Abstract: Disclosed herein are methods, systems, and processes to improve the duplication of data between disparate deduplication systems. Source fingerprints are generated for data blocks using a source fingerprint algorithm at a source deduplication system. The source fingerprints and previously-generated source fingerprints are used to determine whether the data blocks are new or modified. If the data blocks are new or modified, target fingerprints are generated for the data blocks using a target fingerprint algorithm associated with a target deduplication system. The target fingerprints are sent to the target deduplication system.

Abstract: Disclosed herein are methods, systems, and processes to improve the duplication of data between disparate deduplication systems. Source fingerprints are generated for data blocks using a source fingerprint algorithm at a source deduplication system. The source fingerprints and previously-generated source fingerprints are used to determine whether the data blocks are new or modified. If the data blocks are new or modified, target fingerprints are generated for the data blocks using a target fingerprint algorithm associated with a target deduplication system. The target fingerprints are sent to the target deduplication system.

Abstract: Disclosed herein are methods, systems, and processes to improve the duplication of data between disparate deduplication systems. Source fingerprints are generated for data blocks using a source fingerprint algorithm at a source deduplication system. The source fingerprints and previously-generated source fingerprints are used to determine whether the data blocks are new or modified. If the data blocks are new or modified, target fingerprints are generated for the data blocks using a target fingerprint algorithm associated with a target deduplication system. The target fingerprints are sent to the target deduplication system.

Abstract: Disclosed herein are methods, systems, and processes to improve the duplication of data between disparate deduplication systems. Source fingerprints are generated for data blocks using a source fingerprint algorithm at a source deduplication system. The source fingerprints and previously-generated source fingerprints are used to determine whether the data blocks are new or modified. If the data blocks are new or modified, target fingerprints are generated for the data blocks using a target fingerprint algorithm associated with a target deduplication system. The target fingerprints are sent to the target deduplication system.

Abstract: Various systems and methods to display information regarding duplication operations and to configure duplication operations. For example, information regarding policies that can be included in a duplication operation is presented via a display. The display receives selection of one or more of the policies. In response to the selection, the display updates to reflect how much of a bucket has been allocated and how much is available, where the bucket specifies an amount of time and is calculated as a function of a duplication window duration.

Abstract: A computer-implemented method for preventing failures of nodes in clusters may include (1) identifying a node that is part of a cluster of nodes and that communicates, via a heartbeat sent at a regular interval to the cluster, that the node is functional and connected to the cluster, (2) calculating a current workload for the node based on a utilization of computing resources on the node, (3) determining, based on the current workload, that the node is functional and connected but is in an excessive load condition and a failure to send the heartbeat within the regular interval is due to the excessive load condition, and (4) setting a new interval for the heartbeat of the node that is longer than the regular interval in response to determining that the node cannot send the heartbeat at the regular interval. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Various systems and methods for seeding a storage device. For example, a method involves accessing a policy that identifies a number of clients. The method then involves selecting a most recent backup image for each of the clients and copying the most recent backup images from a source storage device to a target storage device. Once a most recent backup image has been copied from the source storage device to the target storage device for each of the clients, the method switches a destination value in the policy from the source storage device to the target storage device.

Abstract: Various systems and methods for configuring a duplication operation. For example, a method involves specifying a duplication window, a source storage device, and a target storage device. When a duplication operation is executed, data is copied from the source storage device to the target storage device during the duplication window. The method also involves calculating a predicted duplication rate, where the predicted duplication rate is an estimate of a rate at which data can be copied from the source storage device to the target storage device.

Abstract: A method and apparatus for remediating backup data to control access to sensitive data is described. In one embodiment, the method for facilitating sensitive data remediation from backup images without a separate data store includes examining the backup images to identify sensitive data and modifying remediation information associated with the sensitive data, wherein the remediation information restricts access to the sensitive data to at least one corresponding access group.

Abstract: A system and method is disclosed for implementing an enterprise rights management (ERM) system that enables effective data deduplication of ERM-protected data. An ERM-aware application may segment data, such as a file, into one or more data segments. The chosen segmentation boundaries may depend on data already stored on a target storage system and/or on a segmentation scheme used by a target deduplication system. An ERM-aware application may derive a respective convergent encryption key for each data segment, the convergent encryption key being dependent on the contents of the data segment, and encrypt the data segment using that key. The ERM-aware application may include the respective convergent decryption keys (which may be identical to the respective convergent encryption keys) in a publishing license of the ERM-protected file.

Abstract: A system and method for efficient transfer of encrypted data over a low-bandwidth network. A backup server and a client computer are coupled to one another via a first network. The backup server is coupled to a remote data storage via another network, such as the Internet, also referred to as a cloud. The backup server encrypts received data for backup from the client computer. Cryptography segment and sub-segment sizes may be chosen that are aligned on a byte boundary with one another and with selected backup segment and sub-segment sizes used by backup software on the remote data storage. A selected cryptography algorithm has a property of allowing a given protected sub-segment with the cryptography sub-segment size to be decrypted by initially decrypting an immediate prior protected sub-segment that has the same cryptography sub-segment size. Therefore, the size of data transmitted via the cloud may be smaller than the cryptography segment size.

Abstract: Various systems and methods for configuring a duplication operation. For example, a method involves specifying a duplication window, a source storage device, and a target storage device. When a duplication operation is executed, data is copied from the source storage device to the target storage device during the duplication window. The method also involves calculating a predicted duplication rate, where the predicted duplication rate is an estimate of a rate at which data can be copied from the source storage device to the target storage device.

Abstract: Various systems and methods to display information regarding duplication operations and to configure duplication operations. For example, information regarding policies that can be included in a duplication operation is presented via a display. The display receives selection of one or more of the policies. In response to the selection, the display updates to reflect how much of a bucket has been allocated and how much is available, where the bucket specifies an amount of time and is calculated as a function of a duplication window duration.

Abstract: A system and method is disclosed for implementing a data loss prevention (DLP) system configured to protect sensitive data in conjunction with corresponding content indexing (CI) metadata. In response to detecting a data loss risk, such as to data at rest (e.g., stored on a file system) and/or to data in motion (e.g., data being transmitted across a network) the system may perform any number of data loss prevention actions, including sequestering the data. The system may utilize an interface to a content indexing system in order to discover CI metadata associated with the data and sequester the CI metadata associated with the data. One or more common sequestration rules may be applied to the sequestration of the data and of the metadata. For example, the data and metadata may be encrypted using the same key and/or sequestered in the same location.

Abstract: The payload of a set of storage devices is encrypted using a payload key that is stored within the set of storage devices itself. However, the payload key is obtainable only if a user has access to n of the storage devices. A first set of keys can be distributed among a set of n storage devices, such that each key is usable to encrypt and/or decrypt a key stored on a different one of the n storage devices. The first set of keys is usable to encrypt portions of the information needed to regenerate another key (e.g., the payload key or a key used to encrypt the payload key). A different portion of the information needed to regenerate the other key is stored on each of the n storage devices. Accordingly, the other key cannot be obtained unless the user has access to all n storage devices.

Abstract: Various techniques for coordinating the resource allocation and management capabilities of a backup application with the power saving features provided by a storage array are disclosed. One method involves accessing power management information associated with a logical storage unit (LSU) and image property information that indicates a future pattern of access to a backup image. The method also involves selecting the LSU, based upon both the power management information and the image property information, and then causing the backup image to be written to the LSU. Another method, performed by a backup module, involves receiving power management information associated with a storage array, selecting a logical storage unit (LSU) implemented on the storage array, based upon the power management information, and performing a backup storage management operation on the LSU, in response to selecting the LSU.

Abstract: Techniques for controlling data backup operations are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for data backup. The method may include receiving a minimum write speed for a plurality of tape drives. The method may further include controlling data writes for the plurality of tape drives such that data may be attempted to be written to each tape drive at or above the minimum write speed for each tape drive.

Abstract: The traditional data retention attribute is used to intelligently select appropriate data encryption keys. Key life cycles are calibrated with data retention periods, such that encryption keys and the corresponding data are both available at the same time. A data management system passes a data retention period to a key management system as part of a request for a key. The key management system uses the received data retention period as a factor in selecting a key, such that the key life cycle is calibrated to the data retention period. The data management system then utilizes the key in encryption operations concerning corresponding data.

Abstract: Various methods and systems for selectively protecting against chosen plaintext attacks when encrypting data for storage on an untrusted storage system are disclosed. One method involves generating an encryption key for use in encrypting data and generating an identifier for the data. Generation of the encryption key is based upon a hash of the data to be encrypted, and generation of the identifier is based upon the data to be encrypted and/or the encryption key. The method also involves detecting whether an encrypted copy of the data is already stored by a storage system, based upon the identifier. The method also detects whether a higher level of security has been specified for the data and, if so, modifies the data to be encrypted or the encryption key, based upon a client-specific value, prior to generating the identifier.

Abstract: A system and method is disclosed for implementing a data loss prevention (DLP) system capable of detecting transmission attempts involving encrypted data. In response to detecting that the data is encrypted, such a DLP system may perform any number of configurable DLP actions, such as blocking the data transmission attempt and/or sequestering the data. The DLP system may determine that the data is encrypted, based at least in part, on a value of a compressibility measure of the data, such as a compression ratio. The DLP system may leverage other operating system and/or file system capabilities, such as file extensions, magic numbers, or other utilities. The DLP system may determine if the data is compressed rather than encrypted by attempting to decompress the file.