IDA configuration with a highest security level relative to each of the multiple IDA configurations. The method continues by generating at least one master key. The method continues by encoding the master key with a secure error coding function to produce master key slices according to the first IDA configuration. The method continues by storing the master key slices in the DSN memory using the first IDA configuration. The method continues by, when storing data with a second IDA configuration having a security level lower than the first IDA configuration, retrieving the master key slices, decoding the master key slices to obtain the master key and encrypting the data using the master key.

Abstract: Machines, systems and methods for recovering data objects in a distributed data storage system, the method comprising storing one or more replicas of a first data object on one or more clusters in one or more data centers connected over a data communications network; recording health information about said one or more replicas, wherein the health information comprises data about availability of a replica to participate in a restoration process; calculating a query-priority for the first data object; querying, based on the calculated query-priority, the health information for the one or more replicas to determine which of the one or more replicas is available for restoration of the object data; calculating a restoration-priority for the first data object based on the health information for the one or more replicas; and restoring the first data object from the one or more of the available replicas, based on the calculated restoration-priority.

Abstract: Machines, systems and methods for recovering data objects in a distributed data storage system, the method comprising storing one or more replicas of a first data object on one or more clusters in one or more data centers connected over a data communications network; recording health information about said one or more replicas, wherein the health information comprises data about availability of a replica to participate in a restoration process; calculating a query-priority for the first data object; querying, based on the calculated query-priority, the health information for the one or more replicas to determine which of the one or more replicas is available for restoration of the object data; calculating a restoration-priority for the first data object based on the health information for the one or more replicas; and restoring the first data object from the one or more of the available replicas, based on the calculated restoration-priority.

Abstract: Machines, systems and methods for recovering data objects in a distributed data storage system, the method comprising storing one or more replicas of a first data object on one or more clusters in one or more data centers connected over a data communications network; recording health information about said one or more replicas, wherein the health information comprises data about availability of a replica to participate in a restoration process; calculating a query-priority for the first data object; querying, based on the calculated query-priority, the health information for the one or more replicas to determine which of the one or more replicas is available for restoration of the object data; calculating a restoration-priority for the first data object based on the health information for the one or more replicas; and restoring the first data object from the one or more of the available replicas, based on the calculated restoration-priority.

Abstract: Machines, systems and methods for recovering data objects in a distributed data storage system, the method comprising storing one or more replicas of a first data object on one or more clusters in one or more data centers connected over a data communications network; recording health information about said one or more replicas, wherein the health information comprises data about availability of a replica to participate in a restoration process; calculating a query-priority for the first data object; querying, based on the calculated query-priority, the health information for the one or more replicas to determine which of the one or more replicas is available for restoration of the object data; calculating a restoration-priority for the first data object based on the health information for the one or more replicas; and restoring the first data object from the one or more of the available replicas, based on the calculated restoration-priority.

Abstract: A method begins by a processing module identifying, for a DSN (Dispersed Storage Network) memory using multiple IDA (Information Dispersal Algorithms) configurations simultaneously, a first IDA configuration with a highest security level relative to each of the multiple IDA configurations. The method continues by generating at least one master key. The method continues by encoding the master key with a secure error coding function to produce master key slices according to the first IDA configuration. The method continues by storing the master key slices in the DSN memory using the first IDA configuration. The method continues by, when storing data with a second IDA configuration having a security level lower than the first IDA configuration, retrieving the master key slices, decoding the master key slices to obtain the master key and encrypting the data using the master key.

Abstract: A method begins by a processing module identifying, for a DSN (Dispersed Storage Network) memory using multiple IDA (Information Dispersal Algorithms) configurations simultaneously, a first IDA configuration with a highest security level relative to each of the multiple IDA configurations. The method continues by generating at least one master key. The method continues by encoding the master key with a secure error coding function to produce master key slices according to the first IDA configuration. The method continues by storing the master key slices in the DSN memory using the first IDA configuration. The method continues by, when storing data with a second IDA configuration having a security level lower than the first IDA configuration, retrieving the master key slices, decoding the master key slices to obtain the master key and encrypting the data using the master key.

Abstract: A method for storage systems improvement includes collecting information that indicates one or more failure correlations for disks in a storage system. The disks are then separated into a plurality of virtual failure domains based on the indicated one or more failure correlations. The method then determines that all data objects of a set of redundant data objects are included in a first virtual failure domain. Responsive to determining that all data objects of the set of redundant data objects are included in the first virtual failure domain, the method then migrates at least one data object of the set of redundant data objects from a first disk in the first virtual failure domain to a second disk in a second virtual failure domain.

Abstract: A method begins by a processing module identifying, for a DSN (Dispersed Storage Network) memory using multiple IDA (Information Dispersal Algorithms) configurations simultaneously, a first IDA configuration with a highest security level relative to each of the multiple IDA configurations. The method continues by generating at least one master key. The method continues by encoding the master key with a secure error coding function to produce master key slices according to the first IDA configuration. The method continues by storing the master key slices in the DSN memory using the first IDA configuration. The method continues by, when storing data with a second IDA configuration having a security level lower than the first IDA configuration, retrieving the master key slices, decoding the master key slices to obtain the master key and encrypting the data using the master key.

Abstract: Aspects of the present invention include a method, system and computer program product for performing data deduplication for eventually consistent distributed data storage (DDS) system. The method includes receiving data content from one or more clients by a DDS system, wherein the one or more clients do not coordinate transmitting of the data content. The method also includes calculating a hash for the data content by the distributed data storage system, writing the data content to an object used for data deduplication, wherein a name of the object is based on the hash and determining whether the data content is present in the distributed data storage system based on the name of an object previously stored on the DDS system. The method further includes keeping track of a number of references to the data content and delaying deletion of the data content for a predetermined period of time.

Abstract: Embodiments include evaluating durability and availability of a distributed storage system. Aspects include receiving a configuration of the distributed storage system, identifying a failure model for each component of the distributed storage system. Aspects also include generating a series of failure events for each component of the distributed storage system based on the failure model and calculating a recovery time for each failed component based on a network recovery bandwidth, a disk recovery bandwidth, a total capacity of simultaneous failed storage devices and a resiliency scheme used by the in the distributed storage system. Aspects further include collecting data regarding the series of failures and the recovery times, calculating an observed distribution of component failures from the collected data and calculating the availability and durability of the distributed storage system based on the observed distribution of component failures and using probabilistic durability and availability models.

Abstract: A method for storage systems improvement includes collecting information that indicates one or more failure correlations for disks in a storage system. The disks are then separated into a plurality of virtual failure domains based on the indicated one or more failure correlations. The method then determines that all data objects of a set of redundant data objects are included in a first virtual failure domain. Responsive to determining that all data objects of the set of redundant data objects are included in the first virtual failure domain, the method then migrates at least one data object of the set of redundant data objects from a first disk in the first virtual failure domain to a second disk in a second virtual failure domain.

Abstract: Embodiments include evaluating durability and availability of a distributed storage system. Aspects include receiving a configuration of the distributed storage system, identifying a failure model for each component of the distributed storage system. Aspects also include generating a series of failure events for each component of the distributed storage system based on the failure model and calculating a recovery time for each failed component based on a network recovery bandwidth, a disk recovery bandwidth, a total capacity of simultaneous failed storage devices and a resiliency scheme used by the in the distributed storage system. Aspects further include collecting data regarding the series of failures and the recovery times, calculating an observed distribution of component failures from the collected data and calculating the availability and durability of the distributed storage system based on the observed distribution of component failures and using probabilistic durability and availability models.

Abstract: Machines, systems and methods for handling a client request in a hierarchical multi-tenant data storage system, the method comprising processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant; extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request; extracting authentication signatures or credentials that correspond to a level in the hierarchy; for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.

Abstract: Embodiments relate to digital data retention management. An aspect includes calculating a retention date associated with a data object in a storage system. Another aspect includes generating a cryptographic checksum for metadata relating to said data object, the metadata comprising the retention date. Another aspect includes storing said metadata and said cryptographic checksum. Another aspect includes, based on receiving a request to perform a deletion transaction on said data object for deleting said data object from the storage system: verifying metadata validity by checking the cryptographic checksum for the metadata associated with said data object to detect possible tampering of the metadata; verifying retention expiration by determining that a current date is past the retention date comprised in said metadata; and based on successful verification of metadata validity and retention expiration, authorizing deletion of said data object by the storage system.

Abstract: A storage appliance system is disclosed which may include at least one application server for locally executing an application, and one or more storage servers in communication with the application server for I/O transmission therebetween. Also disclosed are an application server, a method, and a computer program product.