Abstract: Apparatus and method for distributed authentication in a data storage system using block chain technology. In some embodiments, a requested transaction is generated to perform a selected security operation upon a data processing device in a computer network. The requested transaction is validated and propagated to a plurality of nodes. The nodes use a consensus mechanism to quasi-randomly select a particular node to generate a new block listing the requested transaction. The new block is validated, propagated among the plurality of nodes, and added to a block chain data structure. A processing node processes the requested transaction from the block chain data structure to authorize the selected security operation. Credits may be debited and credited between requesting nodes and the processing node for each transaction. Different types of credits may be used for different types of security operations.

Abstract: Apparatus and method for managing data objects in a distributed data storage system, such as a cloud computing environment. In some embodiments, a data object is encrypted using a user encryption key to generate ciphertext. A first hash function is applied to the ciphertext and an audit encryption key to generate a first hash value. An audit value is formed by combining the ciphertext and the first hash value, and the audit value is locally encrypted and stored to non-volatile memory (NVM) of each of a plurality of storage nodes. An audit process is performed to confirm each of the encrypted replicas store identical copies of the ciphertext. This is carried out by decrypting the ciphertext and applying a second hash function to the ciphertext and the audit encryption key by each storage node to form a plurality of second hash values which are then compared by an audit processor.

Abstract: Apparatus and method for data security using adaptive selection of intrusion traps in relation to workload. In some embodiments, a data storage device has a non-volatile memory (NVM). A device controller circuit services data transfer commands received from a host device to transfer data between the host device and the NVM. A security controller circuit monitors the received data transfer commands and enacts a change in security policy to implement one or more intrusion traps associated with the NVM in response to the received data transfer commands. The intrusion traps constitute memory locations that are configured to normally store user data, but are not normally accessed during the servicing of the currently received data transfer commands.

Abstract: Apparatus and method for managing data objects in a distributed data storage system, such as a cloud computing environment. In some embodiments, a data object is encrypted using a user encryption key to generate ciphertext. A first hash function is applied to the ciphertext and an audit encryption key to generate a first hash value. An audit value is formed by combining the ciphertext and the first hash value, and the audit value is locally encrypted and stored to non-volatile memory (NVM) of each of a plurality of storage nodes. An audit process is performed to confirm each of the encrypted replicas store identical copies of the ciphertext. This is carried out by decrypting the ciphertext and applying a second hash function to the ciphertext and the audit encryption key by each storage node to form a plurality of second hash values which are then compared by an audit processor.

Abstract: Apparatus and method for data security using adaptive selection of intrusion traps in relation to workload. In some embodiments, a data storage device has a non-volatile memory (NVM). A device controller circuit services data transfer commands received from a host device to transfer data between the host device and the NVM. A security controller circuit monitors the received data transfer commands and enacts a change in security policy to implement one or more intrusion traps associated with the NVM in response to the received data transfer commands. The intrusion traps constitute memory locations that are configured to normally store user data, but are not normally accessed during the servicing of the currently received data transfer commands.