US-12625999-B2 - Leveraging access controls to secure backup data stored on a cloud-based object storage
Abstract
Described is a system that leverages object storage provided access controls to secure backup data stored on a third-party cloud-based object storage. More particularly, the system may implement a mechanism that ensures that a backup system acts as a gateway for accessing the backup data stored on the object storage. For example, the system may prevent object storage administrative accounts that are authorized to access data directly on the storage from maliciously or inadvertently jeopardizing the integrity of the backup data. Moreover, the backup system may encrypt the backup data to prevent such administrative accounts from performing various backup related operations such as data recovery. Accordingly, to perform backup operations and decrypt the backup data, an account must be authorized by the backup system acting as an exclusive gateway to the backup data stored on a third-party storage.
Inventors
- Shelesh Chopra
- Sunil Yadav
- Tushar Dethe
- Prabhat Kumar Dubey
- Ravi Vijayakumar Chitloor
- Amarendra Behera
- Himanushu Arora
- Jigar Bhanushali
- Deependra Singh
Assignees
- EMC IP Holding Company LLC
Dates
- Publication Date
- 20260512
- Application Date
- 20210224
Claims (20)
- 1 . A system comprising: one or more processors; and a non-transitory computer-readable medium storing a plurality of instructions, which when executed, cause the one or more processors to: perform, by a backup system, a backup of client data stored on a client device to an object storage, which is cloud-based, the backup including encrypting the client data and storing the encrypted data as part of a first set of objects on the object storage, the encrypted data associated with a first backup administrator account, the first backup administrator account being associated with the backup system and the client data stored on the client device, and the object storage having a storage administrator account that manages access to data stored on the object storage, the backup system and the object storage each having separate access accounts, where the storage administrator account of the object storage has a default setting of full access to the data stored on the object storage; maintain, by the backup system, a decryption key for the encrypted data including preventing access to the decryption key from the object storage and the storage administrator account; specify, by the backup system using the first backup administrator account, a set of access controls for the first set of objects including a first setting restricting the storage administrator account to read-only access of the first set of objects stored on the object storage, which is cloud-based, and a second setting allowing full access to the first set of objects by a second backup administrator account, the second backup administrator account being associated with the backup system and the client data stored on the client device, the client data associated with the second backup administrator being one of the same or different than the client data associated with the first backup administrator, such that when a request for a backup operation is made by the storage administrator account, the request for the backup operation is denied based on the storage administrator account not having full access to the first set of objects; receive, by the backup system and from the second backup administrator account, a request to perform a backup operation associated with the first set of objects; and initiate, by the backup system, the backup operation including decrypting the encrypted data using the decryption key, in response to determining the second backup administrator account is allowed full access to the first set of objects.
- 2 . The system of claim 1 , wherein the set of access controls are administered by the object storage.
- 3 . The system of claim 2 , wherein the specifying the set of access controls for the first set of objects includes providing the set of access controls to an access control interface provided by the object storage.
- 4 . The system of claim 3 , wherein the specifying the set of access controls for the first set of objects includes: receiving information to identify backed-up client data stored on the object storage; determining the received information identifies the performed backup; and accessing metadata associated with the performed backup to identify the first set of objects as storing the backed-up client data.
- 5 . The system of claim 1 , wherein the plurality of instructions, when executed, further cause the one or more processors to: store, as part of an access control database maintained by the backup system, information indicating the second administrator account is allowed full access to the first set of objects; and read, in response to the request to perform the backup operation and without accessing the object storage, the access control database to determine whether the second backup administrator account is allowed full access to the first set of objects.
- 6 . The system of claim 5 , wherein the storing, as part of the access control database maintained by the backup system, information indicating the second administrator account is allowed full access to the first set of objects is performed automatically, in response to specifying the set of access controls including the second setting allowing full access to the first set of objects by the second backup administrator account.
- 7 . The system of claim 1 , wherein the first backup administrator account is identified as the owner of the encrypted data by the object storage.
- 8 . The system of claim 1 , wherein the request to perform the backup operation includes a request to perform a recovery of at least a portion of the encrypted data.
- 9 . A method comprising: performing, by a backup system, a backup of client data stored on a client device to an object storage, which is cloud-based, the backup including encrypting the client data and storing the encrypted data as part of a first set of objects on the object storage, the encrypted data associated with a first backup administrator account, the first backup administrator account being associated with the backup system and the client data stored on the client device, and the object storage having a storage administrator account that manages access to data stored on the object storage, the backup system and the object storage each having separate access accounts, where the storage administrator account of the object storage has a default setting of full access to the data stored on the object storage; maintaining, by the backup system, a decryption key for the encrypted data including preventing access to the decryption key from the object storage and the storage administrator account; specifying, by the backup system using the first backup administrator account, a set of access controls for the first set of objects including a first setting restricting the storage administrator account to read-only access of the first set of objects stored on the object storage, which is cloud-based, and a second setting allowing full access to the first set of objects by a second backup administrator account, the second backup administrator account being associated with the backup system and the client data stored on the client device, the client data associated with the second backup administrator being one of the same or different than the client data associated with the first backup administrator, such that when a request for a backup operation is made by the storage administrator account, the request for the backup operation is denied based on the storage administrator account not having full access to the first set of objects; receiving, by the backup system and from the second backup administrator account, a request to perform a backup operation associated with the first set of objects; and initiating, by the backup system, the backup operation including decrypting the encrypted data using the decryption key, in response to determining the second backup administrator account is allowed full access to the first set of objects.
- 10 . The method of claim 9 , wherein the set of access controls are administered by the object storage.
- 11 . The method of claim 10 , wherein the specifying the set of access controls for the first set of objects includes providing the set of access controls to an access control interface provided by the object storage.
- 12 . The method of claim 11 , wherein the specifying the set of access controls for the first set of objects includes: receiving information to identify backed-up client data stored on the object storage; determining the received information identifies the performed backup; and accessing metadata associated with the performed backup to identify the first set of objects as storing the backed-up client data.
- 13 . The method of claim 9 , further comprising: storing, as part of an access control database maintained by the backup system, information indicating the second administrator account is allowed full access to the first set of objects; and reading, in response to the request to perform the backup operation and without accessing the object storage, the access control database to determine whether the second backup administrator account is allowed full access to the first set of objects.
- 14 . The method of claim 13 , wherein the storing, as part of the access control database maintained by the backup system, information indicating the second administrator account is allowed full access to the first set of objects is performed automatically, in response to specifying the set of access controls including the second setting allowing full access to the first set of objects by the second backup administrator account.
- 15 . A computer program product comprising a non-transitory computer-readable medium having a computer-readable program code embodied therein to be executed by one or more processors, the program code including instructions to: perform, by a backup system, a backup of client data stored on a client device to an object storage, which is cloud-based, the backup including encrypting the client data and storing the encrypted data as part of a first set of objects on the object storage, the encrypted data associated with a first backup administrator account, the first backup administrator account being associated with the backup system and the client data stored on the client device, and the object storage having a storage administrator account that manages access to data stored on the object storage, the backup system and the object storage each having separate access accounts, where the storage administrator account of the object storage has a default setting of full access to the data stored on the object storage; maintain, by the backup system, a decryption key for the encrypted data including preventing access to the decryption key from the object storage and the storage administrator account; specify, by the backup system using the first backup administrator account, a set of access controls for the first set of objects including a first setting restricting the storage administrator account to read-only access of the first set of objects stored on the object storage, which is cloud-based, and a second setting allowing full access to the first set of objects by a second backup administrator account, the second backup administrator account being associated with the backup system and the client data stored on the client device, the client data associated with the second backup administrator being one of the same or different than the client data associated with the first backup administrator, such that when a request for a backup operation is made by the storage administrator account, the request for the backup operation is denied based on the storage administrator account not having full access to the first set of objects; receive, by the backup system and from the second backup administrator account, a request to perform a backup operation associated with the first set of objects; and initiate, by the backup system, the backup operation including decrypting the encrypted data using the decryption key, in response to determining the second backup administrator account is allowed full access to the first set of objects.
- 16 . The computer program product of claim 15 , wherein the set of access controls are administered by the object storage.
- 17 . The computer program product of claim 16 , wherein the specifying the set of access controls for the first set of objects includes providing the set of access controls to an access control interface provided by the object storage.
- 18 . The computer program product of claim 17 , wherein the specifying the set of access controls for the first set of objects includes: receiving information to identify backed-up client data stored on the object storage; determining the received information identifies the performed backup; and accessing metadata associated with the performed backup to identify the first set of objects as storing the backed-up client data.
- 19 . The computer program product of claim 15 , wherein the program code includes further instructions to: store, as part of an access control database maintained by the backup system, information indicating the second administrator account is allowed full access to the first set of objects; and read, in response to the request to perform the backup operation and without accessing the object storage, the access control database to determine whether the second backup administrator account is allowed full access to the first set of objects.
- 20 . The computer program product of claim 19 , wherein the storing, as part of the access control database maintained by the backup system, information indicating the second administrator account is allowed full access to the first set of objects is performed automatically, in response to specifying the set of access controls including the second setting allowing full access to the first set of objects by the second backup administrator account.
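The gateway model the claims describe, shown as an added Python simulation (illustrative code written for this page, not the patent holder's implementation): the backup system encrypts client data before storing it as objects, restricts the storage administrator account to read-only access on those objects while granting a second backup administrator full access, keeps the decryption key and an access-control database that the object storage never sees, and decides recovery requests from that database alone. The in-memory `ObjectStorage` and `BackupSystem` classes, the account names and the client data are constructed for the example, and the HMAC-based `_seal`/`_open` cipher is a toy stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

FULL, READ_ONLY = "full", "read-only"


class AccessDenied(Exception):
    """Raised by either layer when an account lacks the required access level."""


def _seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (stand-in for AES-GCM): HMAC-SHA256 keystream in
    counter mode, tag over nonce + associated data + ciphertext."""
    enc_key = hashlib.sha256(key + b"enc").digest()
    mac_key = hashlib.sha256(key + b"mac").digest()
    nonce = secrets.token_bytes(16)
    stream = b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(plaintext) // 32 + 1))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()


def _open(key: bytes, aad: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a tampered object is rejected."""
    enc_key = hashlib.sha256(key + b"enc").digest()
    mac_key = hashlib.sha256(key + b"mac").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()):
        raise ValueError("backup object failed integrity check")
    stream = b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(ct) // 32 + 1))
    return bytes(c ^ s for c, s in zip(ct, stream))


@dataclass
class ObjectStorage:
    """Constructed model of a cloud object store with per-object access controls.
    The storage administrator has full access by default (claim 1) unless an
    object's ACL says otherwise."""
    storage_admin: str
    objects: dict = field(default_factory=dict)  # key -> encrypted bytes
    acls: dict = field(default_factory=dict)     # key -> {account: level}

    def _level(self, key, account):
        acl = self.acls.get(key, {})
        if account in acl:
            return acl[account]
        return FULL if account == self.storage_admin else None

    def put(self, key, data, owner):                 # owner is the first backup admin
        self.objects[key] = data
        self.acls[key] = {owner: FULL}

    def set_acl(self, key, account, level, requester):  # the store's access-control interface
        if self._level(key, requester) != FULL:
            raise AccessDenied(f"{requester} may not change access controls on {key}")
        self.acls[key][account] = level

    def get(self, key, account):
        if self._level(key, account) not in (FULL, READ_ONLY):
            raise AccessDenied(f"{account} may not read {key}")
        return self.objects[key]

    def delete(self, key, account):
        if self._level(key, account) != FULL:
            raise AccessDenied(f"{account} may not delete {key}")
        del self.objects[key]


class BackupSystem:
    """Exclusive gateway: holds the keys and the access-control database."""

    def __init__(self, storage):
        self.storage = storage
        self.keys = {}        # backup_id -> decryption key, never written to the store
        self.access_db = {}   # backup_id -> accounts allowed full access (claim 5)
        self.catalog = {}     # backup_id -> object keys (backup metadata, claim 4)

    def backup(self, backup_id, client_data, owner):
        key = secrets.token_bytes(32)
        self.keys[backup_id] = key
        self.catalog[backup_id] = []
        for name, plaintext in client_data.items():
            obj_key = f"{backup_id}/{name}"
            self.storage.put(obj_key, _seal(key, obj_key.encode(), plaintext), owner)
            self.catalog[backup_id].append(obj_key)
        self.access_db[backup_id] = {owner}

    def grant(self, backup_id, grantor, grantee):
        """First setting: storage admin read-only; second setting: grantee full.
        The local access DB is updated automatically (claim 6)."""
        for obj_key in self.catalog[backup_id]:
            self.storage.set_acl(obj_key, self.storage.storage_admin, READ_ONLY, grantor)
            self.storage.set_acl(obj_key, grantee, FULL, grantor)
        self.access_db[backup_id].add(grantee)

    def recover(self, backup_id, account):
        # Decision is made from the backup system's own DB, without touching the store.
        if account not in self.access_db.get(backup_id, ()):
            raise AccessDenied(f"{account} is not allowed full access to {backup_id}")
        key = self.keys[backup_id]
        return {k.split("/", 1)[1]: _open(key, k.encode(), self.storage.get(k, account))
                for k in self.catalog[backup_id]}


def demo():
    """Run the scenario from the claims and report what each account could do."""
    store = ObjectStorage(storage_admin="storage-admin")
    backup = BackupSystem(store)
    client_data = {"db.sql": b"CREATE TABLE accounts (id INT);", "app.cfg": b"secret=hunter2"}  # constructed
    backup.backup("bk-001", client_data, owner="backup-admin-1")
    backup.grant("bk-001", grantor="backup-admin-1", grantee="backup-admin-2")
    results = {}
    raw = store.get("bk-001/app.cfg", "storage-admin")   # read-only access still works ...
    results["raw_object_is_ciphertext"] = b"hunter2" not in raw
    for label, action in (("storage_admin_delete", lambda: store.delete("bk-001/app.cfg", "storage-admin")),
                          ("storage_admin_recover", lambda: backup.recover("bk-001", "storage-admin"))):
        try:
            action()
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"                       # ... but modification and recovery do not
    results["second_admin_recover"] = backup.recover("bk-001", "backup-admin-2") == client_data
    return results
```

`demo()` returns a dictionary recording that the raw object the storage administrator can still read is ciphertext, that the administrator's delete and recovery attempts are both denied, and that the second backup administrator recovers the original client data through the gateway. Two points of the design are worth noting: the recovery decision never consults the object store, so a compromised or misconfigured store cannot grant itself recovery rights, and the per-object associated data (`obj_key`) binds each ciphertext to its location, so swapping objects between keys fails the integrity check.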
Description
TECHNICAL FIELD
This disclosure relates to cloud-based storage systems, and more particularly, managing access to backup data stored on a cloud-based object storage.
BACKGROUND
Cloud-based storage systems (or on-demand storage systems) may provide various tools that are crucial for enterprise level network clients. For example, clients (or customers) may rely on such systems for data protection and recovery services that efficiently back up and recover data in the event of data loss to allow business applications to remain in service or quickly come back up to service. As part of the data protection and recovery infrastructure, clients may rely on third-party cloud-based storages (or services) to leverage the benefits associated with such systems such as cost efficiency (e.g. pay-per-use model) and scalability. These cloud-based systems may implement an object-based storage architecture, and accordingly, client data may be stored as objects (or data objects).
To allow for the management of client data, the object storage may provide the ability to create a storage administrator account. For example, the storage administrator account may have direct access to the storage allowing the account to monitor and manage the client data. However, the client may store different types of data on the cloud-based object storage, and each type of data may have different security requirements. For example, the client may require that backup data stored on the object storage be subject to enhanced security requirements that are administered by the data protection and recovery infrastructure. These enhanced security requirements may include ensuring the integrity and confidentiality of the backup data. For example, native security measures provided by the cloud-based object storage may not prevent a storage administrator from directly accessing the backup data and performing a recovery procedure. In other words, the storage administrator may potentially circumvent the security mechanisms implemented by the data protection and recovery infrastructure. Accordingly, there is a continued need for mechanisms that allow data protection and recovery infrastructure to secure critical backup data stored on a third-party cloud-based object storage.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated into and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a block diagram illustrating an example of an operating environment that may be used in conjunction with one or more embodiments of the disclosure.
FIG. 2 is a diagram illustrating an example configuration of controlling access to backup data stored on an object storage according to one or more embodiments of the disclosure.
FIG. 3 is a flow diagram illustrating an example process for authorizing a backup operation to be performed on backup data stored by an object storage according to one or more embodiments of the disclosure.
FIG. 4 is a flow diagram illustrating an example method of specifying access controls for backup data stored on an object storage according to one or more embodiments of the disclosure.
FIG. 5 is a block diagram illustrating an example of a computing system that may be used in conjunction with one or more embodiments of the disclosure.
DETAILED DESCRIPTION
Various embodiments and aspects of the disclosures will be described with reference to details discussed below, and the accompanying drawings will illustrate the various embodiments. The following description and drawings are illustrative of the disclosure and are not to be construed as limiting the disclosure. Numerous specific details are described to provide a thorough understanding of various embodiments of the present disclosure. However, in certain instances, well-known or conventional details are not described in order to provide a concise discussion of embodiments of the present disclosure.
Although these embodiments are described in sufficient detail to enable one skilled in the art to practice the disclosed embodiments, it is understood that these examples are not limiting, such that other embodiments may be used and changes may be made without departing from their spirit and scope. For example, the operations of methods shown and described herein are not necessarily performed in the order indicated and may be performed in parallel. It should also be understood that the methods may include more or fewer operations than are indicated. In some embodiments, operations described herein as separate operations may be combined. Conversely, what may be described herein as a single operation may be implemented in multiple operations. Reference in the specification to "one embodiment" or "an embodiment" or "some embodiments," means that a particular feature, structure, or characteristic described in conjunction with the embodiment can be included i