KR102717611B1 - Apparatus and method for processing sensitive data - Google Patents

Abstract

A sensitive data processing device and method are disclosed. A sensitive data processing device according to an embodiment of the present invention includes one or more processors and an execution memory storing at least one program executed by the one or more processors, wherein the at least one program reads sensitive data stored in a storage device from a data non-protected area, transfers the sensitive data to a data protected area using a sensitive data storage endpoint of the data protected area, processes the sensitive data using at least one endpoint when a sensitive data service command requested by a client device is received from the data non-protected area in the data protected area, and transfers a result of processing the sensitive data to the client device in the data non-protected area.

Description

{APPARATUS AND METHOD FOR PROCESSING SENSITIVE DATA}

The present invention relates to a sensitive data processing technology, and more specifically, to a technology for simultaneously supporting processing services for data while fundamentally blocking leakage of sensitive data by using a data protection area.

Currently, the technology development and market demand for cloud computing, which allows users to rent and use desired services without time and place restrictions, is increasing. Cloud computing can provide users with desired network, storage, and computing services via the Internet without having to build dedicated HW and SW for each user.

In the case of storage systems related to data storage services among cloud computing technologies, users can simply request data storage through a safe and convenient service interface provided by the system. At this time, a cloud integrated storage system is being developed in which data is stored in a single-form storage that integrates on-premise and public cloud storage.

In particular, the cloud integrated storage system can manage and operate a single on-premise-public storage that can take advantage of both the on-premise storage owned by companies and organizations and the public cloud storage provided by cloud service providers.

Cloud integrated storage systems can provide a converged storage infrastructure service that secures the elasticity and cost efficiency of storage space through a single-form on-premise-public storage and guarantees control and reliability of sensitive data.

Through this, the cloud integrated storage system can expand the convenience of utilizing cloud services for new business creation and various fields.

The trends of similar systems in the past are as follows:

'IDC 3rd Platform (real-time analysis, IoT, AI computing)' is seeing an increasing demand to build and introduce hybrid cloud computing services to support operations.

'IDC 3rd Platform (Real-time Analysis, IoT, AI Computing)' aims to support the expansion of computing resources by integrating various cloud models into one and improve automation and management efficiency of computing environments.

HP provides REST API-based infrastructure management capabilities based on the OpenStack architecture, and some services offer its open source Helion Eucalyputs platform, which is designed to be compatible with Amazon AWS.

VMware announced vCHS (vCloud Hybrid Service), which provides integrated server, storage, and network virtualization technologies based on existing VMware virtualization and infrastructure.

Rackspace is focusing on expanding its cloud infrastructure business, integrating cloud servers, corporate SAN storage, and supporting data protection through Cisco ASA firewalls.

Avere FlashCloud from Avere Systems and Storsimple from MS have cloud storage gateway technology with a storage tiering structure that divides local and cloud storage according to data usage frequency to provide data backup and archive, Tier 2-level applications, and disaster recovery services.

The technology that operates the same data in the form of replication on both local and public storage is the cloud storage gateway copy structure, and there is a Ctera Networks Cloud Storage Gateway solution. The technology additionally provides file distribution and file synchronization and sharing services.

Cloud integrated storage is a storage system that operates by integrating on-premise storage and cloud storage. Cloud integrated storage can automatically distribute and store data or move data to on-premise storage and cloud storage based on the characteristics of the data. In addition, data can be manually stored in a specific on-premise storage or cloud storage by user command.

Data stored in storage is used for various data processing services, but there is still a risk of data leakage when servicing security-sensitive data such as financial, medical, and personal information. In particular, the risk of data leakage increases when servicing such data on the cloud. This is because, even if on-premise or cloud systems provide various security functions, they cannot fundamentally block various hacking techniques and data leakage by humans.

Data is stored in storage after being encrypted for security. Encrypted data is safe because it cannot be decrypted without a key even if it is leaked. However, in order to perform data processing services for the data, the encrypted data must be decrypted. If the decrypted data is leaked, sensitive data is exposed as it is, which is problematic. Therefore, in existing systems that provide processing services for sensitive data, there is no way to fundamentally block data leakage.

Meanwhile, Korean Patent Publication No. 10-2015-0040017, “Mobile Sensitive Data Management Method and Entrusted Server Performing Same,” discloses a mobile sensitive data management method and an entrusted server performing the same, which strengthens data protection, minimizes damage from data exposure due to device loss, and prevents installation of illegal software by entrusting storage of a user’s sensitive data in a mobile terminal using an entrusted server and verifying the validity of app software installed in the mobile terminal.

The purpose of the present invention is to fundamentally block the leakage of sensitive data stored in storage while simultaneously supporting processing services for sensitive data.

In addition, the present invention aims to provide a sensitive data processing service by decrypting encrypted data stored in storage and to fundamentally block the leakage of sensitive data.

In addition, the present invention aims to improve the read/write performance of integrated storage that integrates cloud storage and on-premise storage.

In addition, the present invention aims to provide a data storage service with the same performance as cloud storage and on-premise storage included in the integrated storage.

Additionally, the present invention aims to move user data based on the elasticity and cost efficiency of storage space.

In addition, the present invention aims to provide an integrated storage service that meets the needs of users by supporting various cloud storages such as Amazon S3 and MS Azure.

In addition, the present invention aims to provide access speeds to cloud storage at the level of on-premise storage.

In addition, the present invention aims to provide a service interface that allows users to access cloud integrated storage using various service protocols.

In addition, the present invention aims to provide various types of storage services, such as conventional traditional file and block-level storage services and object-based storage services provided by recent cloud storage.

In addition, the present invention aims to ensure the confidentiality of user data by ensuring secure data transmission between on-premise storage and cloud storage.

In addition, the present invention aims to prevent data loss due to system errors.

In addition, the present invention aims to support a multi-tenant function that performs multiple cloud services simultaneously.

According to an embodiment of the present invention for achieving the above object, a sensitive data processing device comprises: one or more processors; and an execution memory storing at least one program executed by the one or more processors, wherein the at least one program reads sensitive data stored in a storage device in a data non-protected area, transfers the sensitive data to a data protected area using a sensitive data storage endpoint of the data protected area, processes the sensitive data using at least one endpoint when a sensitive data service command requested by a client device is received from the data non-protected area in the data protected area, and transfers a result of processing the sensitive data to the client device in the data non-protected area.

At this time, the data protection area may have input/output functions provided by the operating system blocked, and memory access from outside the data protection area may be blocked based on hardware functions and virtualization functions.

At this time, the at least one program can receive a decryption key for decrypting the encrypted sensitive data from the storage device in the data non-protected area, and transmit the decryption key to the data protected area using the key storage endpoint of the data protected area.

At this time, the at least one program can decrypt the sensitive data using the decryption key in the data protection area, and process the decrypted sensitive data by a sensitive data service command from the client device received from the data non-protection area using the sensitive data service endpoint.

At this time, the at least one program can store the processing result of the sensitive data in the data protection area through the sensitive data service gateway, and transmit the processing result of the sensitive data to the data non-protection area.

At this time, the at least one program can store, in the data protection area, a service acquisition of the sensitive data in a non-protected data memory area through the sensitive data service gateway, copy and store the service acquisition of the sensitive data stored in the non-protected data memory area in a data protection memory area, and process the sensitive data using the service acquisition of the sensitive data stored in the data protection memory area.

At this time, the at least one program can store the processing result of the sensitive data in the data protection area through the sensitive data service gateway, copy the processing result of the sensitive data stored in the data protection memory area to the data non-protection memory area and store it, and transfer the processing result of the sensitive data stored in the data non-protection memory area to the data non-protection area.

At this time, the data protection area includes at least one endpoint for processing the sensitive data, and can process the sensitive data using an endpoint called from the data non-protection area.

At this time, the data protection area may include an endpoint that receives a call for starting the transmission of the sensitive data from the data non-protection area, an endpoint that receives the decryption key, an endpoint that receives the sensitive data to the data protection area, and an endpoint that receives a call for ending the transmission of the sensitive data.

At this time, the at least one program can check a tag preset for service acquisition of the sensitive data by an endpoint included in the data protection area, and process the sensitive data using information corresponding to the tag.

In addition, according to an embodiment of the present invention for achieving the above purpose, a sensitive data processing method is provided in a sensitive data processing device, comprising: a step of reading sensitive data stored in a storage device in a data non-protection area, and transferring the sensitive data to a data protection area using a sensitive data storage endpoint; a step of processing the sensitive data using at least one endpoint when a sensitive data service command requested by a client device is received from the data non-protection area in the data protection area; and a step of transferring a processing result of the sensitive data to the client device in the data non-protection area.

At this time, the data protection area may have input/output functions provided by the operating system blocked, and memory access from outside the data protection area may be blocked based on hardware functions and virtualization functions.

At this time, the step of transmitting the sensitive data may include receiving a decryption key for decrypting the encrypted sensitive data from the storage device in the data non-protection area, and transmitting the decryption key to the data protection area using the key storage endpoint of the data protection area.

At this time, the step of processing the sensitive data may include decrypting the sensitive data using the decryption key in the data protection area, and processing the decrypted sensitive data by a sensitive data service command from the client device received from the data non-protection area using the sensitive data service endpoint.

At this time, the step of transmitting the processing result of the sensitive data may store the processing result of the sensitive data in the data protection area through a sensitive data service gateway, and transmit the processing result of the sensitive data to the data non-protection area.

At this time, the step of processing the sensitive data may include: storing the service acquisition of the sensitive data in a non-protected data memory area through the sensitive data service gateway in the data protection area, copying and storing the service acquisition of the sensitive data stored in the non-protected data memory area in a data protection memory area, and processing the sensitive data using the service acquisition of the sensitive data stored in the data protection memory area.

At this time, the step of transmitting the processing result of the sensitive data may include storing the processing result of the sensitive data in the data protection memory area through the sensitive data service gateway in the data protection area, copying and storing the processing result of the sensitive data stored in the data protection memory area in the data non-protection memory area, and transmitting the processing result of the sensitive data stored in the data non-protection memory area to the data non-protection area.

At this time, the data protection area includes at least one endpoint for processing the sensitive data, and can process the sensitive data using an endpoint called from the data non-protection area.

At this time, the data protection area may include the sensitive data storage endpoint, the key storage endpoint, an endpoint that receives a call to start transmission of the sensitive data from the data non-protection area, and an endpoint that receives a call to end transmission of the sensitive data from the data non-protection area.

At this time, the endpoint included in the data protection area can check the tag preset for the service acquisition of the sensitive data and process the sensitive data using information corresponding to the tag.

In addition, an integrated storage management device according to an embodiment of the present invention for achieving the above-described purpose includes: a data distribution and storage unit for distributing data to be stored in an integrated storage including on-premise storage and cloud storage; a storage management unit for connecting the integrated storage to store the distributed data and providing storage tiering information of the data to be stored; a data manipulation unit for providing the integrated storage as a virtual data storage regardless of the actual storage location of the data; and a storage connection unit for providing an interface to a user with the generated virtual data storage as a single virtual storage; wherein the storage tiering information may vary depending on the performance of the storage, the usage time of the data, and the access cycle of the data.

At this time, the storage connector provides a user access mechanism for using the single virtual storage, and the user access mechanism may vary depending on the type of the single virtual storage.

At this time, the data manipulation unit can convert and store data stored in the single virtual storage according to at least one conversion process among segmentation, encryption, and compression.

In addition, according to an embodiment of the present invention for achieving the above-mentioned object, an integrated storage management method of an integrated storage management device includes: a data distribution step of distributing data for storage in an integrated storage including on-premise storage and cloud storage; a storage management step of connecting the integrated storage to store the distributed data and providing storage tiering information of the data to be stored; and a data management step of providing the integrated storage as a virtual data storage regardless of the actual storage location of the data and providing an interface to the virtual data storage as a single virtual storage to a user; wherein the storage tiering information may vary depending on the performance of the storage, the usage time of the data, and the access cycle of the data.

At this time, the data management step provides a user access mechanism for using the single virtual storage, and the user access mechanism may vary depending on the type of the single virtual storage.

At this time, the data management step can store data stored in the single virtual storage by converting it through at least one of the conversion processes of segmentation, encryption, and compression.

The present invention can fundamentally block the leakage of sensitive data stored in storage while simultaneously supporting processing services for sensitive data.

In addition, the present invention provides a sensitive data processing service by decrypting encrypted data stored in storage, and can fundamentally block leakage of sensitive data.

In addition, the present invention can improve the read/write performance of integrated storage that integrates cloud storage and on-premise storage.

In addition, the present invention can provide a data storage service with the same performance as cloud storage and on-premise storage included in the integrated storage.

Additionally, the present invention can move user data based on the elasticity and cost efficiency of storage space.

In addition, the present invention can provide an integrated storage service that meets the needs of users by supporting various cloud storages such as Amazon S3 and MS Azure.

Additionally, the present invention can provide access speeds to cloud storage at the level of on-premise storage.

Additionally, the present invention can provide a service interface to enable users to access cloud integrated storage using various service protocols.

In addition, the present invention can provide various types of storage services, such as conventional traditional file and block-level storage services and object-based storage services provided by recent cloud storage.

In addition, the present invention can ensure the confidentiality of user data by ensuring secure data transmission between on-premise storage and cloud storage.

Additionally, the present invention can prevent data loss due to system errors.

In addition, the present invention provides a cloud integrated storage in the form of an appliance in which storage hardware and software are integrated into one for the convenience of users, thereby allowing for easy system construction.

In addition, the present invention can support a multi-tenant function that performs multiple cloud services simultaneously.

FIG. 1 is a block diagram illustrating an integrated storage system according to one embodiment of the present invention.
FIG. 2 is a block diagram illustrating an integrated storage management device according to one embodiment of the present invention.
FIG. 3 is a block diagram illustrating in detail an example of a storage connection unit illustrated in FIG. 2.
Figure 4 is a block diagram showing in detail an example of the data manipulation unit illustrated in Figure 2.
FIG. 5 is a drawing showing an example of a RAM disk according to one embodiment of the present invention.
FIG. 6 is a drawing showing in detail the operation of a data distribution and storage unit and a backend storage management unit according to one embodiment of the present invention.
Figure 7 is a flow chart illustrating an integrated storage management method according to one embodiment of the present invention.
FIG. 8 is a diagram showing the relationship between an integrated storage management device and a service provider according to one embodiment of the present invention.
FIG. 9 is a flowchart illustrating an integrated storage management method for registering a storage service according to one embodiment of the present invention.
FIG. 10 is a block diagram illustrating an integrated storage management device according to an embodiment of the present invention.
FIG. 11 is a block diagram illustrating a multi-tenant-based integrated storage management device using a backend connection daemon according to one embodiment of the present invention.
FIG. 12 is a flowchart illustrating a multi-tenant-based integrated storage management method for providing storage services according to one embodiment of the present invention.
FIG. 13 is a diagram illustrating a computer system according to one embodiment of the present invention.
FIG. 14 is a drawing showing an integrated storage system according to one embodiment of the present invention.
FIG. 15 is a diagram illustrating a multi-storage type and access mechanism for data access in an integrated storage system according to one embodiment of the present invention.
Figure 16 is according to one embodiment of the present invention.
FIG. 17 is a diagram illustrating a use case of an integrated storage management system according to one embodiment of the present invention.
FIG. 18 is a flowchart illustrating a registration process of data storage for an integrated storage service according to an embodiment of the present invention.
FIG. 19 is a block diagram showing a sensitive data processing device according to one embodiment of the present invention.
FIG. 20 is a block diagram illustrating in detail an example of a cloud integrated storage device and a data non-protection area processing unit illustrated in FIG. 19.
Figure 21 is a block diagram showing in detail an example of a data non-protection area processing unit and a data protection area processing unit illustrated in Figure 20.
Figure 22 is a block diagram showing in detail an example of the sensitive data service gateway unit illustrated in Figure 21.
Figure 23 is a flow chart showing a sensitive data processing method according to one embodiment of the present invention.
Figure 24 is a flow chart showing a sensitive data processing method in a data non-protection area processing unit and a data protection area processing unit according to one embodiment of the present invention.
Figure 25 is a flow chart showing a sensitive data processing method in a sensitive data service gateway unit according to one embodiment of the present invention.
FIGS. 26 and 27 are block diagrams illustrating in detail an integrated storage management function according to one embodiment of the present invention.

The present invention will be described in detail with reference to the attached drawings as follows. Herein, repeated descriptions, well-known functions that may unnecessarily obscure the gist of the present invention, and detailed descriptions of configurations are omitted. The embodiments of the present invention are provided to more completely explain the present invention to those with average knowledge in the art. Accordingly, the shapes and sizes of elements in the drawings may be exaggerated for a clearer description.

Throughout the specification, whenever a part is said to "include" a component, this does not mean that it excludes other components, but rather that it may include other components, unless otherwise stated.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the attached drawings.

FIG. 1 is a block diagram illustrating an integrated storage system according to one embodiment of the present invention.

Referring to FIG. 1, an integrated storage system according to one embodiment of the present invention may include a user client device (10), an integrated storage management device (100), and an integrated storage (20).

A user client device (10) can request a service of the integrated storage (20) and receive the service through the integrated storage management device (100).

Unified storage (20) may include cloud storage (21) and non-cloud storage (22).

Cloud storage (21) may correspond to public cloud storage provided by a business operator.

Non-cloud storage (22) may correspond to on-premise storage owned by companies and institutions.

The integrated storage management device (100) can manage and operate the cloud storage (21) and non-cloud storage (22) included in the integrated storage (20) in a single form.

At this time, the integrated storage management device (100) can provide cloud services with the same level of performance that cannot identify whether the user is accessing cloud storage (21) or non-cloud storage (22).

FIG. 2 is a block diagram showing an integrated storage management device according to an embodiment of the present invention. FIG. 3 is a block diagram showing in detail an example of a storage connection unit shown in FIG. 2. FIG. 4 is a block diagram showing in detail an example of a data manipulation unit shown in FIG. 2.

Referring to FIG. 2, an integrated storage management device (100) according to one embodiment of the present invention includes a storage connection unit (110), a data manipulation unit (120), a data distribution and storage unit (130), a backend storage management unit (140), and a provisioning and policy management unit (150).

The storage connection unit (110) can be linked with the integrated storage (20) to provide the service of the integrated storage (20) to the user.

Referring to FIG. 3, the storage connection unit (110) may include a virtual block device service engine (111), a file system service engine (112), and an object storage service engine (113).

At this time, the storage connection (110) can provide protocol processing of block, file and object storage, IO interface and acceleration functions to improve the same.

At this time, the storage connection unit (110) can basically provide the user with a block device and file system service, which are traditional storage service interfaces, and can also provide a recently introduced object storage interface.

The data manipulation unit (120) can provide users with a virtual disk pool to provide a single storage view of the entire storage system.

That is, the data manipulation unit (120) can configure a virtual disk pool using fast storage resources and provide storages as virtual disks to users.

Accordingly, users may be presented with a single storage configuration without considering where the data is actually stored, even though the data is physically distributed across different types of storage.

At this time, the data manipulation unit (120) can provide data management functions such as snapshots, fast replication, and distributed transaction logs.

At this time, the data manipulation unit (120) can provide a write buffer or read cache function to the user in case of a data write or data read operation.

At this time, the data manipulation unit (120) can guarantee a fast response time to the user by using memory, SSD, and PCIe flash card.

At this time, the data manipulation unit (120) can provide a read/write cache of data for providing the service of the integrated storage using a RAM disk.

The data manipulation unit (120) can provide a cache function for data stored in public cloud storage (cloud storage (21)). Data stored in public cloud storage is slower than on-premise storage (non-cloud storage (22)) because the data is transmitted through the Internet.

Additionally, since data is automatically distributed and stored in public cloud storage without the user's knowledge, high-speed access to data stored in public cloud storage is required.

The data manipulation unit (120) can cache data stored in public cloud storage as a storage device within the cloud integrated storage operation platform, thereby providing access speeds for public cloud storage at the level of on-premise storage.

Referring to FIG. 4, the data manipulation unit (120) may include an in-memory name space block (121), a read cache unit (122), a write cache unit (123), an in-memory deduplication engine (124), and an in-memory data compression engine (125).

The in-memory name space block (121) stores information that is read and written periodically to access actual data, and can guarantee high-speed access speed.

At this time, the in-memory name space block (121) can provide data storage and management functions by storing information required for data access in high-speed main memory.

At this time, the in-memory name space block (121) has limitations in its capacity or volatile storage medium. Therefore, backup is performed through real-time backup, and the backed-up name space block can perform a high availability function through clustering of multiple nodes (virtual machines or physical servers).

At this time, the data manipulation unit (120) may simultaneously perform an in-memory-based namespace block (121) and an in-memory deduplication engine (124), which is a data compression structure, and an in-memory data compression engine (125) in the in-memory block to provide fast performance of the integrated storage structure.

At this time, the data manipulation unit (120) must ensure a high-speed access speed of the global namespace for actual data access and can provide a high-speed processing method to store and read the data at a high speed.

The read cache unit (122) and the write cache unit (123) may be configured in the form of a single disk including RAM corresponding to the main memory and an SSD (Solid State Drive) in the form of a RAM disk.

The read cache unit (122) and the write cache unit (123) can perform real-time backup with SSD due to the characteristics of volatile memory.

At this time, the read cache unit (122) and the write cache unit (123) can be automatically switched to the SSD-based cache area when the RAM-based cache area is exhausted.

At this time, the read cache unit (122) and the write cache unit (123) can provide a form that returns immediately when a user performs a write operation in a memory area for a fast write response.

The in-memory deduplication engine (124) and the in-memory data compression engine (125) may correspond to the data distribution and storage unit (130) described below.

That is, the data distribution and storage unit (130) may be included in the data manipulation unit (120).

The in-memory deduplication engine (124) can provide a function to distribute and store data across multiple physical devices to prevent data loss.

At this time, the in-memory deduplication engine (124) can detect the occurrence of data errors and apply error detection and recovery coding that can correct them, thereby dealing with data and system errors.

The in-memory data compression engine (125) can perform a compression function on actual data stored in backend storage to reduce the size of the data. In particular, in the case of public cloud storage, the in-memory data compression engine (125) can reduce the size of data transmitted through a network by reducing the size of the data through compression.

The data distribution and storage unit (130) can provide optimized functions to ensure that writing of received data can always be accessed with minimal overhead.

At this time, the data distribution and storage unit (130) can distribute each object into several pieces for efficient management of data, and distribute and store the distributed pieces in other nodes or data centers to improve reliability.

At this time, the data distribution and storage unit (130) can process optional encryption and compression on the distributed pieces and reflect policy decisions for this.

At this time, the data distribution and storage unit (130) can detect the occurrence of data errors and apply error detection and recovery coding that can correct them, thereby dealing with data and system errors.

The backend storage management unit (140) can provide a storage interface of cloud storage (21) and non-cloud storage (22) for storing the final data generated in the data distribution and storage unit (130) in the final resource.

At this time, the backend storage management unit (140) can provide an automatic or manual storage function by using tiering based on performance, time, and frequency of use according to the policy of the data distribution storage layer.

At this time, the backend storage management unit (140) can provide a function to automatically distribute and store data in various storage layers.

At this time, the backend storage management unit (140) can hierarchize various types of storage based on the characteristics of the provided storage.

At this time, the backend storage management unit (140) can store initially generated data in high-speed storage, move data to lower-level storage when data access frequency decreases, and finally store data in public cloud storage.

At this time, the backend storage management unit (140) can automatically move data between various storage layers depending on the characteristics of the data.

The provisioning and policy management unit (150) can be responsible for management of each layer and user-based policy management. At this time, the provisioning and policy management unit (150) can provide a hierarchical interface for provisioning of a disk requested by a user.

At this time, metadata for managing and accessing the data stored in the backend storage is required. The metadata of the present invention may be generated by the user while using the client device (10), or may be used as client metadata for the interface between the user client device (10) and the integrated cloud management device (20), data management metadata required for data manipulation, and storage management metadata used in the last backend storage.

FIG. 5 is a drawing showing an example of a RAM disk according to one embodiment of the present invention.

Referring to Figure 5, it can be seen that the read cache unit (122) and the write cache unit (123), which are RAM disks of the data manipulation unit (120), are illustrated in detail.

It can be seen that the read cache unit (122) distributes hashes into block data using a data deduplication engine (122a).

It can be seen that the write cache unit (123) uses the data transaction log unit (123a) to manage a log for data recovery in the same node or a node connected to the network in case data stored in the write cache is lost due to a system failure.

Logs can store the location and hash values of data for a detail block, and can be maintained until the data is stored in backend storage.

Synchronization between the write cache and the transaction log can be asynchronous synchronization, where synchronization is performed when the log queue reaches a certain size or at regular intervals, or synchronization can be performed whenever data is generated according to a write request. The detailed blocks located in the write cache can be synchronized to the transaction log node under certain conditions. Over time, when the data related to the detailed blocks is stored in the back-end storage, the detailed blocks of the write cache and the detailed blocks of the transaction log node can be excluded from the management target and deleted.

FIG. 6 is a drawing showing in detail the operation of a data distribution and storage unit and a backend storage management unit according to one embodiment of the present invention.

Referring to FIG. 6, the data distribution and storage unit (130) can perform a task of reducing the size of data by performing a compression function on actual data stored in backend storage through a data compression block (131). In particular, in the case of public cloud storage, the data compression block (131) can reduce the size of data transmitted through a network by reducing the size of data through compression.

The data distribution block (132) can provide a function to distribute and store data across multiple physical devices to prevent data loss.

At this time, the data distribution block (132) can detect the occurrence of data errors and apply error detection and recovery coding that can correct them, thereby dealing with data and system errors.

It can be seen that the backend storage management unit (140) may include HDD, SAS, iSCSI storage, and public cloud storage, and provides an interface function for finally storing data in the backend storage.

At this time, it can be seen that the backend storage management unit (140) provides high availability services for data operation and connected storage by using various types of storage ranging from memory storage for ensuring fast response speed through data distribution policy, parallel input/output (Parallel IO Engine), and multi-path input/output (Multi-Path IO Engine) to cloud storage for large-capacity data operation.

At this time, the backend storage management unit (140) can store data by distributing it to storage within the same node or storage within multiple nodes configured as a cluster, and can prevent data loss due to system errors by controlling the data size and the number of distributed storages.

It can be seen that the backend storage management unit (140) provides a function to automatically distribute and store data in various storage layers. It can be seen that various types of storage are hierarchized based on the characteristics of the provided storage. It can be seen that when data is initially created, it is stored in high-speed storage, and when the data access frequency decreases, it is moved to a lower-layer storage, and finally, it is stored in a public cloud storage. The backend storage management unit (140) automatically performs data movement between various storage layers according to the characteristics of the data.

Figure 7 is a flow chart illustrating an integrated storage management method according to one embodiment of the present invention.

Referring to FIG. 7, in one embodiment of the present invention, an integrated storage management method can first perform data access (S210).

That is, step (S210) can perform data access in conjunction with the integrated storage (20) to provide the service of the integrated storage to the user.

At this time, step (S210) can provide a virtual disk pool to the user to provide a single storage view of the entire storage system.

In one embodiment of the present invention, an integrated storage management method can perform data reading and writing (S220).

That is, step (S220) can provide a read/write cache of data for providing the service of the integrated storage using a RAM disk.

At this time, step (S220) can cache data stored in public cloud storage as a storage device within a cloud integrated storage operation platform, thereby providing access speeds for public cloud storage at the level of on-premise storage.

At this time, step (S220) performs data reading and writing using a RAM disk configured in the form of a single disk including RAM corresponding to the main memory and an SSD (Solid State Drive), and when the RAM-based cache area is completely exhausted, it can be automatically switched to an SSD-based cache area.

In one embodiment of the present invention, an integrated storage management method can perform data distribution and storage (S230).

That is, step (S230) can store the objects of the above data in a distributed manner and encrypt and compress the distributed objects.

At this time, step (S230) can detect the occurrence of data errors and apply error detection and recovery coding that can correct them, thereby dealing with data and system errors.

In one embodiment of the present invention, an integrated storage management method can perform final resource storage of data (S240).

That is, step (S240) can store the final data generated in step (S230) in the final resource.

At this time, step (S240) can provide an automatic or manual storage function by using tiering of data based on performance, time, and frequency of use according to the policy of the data distribution storage layer.

At this time, step (S240) can provide a function to automatically distribute and store data in various storage layers.

At this time, step (S240) can hierarchize various types of storage based on the characteristics of the provided storage.

At this time, step (S240) can store initially generated data in high-speed storage, move data to lower-tier storage when data access frequency decreases, and finally store data in public cloud storage.

At this time, step (S240) can automatically move data between various storage layers according to the characteristics of the data.

FIG. 8 is a diagram showing the relationship between an integrated storage management device and a service provider according to one embodiment of the present invention.

Referring to FIG. 8, an integrated storage management device (100) according to one embodiment of the present invention can register storage services (Data Storage Service A to N) from multiple DSF (Data Storage Federation) service providers (DSF Service Provider for Service A to N).

At this time, the administrator (DSF Service Administrator) can provide multiple registered storage services to the user through the integrated storage management device (100).

At this time, the user (DSF Service Customer of Client user) can receive multiple storage services using the integrated storage management device (100).

At this time, the integrated storage management device (100) can manage the integrated storage (20) on a multi-tenant basis to provide multiple storage services.

FIG. 9 is a flowchart illustrating an integrated storage management method for registering a storage service according to one embodiment of the present invention.

Referring to FIG. 9, the integrated storage management method for registering a storage service according to one embodiment of the present invention first enables the integrated storage management device (100) to perform a provider login (S310).

At this time, step (S310) allows the provider to log in to the integrated storage management device (100) using a pre-registered ID and password to register a storage service.

At this time, step (S310) may generate a new ID and password if the provider's ID and password are not registered for login.

In addition, an integrated storage management method for registering a storage service according to one embodiment of the present invention can register a storage service in storage (S320).

That is, step (S320) can register a storage service by checking cloud storage (21) and non-cloud storage (22) for registering a storage service.

At this time, step (S320) may provide a registration method to the provider through a GUI for registering a storage service.

At this time, step (S320) can receive the storage service name, storage specifications (size, caching, number of tiers, encryption, on-premise storage support, etc.), data storage service protocol, and cloud storage name and type, etc. from the provider through the GUI, and register them in the corresponding storage.

At this time, information entered through the GUI can also be registered through pre-registration when a new provider registers an ID and password.

In addition, the integrated storage management method for registering a storage service according to one embodiment of the present invention can set up storage (S330).

That is, step (S330) can create a virtual storage corresponding to the storage in which the storage service is registered.

At this time, step (S330) can register virtual storage in a virtual disk pool and provide a single storage view for providing storage services to users through the virtual disk pool.

FIG. 10 is a block diagram illustrating an integrated storage management device according to an embodiment of the present invention.

Referring to FIG. 10, it can be seen that an integrated storage management device according to an embodiment of the present invention is configured as a multi-tenant in which a service connection unit (110), a data manipulation unit (120), a data distribution and storage unit (130), and a backend storage management unit (140), which are components or main components of each layer, are configured in a number corresponding to the number of storage services registered from providers (DSF Service Providers A to C).

That is, it can be seen that the integrated storage management device (100) supports a multi-tenant function that performs multiple services simultaneously.

At this time, the provisioning and policy management unit (150) provides an administration GUI to the administrator (Admin) and can provide and manage a multi-tenant-based integrated storage service.

The storage connection unit (110) and data manipulation unit (120) can perform data management steps.

At this time, the storage connector (110) can provide an interface to the user as a single virtual storage for the virtual data storage.

At this time, the storage connector (110) can provide a user access mechanism for using the single virtual storage.

At this time, the user access mechanism may vary depending on the type of the single virtual storage.

At this time, the storage connection (110) can provide the corresponding protocol or I/O interface of a single virtual volume together with a virtual block device, a file system, and object storage.

At this time, the storage connector (110) can provide protocol performance acceleration.

Additionally, the interface provided by the storage connector (110) may correspond to a direct interface (i.e., an object or block storage interface) or a proxy interface that constitutes various types of storage interfaces with software programs.

At this time, the software program may include a RESTful API for interfacing to software agents, daemons, web workers, and integrated storage (20).

At this time, the proxy interface can automatically detect the interface with the software program and connect the integrated storage (20).

At this time, the storage connector (110) can provide a user interface for the user client device (10) to use a single virtual volume.

The user interface may include a graphical user interface, a web application, or a specific client for a user client device (10) to access a particular virtual volume.

At this time, the storage connection unit (110) can provide conversion between the data manipulation unit (120) and the corresponding interface of the integrated storage device (20).

The interface includes API, I/O interface, etc.

At this time, the storage connector (110) can provide a secure access mechanism for using a single virtual volume to the user client device (10).

At this time, the storage connection (110) can register the requirements of the user client device (10).

Requirements of the user client device (10) may include data storage capacity, access mechanism, storage type of a single virtual volume, policies, etc.

At this time, the storage connection unit (110) can provide a smooth connection of the interface with the integrated storage (20) for smooth communication with the integrated storage (20).

At this time, the data manipulation unit (120) can provide the integrated storage (20) as a virtual data storage regardless of the actual storage location of the data.

At this time, the data manipulation unit (120) can convert and store data stored in the single virtual storage through at least one of the conversion processes of division, encryption, and compression.

At this time, the data manipulation unit (120) can provide a single virtual storage view of the integrated storage (20) as a virtual storage pool.

At this time, the data manipulation unit (120) can provide a write buffer or read cache function to the user client device (10).

At this time, the data manipulation unit (120) can improve the read and write response time by using memory, SSD, or PCIe (peripheral component interconnect express) flash card, etc.

At this time, the data manipulation unit (120) can compensate for the slow access speed compared to on-premise by using read and write cache.

Read and write caches can improve the performance of storage and devices that store data, and can be used in a variety of devices for high-speed cache operations.

Various devices for high-speed cache operations can correspond to main memory, RAM-based disks, and SSDs.

For high-speed access, the cache hierarchy can be extended to the main memory. In addition, the main memory can be used in an approach used in SSDs because of capacity limitations. That is, when the RAM-based cache area is exhausted, it can be automatically converted to the SSD area cache. When the user client device (10) performs a write operation, the write operation can be performed in the memory area for a fast write response.

At this time, the data manipulation unit (120) can provide data management for snapshots, fast replication, and distributed transaction logs.

At this time, the data manipulation unit (120) can provide execution of create, read, update, and delete (CRUD) data operations of the user client device (10).

CRUD data operations can include creating, reading, updating, and deleting data.

At this time, the data manipulation unit (120) can provide a search data operation from the data of the user client device (10) using a query to the global registry.

At this time, the data manipulation unit (120) can provide shared data operation by checking the sharing status of the DSF data and then updating the sharing status of the data in the global registry.

Data sharing may mean that the same data is shared during data manipulation.

The data sharing status may correspond to information about whether data is shared.

At this time, the data manipulation unit (120) can save data storage capacity by using data deduplication.

At this time, the data manipulation unit (120) can provide data encryption/decryption to transmit data to the integrated storage (20).

At this time, the data manipulation unit (120) can provide data recovery of the user client device (10) from a system failure.

Data recovery can prevent data loss due to errors caused by storage and network connection errors by restoring data from the most recently used user client device (10).

At this time, the data manipulation unit (120) can provide data migration to the available integrated storage (20) for storage space resilience and cost efficiency.

Data migration for resilience and cost efficiency of data storage can be performed automatically without user intervention or awareness.

At this time, the data manipulation unit (120) can provide data validation for data manipulation to check data integrity.

At this time, the data manipulation unit (120) can support data consistency of the user client device (10) for the replicated data.

Data consistency may mean that the data manipulation unit (120) correctly backs up current data to recover storage error data of the user client device (10).

At this time, the data manipulation unit (120) can support data transparency of the user client device (10).

Data transparency may mean accessing data without knowing the location of the user client device (10).

At this time, the data manipulation unit (120) can provide a backup of the global name space for high availability.

Backups of the global namespace are synchronized with the actual data, and backups of the global namespace can perform high availability functions through clustering of multiple nodes (virtual machines or physical servers).

At this time, the data manipulation unit (120) can add a single virtual volume according to the customer's needs, such as block-based storage, file-based storage, or other cloud storage.

The data distribution and storage unit (130) can perform a data distribution step.

At this time, the data distribution and storage unit (130) can distribute data for storage in integrated storage (20) including on-premise storage and cloud storage.

At this time, the data distribution and storage unit (130) can provide optimization to ensure minimal overhead while writing data to the integrated storage (20).

At this time, the data distribution and storage unit (130) can provide data fragmentation for distributing and storing data in the integrated storage (20).

Data fragmentation is the practice of distributing and storing user data across different repositories, nodes, or data centers to manage data efficiently and improve reliability.

At this time, the data distribution and storage unit (130) can provide encryption, decryption, and compression/decompression of data.

At this time, encryption and compression can be considered according to the user's needs.

Additionally, the data distribution and storage unit (130) can support its own files and file contents as data.

The content type of a file can correspond to any of structured, semi-structured, and unstructured.

At this time, the support of the data distribution and storage unit (130) can support aggregating data distributed in the local storage of multiple integrated storage (20) providers into a corresponding API.

At this time, the data distribution and storage unit (130) can manage the data of the client device (10) with a focus on the resilience and cost efficiency of the storage space.

For example, data migration for resiliency and cost efficiency of data storage can be done automatically without user intervention or awareness.

At this time, the user client device (10) can receive the integrated cloud storage service with the same performance without knowing whether the data is stored in on-premise storage (22) or cloud storage (21).

At this time, the data distribution and storage unit (130) can verify the service provider at this time to integrate the data of the user client device (10).

The backend storage management unit (140) can perform storage management steps.

At this time, the backend storage management unit (140) can connect the integrated storage (20) to store the distributed data and provide storage tiering information of the data to be stored.

At this time, the storage tiering information may vary depending on the performance of the storage, the usage time of the data, and the access cycle of the data.

At this time, the backend storage management unit (140) can provide storage tiering that tiers data according to the performance of the storage, the usage time of the data, and the access cycle of the data.

Storage tiering can correspond to the task of distributing data across multiple storage tiers in a hierarchical manner.

At this time, the backend storage management unit (140) can automatically move data between various storage layers depending on the characteristics of the data.

Data can be stored on high-speed storage when it is first created. If the data is accessed less frequently, the data can be moved to lower-speed storage.

At this time, the backend storage management unit (140) can simultaneously access providers of multiple data storages to aggregate distributed data.

At this time, the backend storage management unit (140) can support a function of delegating access rights to the integrated storage (20) to the user client device (10).

The provisioning and policy management unit (150) can provide configuration and control of logical components.

At this time, the provisioning and policy management unit (150) can provide policy management for data storage and data manipulation.

Data storage policies may include backups, snapshots, expansion, recovery, data caching, thin provisioning, tiering, storage type (file, block, object, etc.).

At this time, the data storage policy can be set by default and can be reconfigured according to the user's request. In addition, the data storage policy can also depend on the policy of the integrated storage (20).

A reconfigured policy is a policy reconfigured by the provisioning and policy management unit (150) when the integrated storage (20) does not support its own policy.

Data manipulation policies may include sharing support, read/write, replication, data migration, fragmentation, encryption, compression, deduplication, etc.

At this time, the data manipulation policy can select non-shared and shared modes including read-only, write, replication option, and write option.

At this time, the provisioning and policy management unit (150) can provide a single virtual volume to the virtual storage pool.

At this time, the provisioning and policy management unit (150) can support a security policy for data transmission (e.g., data encryption) to ensure data confidentiality of the user client device (10).

At this time, the provisioning and policy management unit (150) can prevent data loss due to errors in the storage structure based on distributed storage and provide data recovery when a system error occurs.

Additionally, the provisioning policy management unit (150) can share data operation metadata with the storage connection unit (110), data manipulation unit (120), data distribution and storage unit (130), and backend storage management unit (140).

Data Operations Metadata is the description required to perform data operations. Data Operations Metadata may include properties of virtual storage pools and single virtual volumes. Data Operations Metadata may include transaction logs and DSF data properties such as read/write caching, snapshots, replication, and fragmentation.

The backend storage management unit (140) can share storage management metadata with the cloud storage (21) and non-cloud storage (22) of the integrated storage (20).

Storage management metadata is a description required to perform storage area operations. Storage management metadata may include the location of the integrated storage (20), interface, API for customer data operations, read/write speed, storage capacity, etc.

Customer metadata can be created by customers to configure their environment.

FIG. 11 is a block diagram illustrating a multi-tenant-based integrated storage management device using a backend connection daemon according to one embodiment of the present invention.

Referring to FIG. 11, a multi-tenant-based integrated storage management device using a backend connection daemon according to one embodiment of the present invention includes a plurality of storage connection units (110), a data manipulation unit (120), a data distribution and storage unit (130), and a backend storage management unit (140), and one provisioning and policy management unit (150), each individually configured for storage services provided by service providers (31, 32, 33).

The storage connection unit (110) can be linked with the integrated storage (20) to provide the user with the storage service of the integrated storage (20).

At this time, the integrated storage (20) may include at least one cloud storage (21) and a non-cloud storage (22).

The data manipulation unit (120) can create a virtual disk pool of the integrated storage (20) to provide a single storage view through at least one virtual disk.

The data distribution and storage unit (130) can provide data distribution and encryption functions so that writing of received data can always be accessed with minimal overhead.

The backend storage management unit (140) can interface with the integrated storage (20) using a software-type connection daemon.

At this time, the backend storage management unit (140) may include a backend connection daemon configured to interface with various types of storage and the necessary interface (object or block storage interface) and provide a proxy interface for easily registering multiple storages.

At this time, the backend storage management unit (140) can detect the storage area interface of the first daemon connected to the cloud storage (21) and the second daemon connected to the non-cloud storage (22) through the proxy interface to register the cloud service.

The backend storage proxy can automatically detect the storage area interface and register the service by storing the backend connection daemon that stores the object storage daemon interface or block storage interface driver.

The backend connection daemon can be run through a virtual machine or container excluding a block device to connect the integrated storage (20), and through this, object storage can be connected.

At this time, the backend storage management unit (140) can output the storage on which the interface is performed as a registerable storage of the storage service.

At this time, the backend storage management unit (140) can manage information for users to access the system or provide a secure path for access in order to register the storage service.

At this time, the backend storage management unit (140) can create a backend connection daemon one by one whenever connecting one storage, and connect it to a proxy server. The proxy server (not shown) can store and manage the user's data through a driver interface connected to the upper virtual disk pool (Vpool) through the data manipulation unit (120).

Through this, the integrated storage management device (100) can create one virtual disk (vdisk) when a registered service provider connects, and the created virtual disk can be managed within a virtual disk pool. At this time, the user can receive multiple storage services from the storage where the storage service is registered through each virtual disk pool.

In the backend storage management unit (140), the storage configuration may be configured differently from the on-premise and public cloud storage services. The interface for the backend storage may be provided in the form of a separate software daemon. In the case of multiple cloud storage devices, DSF local storage management may be configured, and a proxy interface may be configured to interface, and an interface may be provided for registering and using on-premise storage.

The provisioning and policy management unit (150) can register storage services from multiple service providers and manage the provision of the storage services on a multi-tenant basis.

At this time, the provisioning and policy management unit (150) allows the administrator to register cloud storage (21) and non-cloud storage (22) for providing storage services in the integrated storage management device (100) through the management GUI and configure new services.

At this time, the provisioning and policy management unit (150) can create a cloud account when a service provider subscribes to the service, registers, uploads and creates a file, and the uploaded file can be stored in cloud storage (21) or non-cloud storage (22) at the discretion of the administrator.

At this time, the provisioning and policy management unit (150) can also provide the function of displaying, creating, modifying and deleting contents of cloud services registered in the cloud storage (21) and non-cloud storage (22) integrated in the integrated storage (20) through the management GUI.

The configuration of the storage may be provided separately from the non-cloud storage (22) and the service of cloud storage (21) may be provided separately along with the basic configuration.

At this time, the provisioning and policy management unit (150) can independently configure the functions of the logical components as servers, virtual systems or containers with a connection network in the form of modules or functions with each individual function.

At this time, the provisioning and policy management unit (150) can register the storage service in any one of the storages included in the integrated storage (20) corresponding to the service registration information received from the service provider.

At this time, the provisioning and policy management unit (150) can provide the storage service by setting up virtual storage in the storage where the storage service is registered.

At this time, the provisioning and policy management unit (150) can manage the storage service by using the first path (Data Path) through which data moves and the second path (Control Path) that controls the data in order to prevent a decrease in the input/output performance of the storage service.

At this time, the management functions that manage the first and second paths can provide the ability to display, create, modify, and delete content from on-premises and public cloud services integrated into a single storage.

In Figure 11, each logical component can be composed of one server or multiple servers, and each logical component can be networked through servers, virtual machines, or containers.

A DSF service provider corresponding to an integrated storage management device (100) according to one embodiment of the present invention may provide different interfaces for a data path and a management path to prevent performance degradation of a storage service.

DSF service providers can independently configure and control all logical concurrency and its interfaces for their own configuration.

Self-configuration refers to automatic configuration of logical components, and DSF service providers can manage the configuration of each component embedded in a server, virtual machine, or container as a connected network.

DSF service provider can manage backend storage interfaces to allow integrated storage to participate in DSF service. To participate in integrated storage, backend storage management can provide interfaces (e.g., object or block storage interfaces) and proxies. Interfaces that configure different types of storage interfaces. Backend storage proxies can automatically detect storage interfaces as backend connection daemons and register services.

A DSF service provider may support a secure cloud storage interface for DSF service customers.

FIG. 12 is a flowchart illustrating a multi-tenant-based integrated storage management method for providing storage services according to one embodiment of the present invention.

Referring to FIG. 12, a multi-tenant-based integrated storage management method according to one embodiment of the present invention can first perform data access (S410).

That is, step (S410) can access data in order to provide a storage service of the integrated storage (20) to the user by linking with the integrated storage (20).

At this time, the integrated storage (20) may include at least one cloud storage (21) and a non-cloud storage (22).

A multi-tenant-based integrated storage management method according to one embodiment of the present invention can provide a single storage view (S420).

That is, step (S420) can create a virtual disk pool of the integrated storage (20) to provide a single storage view through at least one virtual disk.

At this time, step (S420) can provide data distribution and encryption functions so that writing of received data can always be accessed with minimal overhead.

In addition, a multi-tenant-based integrated storage management method according to one embodiment of the present invention can perform an interface (S430).

That is, step (S430) can perform an interface with the integrated storage (20) using a connection daemon in the form of software.

At this time, step (S430) may include a backend connection daemon configured to interface with various types of storage and a required interface (object or block storage interface) and provide a proxy interface for easy registration of multiple storages.

At this time, step (S430) can register a cloud service by detecting the storage area interface of the first daemon connected to the cloud storage (21) and the second daemon connected to the non-cloud storage (22) through the proxy interface.

The backend storage proxy can automatically detect the storage area interface and register the service by storing the backend connection daemon that stores the object storage daemon interface or block storage interface driver.

The backend connection daemon can be run through a virtual machine or container excluding a block device to connect the integrated storage (20), and through this, object storage can be connected.

At this time, step (S430) can output the storage on which the interface is performed as a registerable storage of the storage service.

At this time, step (S430) allows the user to manage information for access to the system or provide a secure path for access in order to register the storage service.

At this time, step (S430) can create a backend connection daemon one by one whenever connecting one storage, and connect it to a proxy server. The proxy server (not shown) can store and manage the user's data through a driver interface connected to the upper virtual disk pool (Vpool) through the data manipulation unit (120).

Through this, the integrated storage management device (100) can create one virtual disk (vdisk) when a registered service provider connects, and the created virtual disk can be managed within a virtual disk pool. At this time, the user can receive multiple storage services from the storage where the storage service is registered through each virtual disk pool.

In addition, a multi-tenant-based integrated storage management method according to one embodiment of the present invention can provide a storage service (S440).

That is, step (S440) can register storage services from multiple service providers and manage the provision of the storage services on a multi-tenant basis.

At this time, step (S440) allows the administrator to register cloud storage (21) and non-cloud storage (22) for providing storage services in the integrated storage management device (100) through the management GUI and configure a new service.

At this time, step (S440) allows the service provider to create a cloud account by signing up for the service, registering, uploading and creating files, and the uploaded files can be stored in cloud storage (21) or non-cloud storage (22) at the discretion of the administrator.

At this time, step (S440) can also provide a function to display, create, modify and delete contents of cloud services registered in cloud storage (21) and non-cloud storage (22) integrated in the integrated storage (20) through the management GUI.

The configuration of the storage may be provided separately from the non-cloud storage (22) and the service of cloud storage (21) may be provided separately along with the basic configuration.

At this time, step (S440) can independently configure the functions of the logical components as modules or functions with individual functions, as servers, virtual systems or containers with a connection network.

At this time, step (S440) can register the storage service in any one storage included in the integrated storage (20) corresponding to the service registration information received from the service provider.

At this time, step (S440) can provide the storage service by setting up virtual storage in the storage where the storage service is registered.

At this time, step (S440) can manage the storage service by using a first path (Data Path) through which data moves and a second path (Control Path) that controls data in order to prevent a decrease in input/output performance of the storage service.

FIG. 13 is a block diagram showing a computer system according to one embodiment of the present invention.

Referring to FIG. 13, a user client device (10) and an integrated storage management device (100) according to an embodiment of the present invention may be implemented in a computer system (1100) such as a computer-readable recording medium. As illustrated in FIG. 17, the computer system (1100) may include one or more processors (1110), a memory (1130), a user interface input device (1140), a user interface output device (1150), and storage (1160) that communicate with each other via a bus (1120). In addition, the computer system (1100) may further include a network interface (1170) connected to a network (1180). The processor (1110) may be a central processing unit or a semiconductor device that executes processing instructions stored in the memory (1130) or the storage (1160). The memory (1130) and the storage (1160) may be various forms of volatile or nonvolatile storage media. For example, the memory may include ROM (1131) or RAM (1132).

FIG. 14 is a drawing showing an integrated storage system according to one embodiment of the present invention.

Referring to FIG. 14, an integrated storage system according to one embodiment of the present invention may include a user client device (10), an integrated storage management device (100), and an integrated storage (20).

First, the data storage federation (DSF) technology according to one embodiment of the present invention may correspond to a technology that provides a single virtual volume from multiple data sources of heterogeneous storage using storage virtualization.

Data Virtualization can correspond to a technology that abstracts and manages multiple data resources as logical data resources regardless of resource location or data structure.

At this time, various data resources may include files, databases, systems, storage, etc.

At this time, data storage integration may include multiple data resources other than the database.

DSF local storage can exist at the backend of a data storage integration and can correspond to the physical storage device where the data is ultimately stored.

Physical storage devices can include on-premises storage (e.g., memory, SSD, HDD, SAS, iSCSI storage, and NAS) and public cloud storage with complex management devices such as block, object, and file.

A Single Virtual Volume may correspond to an entity that presents a virtual block device, virtual disk, or virtual file to a customer using storage virtualization.

A Customer may include end users, servers, operating systems, applications, and storage devices from other cloud service providers that use single-user volumes.

Storage Virtualization can correspond to a technology that integrates various types of storage into a virtual storage pool and divides the virtual storage pool into a single virtual volume without physical operational limitations.

At this time, storage virtualization may not interfere with data access and may not degrade the performance of storage devices.

A Virtual Storage Pool (VPOOL) can correspond to a logical object that aggregates DSF local storage into a single virtual volume.

The abbreviations described below can be explained as follows:

DSF: Data Storage Federation

API: Application Programming Interface

NAS: Network-Attached Storage

CSC: Cloud Service Customer

CSP: Cloud Service Provider

Data storage policies according to one embodiment of the present invention may include backup, replication, snapshot, auto-extension, data migration, sales recovery, data caching, thin provisioning, auto-tiering, storage life (block, object and file), etc.

At this time, the data storage policy is set by default among the above components and can be reconfigured according to the customer (user) request. It can also vary according to the DSF local storage policy.

The reconstructed policy may be a policy reconstructed by the above component in case the DSF local storage does not support its own policy.

Data manipulation policies can select between non-shared mode and shared mode, including read-only, write and replication options, and fragmentation options.

In addition, the integrated storage device according to one embodiment of the present invention can process customer metadata created by a customer to configure a customer environment, data manipulation metadata required for data manipulation, and storage management metadata used in DSF local storage.

At this time, the integrated storage device according to one embodiment of the present invention can provide a unified user interface for CSP:DSM to use a single virtual volume in CSC:CSU.

The unified user interface may include access mechanisms for various storage types in CSC:CSU for integrating interactions with its own data storage, sharing data, and building a single virtual volume.

Storage types can include object-based storage, file-based storage, and block-based storage.

The access mechanism can represent different types of protocols depending on the type of storage to which a single virtual volume is connected. Protocols can include iSCI, SMB, NFS, SFTP for block device storage, FTP for file-based storage, Restful API for object-based storage, etc.

CSP:FDSP can provide an interface for CSC:CSU to set policies.

CSP:DSM can provide a unified management interface to CSC:CSU to manage single virtual volumes, virtual storage pools, and DSF local storage.

Additionally, the integrated storage device according to one embodiment of the present invention may correspond to data storage integration.

Data storage integration can provide a unified user interface to CSC:CSU to use a single virtual volume.

A unified user interface can integrate interactions with its own data storage, including data sharing, access mechanisms for different storage types for CSC:CSU to access a single virtual volume, etc.

Data storage integration could provide an interface for CSC:CSU to set policies.

Data storage integration allows DSF Service Providers to support parallel access to improve the performance of DSF services.

At this time, the DSF service provider can provide an interface for registering storage provided by the data storage provider.

Performance improvements may relate to data caching and data storage.

Data storage integration allows CSP:DSM to provide a unified management interface to CSC:CSU to manage a single virtual volume (virtual storage pool and DSF local storage).

Features for data storage integration may include storage connectivity interfaces, data integration management, and data storage management.

The function related to the storage connection interface can be performed in the storage connection unit (110) according to one embodiment of the present invention.

The storage connection interface allows DSF service providers to support access mechanisms depending on the storage type.

The storage connection interface allows CSP:FDSP to collect and retrieve service information, including storage type and access mechanism when a single virtual volume is required for CSC:CSU.

For example, the service information may correspond to the service catalog of CSP:FDSP.

The storage connection interface can ensure high-speed access to the global name space for CSP:FDSP to access actual data from DSF local storage.

Global namespace can correspond to a technology that abstracts and integrates heterogeneous file systems across multiple storage devices and cloud storage. Global namespace can reduce the complexity of localized file management, facilitate storage expansion, and transparently migrate data, reducing the number of mount points and share points. Global namespace can be implemented in various ways, but the configuration of CSC:CSU can maintain the same access.

The storage connectivity interface allows CSC:CSU to provide a global namespace for integrating and managing multiple file systems into DSF local storage.

Storage connection interface CSP:DSM can provide separate management and data interfaces to prevent performance degradation of DSF service.

The storage connection interface allows CSP:DSM to independently configure and control all logical components and their interfaces for self-configuration.

At this time, self-configuration means automatic configuration of logical components, and the DSF service provider can manage the configuration of each component built on a server, virtual machine, or container as a connection network.

The storage connection interface allows CSP:DSM to manage DSF local storage connections to participate in the integrated storage in the DSF service.

To participate in unified storage, DSF local storage management can provide interfaces that can configure different types of storage interfaces (e.g., object or block storage interfaces) and proxy interfaces. The DSF local storage proxy can automatically detect storage interfaces and register services as a backend connection daemon.

The storage connection interface allows CSP:FDSP to use the secure storage interface to CSC:CSU and DSF local storage.

The storage connection interface can use the CSP:DSM registration information for CSC:CSU to use a single virtual volume.

Registration information may include the data storage service name, data storage specifications (size, caching, tier count encryption, on-premises storage support, etc.), service protocol, and cloud storage type.

The storage connection interface allows CSP:DSM to configure and provision data storage services to call a single virtual volume from the registration information.

Additionally, the function for data integration management can be performed in the data manipulation unit (120) according to one embodiment of the present invention.

Data integration management allows DSF service providers to support both the files themselves and their contents as data.

The content type of a file can be structured, semi-structured, or unstructured.

Data integration management can support CSP:FDSP to aggregate distributed data into DSF local storage of multiple DSF local storage providers by its API.

Data integration management allows CSP:DSM to manage CSC:CSU's data with a focus on elasticity and cost efficiency of storage space.

For example, data migration for resiliency and cost efficiency of data storage can be done automatically without user intervention or awareness.

Data Integration Management enables CSP:FDSP to validate the integration of data from CSC:CSU.

Additionally, functions related to data storage management can be performed in the data distribution and storage unit (130) and the backend storage management unit (140).

Data storage management allows CSP:FDSP to provide concurrent access to multiple data storage providers to aggregate distributed data.

Data storage management can support CSP:FDSP delegation of DSF local storage access rights to CSC:CSU.

Data storage management can be integrated with DSF local storage to provide a virtual storage pool that can be viewed through a single system view.

Data storage management CSP:FDSP can provide read/write cache to compensate for slower access speeds than on-premises.

Read/write caches can improve the performance of storage, and devices that store data can use a variety of devices for fast cache operations.

For example, various devices for fast cache may include main memory, RAM-based disks, and solid-state drives (SSDs).

For example, the cache hierarchy can be extended to the main memory for high-speed access. In addition, the main memory can utilize the access method used for SSD due to capacity limitations. When the RAM-based cache area is exhausted, it can be automatically converted to the SSD area cache. When the DSF service customer performs a write operation, the write operation can be performed in the memory area for fast write response.

Data storage management allows CSP:FDSP to provide backup of the global namespace for high availability.

Backups of the global namespace are synchronized with the actual data and can perform high availability functions through clustering of multiple nodes (virtual machines or physical servers).

Data storage management CSP:FDSP can support adding a single virtual volume according to the needs of DSF service customers, such as block-based storage, file-based storage, or other cloud storage.

Additionally, functions related to provisioning and policy management can be performed in the provisioning and policy management unit (150).

Provisioning and Policy Management can provide configuration for setting data storage policies for CSC:CSU.

Provisioning and policy management can assist DSF service providers in manipulating data policies for DSF service customers.

For example, a data policy may include non-shared modes and shared modes including read-only, write, replicated, etc.

Provisioning and policy management may include functionality regarding security policies (e.g. data encryption) that support CSP:FDSP for data transmission to ensure data confidentiality of CSC:CSU.

Provisioning and Policy Management CSP:FDSP can prevent data loss due to errors in the storage structure based on distributed storage and provide data recovery in the event of a system failure.

The integrated storage management device (100) can handle various data types such as structured, semi-structured, and unstructured data to not only improve service quality but also create new services.

At this time, the integrated storage management device (100) can efficiently handle and synthesize heterogeneous storage to use various data within the integrated storage (20), and can easily use the data.

At this time, the integrated storage management device (100) can provide a virtual storage pool of a single virtual volume (SINGLE VIRTUAL VOLUME) to the user client device (10).

At this time, the integrated storage management device (100) can execute various requests such as creating, storing, reading, updating, and deleting data on the integrated storage (20).

Data virtualization is a technology that manages multiple data resources without interruption, regardless of resource location or data structure.

Data resources can include files, databases, systems, storage, etc.

The integrated storage (20) may be located at the backend of the integrated storage management device (100) and may correspond to physical storage devices where data is ultimately stored.

Physical storage devices may include on-premise storage (22) (e.g., memory, SSD, HDD, SAS, iSCSI storage, and NAS) and public cloud storage (21) such as blocks, objects, and files.

A single virtual volume may correspond to an object presented to a user client device (10) as a virtual file created using a virtual block device, a virtual disk, or a virtual file.

The user client device (10) may include end users, servers, operating systems, applications, and other storage devices of a cloud service provider using a single virtual volume.

The integrated storage management device (100) can integrate different types of storage into a virtual storage pool using storage virtualization technology and divide the virtual storage pool into a single virtual volume without limitations of physical storage.

These single virtual volumes have no impediments to data access and cause less performance degradation on the storage device.

A virtual storage pool may correspond to a logical object that provides storage of the integrated storage (20) as a single virtual storage view in a single virtual volume.

As illustrated in FIG. 14, a virtual storage pool can be formed by integrated storage (20) (cloud storage (21) and on-premise storage (22)) connected and coordinated with API and I/O interfaces. The integrated storage (20) can support block, file, and object types.

The integrated storage management device (100) can create and provide a single virtual volume storage to a user client device (10).

At this time, the integrated storage management device (100) can create a single virtual volume storage through federation of the integrated storage (20) and provide a single access point to the user client device (10).

At this time, the integrated storage management device (100) can support a single virtual volume storage using policy-based provision and management. The contract/operational terms can help the operator improve operational management, and the user can help simplify the use of a single virtual volume storage.

Users can use the single virtual volume storage to create, store, read, update, and delete user data (e.g., images for gallery, audios for music player, documents for collaboration, application data for service, and etc.) on their single virtual volume storage using their user client devices (10).

When a user client device (10) connects to a single virtual volume storage of a unified storage management device (100), unified request commands can be executed as if the unified storage (20) had a different connection.

User data supported by the integrated storage management device (100) may or may not be distributed for contractual/operational reasons.

The integrated storage management device (100) can compress user data into information such as storage location, data history, content type of the file, etc. to handle user data.

At this time, the integrated storage management device (100) can create data virtualization on the virtual storage pool using data abstraction.

At this time, the integrated storage management device (100) can reduce data copying in the virtual storage pool and provide a data sharing environment in which data is shared without copying or moving the original data, thereby reducing the work of finding data and handling data I/O. The interaction for controlling data can be based on the user's data operation/contract. For example, it can be based on a data operation/contract policy such as reading only in a shared mode or overwriting and replication.

At this time, a single virtual volume can be built by connecting a set of different storages in the unified storage.

FIG. 15 is a diagram illustrating a multi-storage type and access mechanism for data access in an integrated storage system according to one embodiment of the present invention.

Referring to FIG. 15, a user client device (10) can request various service interfaces and storage types from an integrated storage management device (100).

At this time, the integrated storage management device (100) can provide a service interface to the user client device (10) using the corresponding access mechanism.

At this time, the user client device (10) can use its own storage type.

At this time, the user client device (10) can be a general user (individually owning storage), some application (APPLICATION PROGRAM), application server (APPLICATION SERVER), and other cloud system.

At this time, the integrated storage management device (100) can provide various storage types.

Storage types can correspond to object-based storage, file-based storage, and block-based storage.

At this time, the integrated storage management device (100) can support an access mechanism based on the storage type.

Access mechanisms may include different types of protocols depending on the storage type.

Examples of protocols might correspond to protocols using iSCSI for block device storage, SMB, NFS, SFTP, FTP for file-based storage, and Restful API for object-based storage.

An example of service information may correspond to a service catalog for an integrated storage device (10).

FIG. 16 is a diagram illustrating a data read/write cache and a parallel distributed file for another performance improvement according to one embodiment of the present invention.

Referring to FIG. 16, CSP:FDSP can provide a cache function for data stored in public cloud storage. Since data is transmitted over the Internet, data stored in public cloud storage can be slower than on-premise storage. In addition, since data is automatically distributed to public cloud storage without CSC:CSU being aware of it, data stored in public cloud storage can have a high-speed access function. CSP:FDSP can cache data stored in public cloud storage in a storage device within a cloud integrated storage operating platform to provide on-premise storage-level access speed to public cloud storage.

CSC:CSU requests a single virtual volume from CSP:FDSP, which may contain its own data storage.

CSP:FDSP can provide a storage system, appliance, or device to integrate other storage.

DSF service providers may offer read/write caches to compensate for slower access speeds than on-premises.

A read/write cache may correspond to software for improving the performance of storage, and the device storing data for the cache function may be implemented using various devices for fast cache operation.

For example, various devices for fast cache operations can correspond to main memory, RAM-based disks, and SSDs.

For high-speed access, the cache hierarchy can be extended to the main memory. In addition, the main memory can use the method used for SSD due to capacity limitations. When the RAM-based cache area is exhausted, it can be automatically converted to the SSD area cache. When the DSF service customer performs a write operation, the write operation can be performed in the memory area for fast write response.

DSF service providers can provide high-speed access to the global namespace for real-world data access using a variety of devices.

A global namespace can abstract and unify heterogeneous file systems across multiple storage devices and cloud storage.

A global namespace can significantly reduce the complexity of localized file management, facilitate storage expansion, and transparently migrate data, reducing the number of mount points and share points. A global namespace can be implemented in several ways, but clients can maintain the same access.

DSF service providers can provide backup of the global namespace for high availability. Backup of the global namespace is performed through real-time backup, and backup of the global namespace can perform high availability function through clustering of multiple nodes (virtual machines or physical sensors).

DSF service providers may support security policies for data transmission (e.g. data encryption) to ensure the confidentiality of users' data.

DSF service providers can support aggregating distributed data across heterogeneous data storage from multiple data storage providers.

A DSF service provider can provide concurrent access to multiple data storage providers to aggregate distributed data.

DSF service providers can support delegation of access rights for DSF service customers to heterogeneous storage.

FIG. 17 is a diagram illustrating a use case of an integrated storage management system according to one embodiment of the present invention.

Referring to FIG. 17, it can be seen that a use case for a unified storage management device (100), which is a single storage system connected to a unified storage (20) including various storage types, is illustrated. As illustrated in FIG. 17, regardless of the type of storage system, the user client device (10) can be regarded as a unified user view, a unified storage, and the user client device (10) may not care about the storage it uses. Accordingly, the unified storage management function by the unified storage management device (10) can display multiple storage systems of the storage as a single system to the user client device (10). Furthermore, the unified storage management device (100) can provide a unified management interface.

At this time, the user client device (10) can request data storage from the integrated storage management device (100) and possess the requested data storage.

At this time, the integrated storage management device (100) may provide a storage system, appliance, or device for integrating other storages.

At this time, the integrated storage management device (100) can support various data storage such as block-based storage, file-based storage, or other cloud storage according to the needs of the user client device (10).

At this time, the integrated storage management device (100) can provide a unified user interface to the user client device (10) for data storage access for various types of service mechanisms.

At this time, the integrated storage management device (100) can prevent data loss due to errors from a storage structure based on distributed storage and provide a data restoration function caused by a system error.

At this time, the integrated storage management device (100) can provide a global name space.

At this time, the integrated storage management device (100) can provide a unified management interface to the user client device (10) to manage data storage.

At this time, the integrated storage management device (100) can integrate data storage by providing a user interface for policies and other options.

At this time, the integrated storage management device (100) can integrate and verify the data of the user client device (10).

For example, CSC:CSU may correspond to unified storage, and CSC:CSU may include various storage. Therefore, the unified storage system or appliance may view multiple storage systems of the storage as a single system. A unified management interface may be provided as a function related to management.

CSC:CSU may request data storage from DSF service providers or may have its own data storage.

CSP:FDSP can integrate storage systems, appliances, or other devices with other storage.

DSF service providers can provide data storage presented in a single system view through integration with on-premises storage, cloud storage, and other storage.

The DSF service provider may correspond to an integrated storage management device (100) according to one embodiment of the present invention.

DSF service providers can manage DSF service customer data with a focus on resiliency and cost efficiency of storage space.

For example, data migration for resilience and cost efficiency of data storage space can be performed automatically without user intervention or awareness. Users can use data storage services with the same performance without knowing whether the data is stored in on-premise storage or cloud storage.

DSF service providers can support various data storage such as block-based storage, file-based storage, or other cloud storage depending on the needs of DSF service customers.

A DSF service provider may provide a unified user interface to allow DSF service customers to access data storage for different types of service mechanisms.

DSF service providers can prevent data loss due to errors in storage structures and provide data recovery in the event of system failures based on distributed storage.

A DSF service provider can provide a global namespace for integrating and managing multiple file systems.

A DSF service provider may provide a unified management interface to DSF service customers to manage data storage.

A DSF service provider can provide a user interface for policies and other options for data storage federation.

DSF service providers can validate the data of DSF service customers to federate them.

FIG. 18 is a flowchart illustrating a registration process of data storage for an integrated storage service according to an embodiment of the present invention.

Referring to Figure 18, after logging in (LOGIN), CSC:CSU can request registration of data storage cloud storage to CSP:FDSP (REGISTERING FOR CLOUD STRAGE).

For data storage registration, CSC:CSU can log in using already registered credentials and register cloud storage and on-premise storage to be used (REGISTERING FOR ON-PREMISE STORAGE).

The registration process can be provided by CSP:DSM via GUI.

CSC:CSU can register service name, storage specification, data storage service protocol, cloud storage name and cloud storage type through GUI, set virtual data storage (SETTING SIGLE VIRTUAL VOLUME), and create virtual data storage (INVCOKING SINGLE VIRTUAL VOLUME).

CSC:CSU for virtual data storage can correspond to a user registered in CSP:DSM.

CSP:DSM may have each cloud storage service interface.

DSF service providers may provide registration information for DSF service customers to use virtual data storage.

Registration information may include the data storage service name, data storage specifications (size, caching, tier count, encryption, on-premises storage support, etc.), service protocol, and cloud storage type.

DSF service providers can invoke virtual data storage by configuring and provisioning data storage services from the registration information.

FIG. 19 is a block diagram showing a sensitive data processing device according to one embodiment of the present invention.

Referring to FIG. 19, a sensitive data processing device (2100) according to one embodiment of the present invention includes a data non-protection area processing unit (2110) and a data protection area processing unit (2120), and can read sensitive data from a cloud integrated storage device (2200) and process the sensitive data according to a request from a client device (2010).

The cloud integrated storage device (2200) may store encrypted sensitive data.

The data non-protection area processing unit (2110) can read encrypted sensitive data from a cloud integrated storage device (2200) and transmit the encrypted sensitive data to the data protection area processing unit (2120) using a sensitive data storage endpoint.

The data protection area processing unit (2120) can perform decryption on the encrypted sensitive data received and wait for a data service command request from the data non-protection area processing unit (2110).

At this time, the data non-protection area processing unit (2110) may receive a data service command from a client device (10) connected to the network, and then request a data service command to the data protection area processing unit (2120) using the sensitive data service endpoint.

At this time, the data protection area processing unit (2120) can perform data processing based on the sensitive data decrypted above according to the received data service command, and then transmit the processing result of the sensitive data to the data non-protection area processing unit (2110).

At this time, the data non-protection area processing unit (2110) can transmit the processing result of sensitive data to the client device (10).

FIG. 20 is a block diagram showing in detail an example of a cloud integrated storage device and a data non-protection area processing unit shown in FIG. 19. FIG. 21 is a block diagram showing in detail an example of a data non-protection area processing unit and a data protection area processing unit shown in FIG. 19.

Referring to FIG. 20, a cloud integrated storage device (2200) according to one embodiment of the present invention may include an encryption unit (2210), a key storage unit (2220), an on-premise storage (2230), and a cloud storage (2240).

The encryption unit (2210) performs encryption on sensitive data, and the key used for encryption can be stored in the key storage unit (2220).

The key used for encryption can be encrypted with a master key and stored in a key storage unit to prevent leakage.

At this time, the encryption unit (2210) can store encrypted sensitive data in on-premise storage (2230) and cloud storage (2240).

In addition, the data non-protection area processing unit (2110) of the sensitive data processing device (2100) according to one embodiment of the present invention may include a sensitive data transmission unit (2111), a key transmission unit (2112), a sensitive data service call unit (2113), and a client service API unit (2114).

In addition, the data protection area processing unit (2120) of the sensitive data processing device (2100) according to one embodiment of the present invention may include a sensitive data service gateway unit (2121), a sensitive data storage unit (2122), a key storage unit (2123), a sensitive data decryption unit (2124), and a sensitive data processing unit (2125).

At this time, the sensitive data service gateway unit (2121) may include a sensitive data storage endpoint (3211), a key storage endpoint (3212), and a sensitive data service endpoint (3213).

The sensitive data service gateway unit (2121) can provide data processing services for sensitive data.

At this time, the sensitive data service gateway unit (2121) can provide the processing result of sensitive data in the data protection area to the data non-protection area.

The sensitive data storage endpoint (3211) can receive encrypted sensitive data transmitted from the non-protected data area.

The key storage endpoint (3212) can receive a decryption key for decrypting encrypted sensitive data from the non-protected data area.

At this time, the sensitive data service gateway unit (2121) may further include an endpoint that receives a call to initiate transmission of sensitive data and an endpoint that receives a call to terminate transmission of the sensitive data from the data non-protected area.

The sensitive data transmission unit (2111) can read encrypted sensitive data stored in a cloud integrated storage device (2200) and transmit the encrypted sensitive data using the sensitive data storage endpoint (3211) of the data protection area processing unit (2120).

The sensitive data storage unit (2122) can store encrypted data received by the sensitive data storage endpoint (3211) in memory within the data protection area.

The key transfer unit (2113) can receive a decryption key from the key storage unit (2220) of the cloud integrated storage device and store the decryption key in the tag-key storage unit (2123a) of the key storage unit (2123) through the key storage endpoint (3212) of the data protection area processing unit (2120). The tag-key storage unit (2123a) can store a tag for encrypted sensitive data and a corresponding decryption key.

The sensitive data decryption unit (2124) can extract a decryption key from the tag-key storage unit (2123a) and decrypt encrypted sensitive data using the decryption key.

At this time, the client device (2010) can request a sensitive data service by calling the client service API part (2111) of the sensitive data processing device (2100) through the network to receive the data service.

The sensitive data service call unit (2112) can request a data service command to the data protection area using the sensitive data service endpoint (3213).

The sensitive data service gateway unit (2121) can perform a data processing service by calling the sensitive data processing unit (2125) called by the sensitive data service call unit (2112).

The sensitive data processing unit (2125) can process decrypted sensitive data according to a data service request and store the processing result of the generated sensitive data as processing result data. Since the decrypted sensitive data is safely protected within the data protection area, leakage to the outside can be prevented at the source. The processing result data is transferred to the non-data protection area through the sensitive data service gateway unit (2121), and then the processing result of the sensitive data can be transferred to the client device (2010).

The data non-protection area of the data non-protection area processing unit (2110) is an area where there is a possibility of data leakage, and sensitive data within the data non-protection area may be encrypted to prevent leakage.

At this time, the non-protected data area does not directly process sensitive data, and can transfer the sensitive data and the key to decrypt it to the protected data area.

Additionally, the data non-protection area processing unit (2110) can receive a sensitive data service command from a client device (2010) and request the sensitive data service command to the data protection area.

The data protection area of the data protection area processing unit (2120) can prevent data leakage at the source. The data protection area may not provide all input/output functions, including storage input/output, network input/output, and user input/output, provided by a general operating system.

Additionally, the data protection area can block access to memory within the data protection area from outside the data protection area based on the hardware function or virtualization function of the CPU.

At this time, the data protection area is only accessible through the sensitive data service endpoint, and since the sensitive data service endpoint only provides predefined services, all other accesses can be blocked.

Therefore, data inside the data protection area can never be accessed from the outside, so data leakage can be prevented at the source.

At this time, the data protection area includes at least one endpoint for processing sensitive data, and can process the sensitive data using an endpoint called from the data non-protection area.

At this time, the data protection area may include an endpoint that receives a call for starting the transmission of the sensitive data from the data non-protection area, an endpoint that receives the decryption key, an endpoint that receives the sensitive data to the data protection area, and an endpoint that receives a call for ending the transmission of the sensitive data.

At this time, the endpoint included in the data protection area can check the tag preset for the service acquisition of the sensitive data and process the sensitive data using information corresponding to the tag.

Figure 22 is a block diagram showing in detail an example of the sensitive data service gateway unit illustrated in Figure 21.

Referring to FIG. 22, the sensitive data service gateway unit (2121) may further include a sensitive data processing execution unit (3214), a service parameter copy unit (2126), a processing result copy unit (2127), a data non-protection memory area processing unit (128), and a data protection memory area processing unit (2129).

The sensitive data service call unit (2112), key transfer unit (2113), and sensitive data transfer unit (2114) of the data non-protection area processing unit (2110) can store the service acquisition of sensitive data required for the service request as a service acquisition in the data non-protection memory area processing unit (2128).

The service acquisition copier (2126) can copy the sensitive data to the data protection memory area processing unit (2129) as a service acquisition.

The data protection area processing unit (2120) can store the result of internal processing as processing result data in the data protection memory area processing unit (2129), and can copy it as processing result data of the data non-protection memory area processing unit (2128) through the processing result copy unit (2127).

At this time, the data protection area processing unit (2120) stores the service acquisition of the sensitive data in the data non-protection memory area processing unit (2128) through the sensitive data service gateway unit (2121), copies the service acquisition of the sensitive data stored in the data non-protection memory area processing unit (2128) and stores it in the data protection memory area processing unit (2129), and processes the sensitive data using the service acquisition of the sensitive data stored in the data protection memory area processing unit (2129).

At this time, the data protection area processing unit (2120) stores the processing result of the sensitive data in the data protection memory area processing unit (2129) through the sensitive data service gateway unit (2121), copies the processing result of the sensitive data stored in the data protection memory area processing unit (2129) to the data non-protection memory area processing unit (2128) and stores it, and transmits the processing result of the sensitive data stored in the data non-protection memory area processing unit (2128) to the data non-protection area processing unit (2110).

The sensitive data processing execution unit (3214) can call a plurality of units (sensitive data processing units 1 to N (2125), sensitive data decryption unit (2124), key storage unit (2123), sensitive data storage unit (2122)) within the data protection area processing unit (2120) corresponding to a plurality of endpoints called from the data non-protection area processing unit (2110).

Referring to FIG. 13, a sensitive data processing device (2100) according to an embodiment of the present invention may be implemented in a computer system (1100) such as a computer-readable recording medium. As illustrated in FIG. 13, the computer system (1100) may include one or more processors (1110), a memory (1130), a user interface input device (1140), a user interface output device (1150), and storage (1160) that communicate with each other via a bus (1120). In addition, the computer system (1100) may further include a network interface (1170) connected to a network (1180). The processor (1110) may be a central processing unit or a semiconductor device that executes processing instructions stored in the memory (1130) or the storage (1160). The memory (1130) and the storage (1160) may be various forms of volatile or nonvolatile storage media. For example, the memory may include ROM (1131) or RAM (1132).

At this time, a sensitive data processing device (100) according to an embodiment of the present invention includes one or more processors (1110) and an execution memory (1130) storing at least one program executed by the one or more processors (1110), and the at least one program reads sensitive data stored in a storage device (2200) in a data non-protected area, transfers the sensitive data to a data protected area using a sensitive data storage endpoint of a data protected area, and, when a sensitive data service command requested by a client device (2010) is received from the data non-protected area in the data protected area, processes the sensitive data using at least one endpoint, and transfers a processing result of the sensitive data to the client device (2010) in the data non-protected area.

At this time, the data protection area may have input/output functions provided by the operating system blocked, and memory access from outside the data protection area may be blocked based on hardware functions and virtualization functions.

At this time, the at least one program may receive a decryption key for decrypting the encrypted sensitive data from the storage device (200) in the data non-protection area, and transmit the decryption key to the data protection area using the key storage endpoint of the data protection area.

At this time, the at least one program can decrypt the sensitive data using the decryption key in the data protection area, and process the decrypted sensitive data by a sensitive data service command from the client device received from the data non-protection area using the sensitive data service endpoint.

At this time, the at least one program can store the processing result of the sensitive data in the data protection area through the sensitive data service gateway, and transmit the processing result of the sensitive data to the data non-protection area.

At this time, the at least one program can store, in the data protection area, a service acquisition of the sensitive data in a non-protected data memory area through the sensitive data service gateway, copy and store the service acquisition of the sensitive data stored in the non-protected data memory area in a data protection memory area, and process the sensitive data using the service acquisition of the sensitive data stored in the data protection memory area.

At this time, the at least one program can store the processing result of the sensitive data in the data protection area through the sensitive data service gateway, copy the processing result of the sensitive data stored in the data protection memory area to the data non-protection memory area and store it, and transfer the processing result of the sensitive data stored in the data non-protection memory area to the data non-protection area.

At this time, the data protection area includes at least one endpoint for processing the sensitive data, and can process the sensitive data using an endpoint called from the data non-protection area.

At this time, the data protection area may include an endpoint that receives a call for starting the transmission of the sensitive data from the data non-protection area, an endpoint that receives the decryption key, an endpoint that receives the sensitive data to the data protection area, and an endpoint that receives a call for ending the transmission of the sensitive data.

At this time, the at least one program can check a tag preset for service acquisition of the sensitive data by an endpoint included in the data protection area, and process the sensitive data using information corresponding to the tag.

Figure 23 is a flow chart showing a sensitive data processing method according to one embodiment of the present invention.

Referring to FIG. 23, a sensitive data processing method according to an embodiment of the present invention first allows a client device (2010) to request a sensitive data service using a client service API of a sensitive data processing device (2100) (S2310).

Additionally, step (S2310) can read sensitive data stored in a storage device from a non-data protection area and transfer the sensitive data to a data protection area using a sensitive data storage endpoint.

At this time, step (S2310) may receive a decryption key for decrypting the encrypted sensitive data from the storage device in the data non-protection area, and transmit the decryption key to the data protection area using the key storage endpoint of the data protection area.

In addition, in a sensitive data processing method according to an embodiment of the present invention, a data non-protection area processing unit (2110) of a sensitive data processing device (2100) can call a sensitive data service command to a data protection area processing unit (2120) using a sensitive data service endpoint (S2320).

In addition, in a sensitive data processing method according to one embodiment of the present invention, a data protection area processing unit (2120) of a sensitive data processing device (2100) can store the sensitive data processing and derived results in processing result data, and transmit the processing result of the sensitive data to a data non-protection area processing unit (2110) (S2330).

That is, when step (S2330) receives a sensitive data service command requested by a client device (2010) from a data non-protection area processing unit (2110), the sensitive data can be processed using at least one endpoint.

At this time, step (S2330) can decrypt the sensitive data using the decryption key in the data protection area, and process the decrypted sensitive data by a sensitive data service command from the client device (2010) received from the data non-protection area using the sensitive data service endpoint.

At this time, step (S2330) can store the processing result of the sensitive data through the sensitive data service gateway in the data protection area and transmit the processing result of the sensitive data to the data non-protection area processing unit (2110).

At this time, step (S2330) stores the service acquisition of the sensitive data in the data protection area through the sensitive data service gateway in a data non-protection memory area, copies the service acquisition of the sensitive data stored in the data non-protection memory area and stores it in a data protection memory area, and processes the sensitive data using the service acquisition of the sensitive data stored in the data protection memory area.

At this time, step (S2330) can store the processing result of the sensitive data in the data protection area through the sensitive data service gateway, copy and store the processing result of the sensitive data stored in the data protection memory area in the data non-protection memory area, and transfer the processing result of the sensitive data stored in the data non-protection memory area to the data non-protection area.

In addition, a sensitive data processing method according to one embodiment of the present invention can have a data non-protection area processing unit (2110) transmit the processing result of sensitive data to a client device (2010) (S2340).

In addition, a sensitive data processing method according to one embodiment of the present invention allows a client device (2010) to receive a processing result of sensitive data for a sensitive data service request from a sensitive data processing device (2100) (S2350).

Figure 24 is a flow chart showing a sensitive data processing method in a data non-protection area processing unit and a data protection area processing unit according to one embodiment of the present invention.

Referring to FIG. 24, a sensitive data processing method according to an embodiment of the present invention can first read encrypted sensitive data from a cloud storage device (2200) in a data non-protection area processing unit (2110) (S2410).

In addition, a sensitive data processing method according to one embodiment of the present invention can divide encrypted sensitive data into N segments (S2420).

In addition, a sensitive data processing method according to an embodiment of the present invention can notify the data protection area processing unit (2120) of the start of transmission of encrypted data by calling the put_data_start endpoint (S2430).

At this time, the tag of service argument 1 is a tag that distinguishes encrypted sensitive data, and service argument 2 can indicate the total size of the encrypted data.

In addition, a sensitive data processing method according to one embodiment of the present invention can prepare to store encrypted sensitive data by having the data protection area processing unit (2120) allocate memory of the size specified in the endpoint to the data protection area (S4300).

In addition, in a sensitive data processing method according to one embodiment of the present invention, a data non-protection area processing unit (2110) can use a put_key endpoint to inform a data protection area processing unit (2120) of a decryption key for decrypting encrypted sensitive data (S2440).

At this time, the tag for service argument 1 is a tag that distinguishes encrypted sensitive data, and the tag for service argument 2 is a key for decrypting the encrypted sensitive data.

In addition, a sensitive data processing method according to one embodiment of the present invention can store a decryption key and a tag together in a tag-key storage unit (2123a) of a key storage unit (2123) by a data protection area processing unit (2120) (S4400).

In addition, in a sensitive data processing method according to one embodiment of the present invention, a data non-protection area processing unit (2110) can divide encrypted sensitive data into segments using a put_data endpoint and transmit each segment to a data protection area processing unit (2120) (S450).

At this time, the tag of service argument 1 is a tag that distinguishes encrypted sensitive data, the data of service argument 2 is an encrypted data segment to be transmitted, the size of service argument 3 is the size of the data to be transmitted, and the segment number of service argument 4 is the number of the segment currently to be transmitted.

At this time, the put_data endpoint transmits data in segment units, so it can be repeatedly performed until the entire encrypted data is transmitted (S2460).

In addition, in a sensitive data processing method according to one embodiment of the present invention, the non-protected area processing unit (110) can use the put_data_end endpoint to inform the data protection area processing unit (2120) that transmission of data corresponding to a tag has been completed (S2470).

At this time, the service acquisition tag 1 is a tag that distinguishes encrypted data.

In addition, a sensitive data processing method according to one embodiment of the present invention can decrypt encrypted sensitive data received by a data protection area processing unit (2120) in response to a call to a put_data_end endpoint using a key stored in a tag-key storage unit (2123a) (S4700).

In addition, the sensitive data processing method according to one embodiment of the present invention can wait for a sensitive data service request from a client device (2010) after step (S4700) (S4800).

Figure 25 is a flow chart showing a sensitive data processing method in a sensitive data service gateway unit according to one embodiment of the present invention.

Referring to FIG. 25, a method for processing sensitive data in a sensitive data service gateway according to one embodiment of the present invention can first receive service acquisition data (S2510).

At this time, step (S2510) can store the service acquisition of sensitive data required for the service request as a service acquisition in the data non-protected memory area processing unit (2128).

A method for processing sensitive data in a sensitive data service gateway unit according to one embodiment of the present invention can call endpoints within the sensitive data service gateway unit (2121) (S2520).

In addition, in a method for processing sensitive data in a sensitive data service gateway unit according to one embodiment of the present invention, a service acquisition copier (2126) can copy the corresponding sensitive data to a data protection memory area processing unit (2129) as a service acquisition (S2530).

In addition, the sensitive data processing method in the sensitive data service gateway unit according to one embodiment of the present invention can call processing units within the data protection area processing unit (S2540).

That is, step (S2540) can call a plurality of units (sensitive data processing units 1 to N (2125), sensitive data decryption unit (2124), key storage unit (2123), sensitive data storage unit (2122)) within the data protection area processing unit (2120) corresponding to the plurality of called endpoints.

In addition, the sensitive data processing method in the sensitive data service gateway unit according to one embodiment of the present invention can complete data processing and store the processing result in processing result data (S2550).

That is, step (S2550) can store the processing result of processed sensitive data as processing result data in the data protection memory area processing unit (2129).

In addition, the sensitive data processing method in the sensitive data service gateway unit according to one embodiment of the present invention can copy the processing result data (S2560).

That is, step (S2560) can copy the processing result data of the non-protected memory area processing unit (2128) through the processing result copy unit (2127).

At this time, in steps (S2510) to (S2550), the service acquisition of the sensitive data is stored in the data non-protection memory area processing unit (2128) through the sensitive data service gateway unit (2121), the service acquisition of the sensitive data stored in the data non-protection memory area processing unit (2128) is copied and stored in the data protection memory area processing unit (2129), and the sensitive data can be processed using the service acquisition of the sensitive data stored in the data protection memory area processing unit (2129).

At this time, in steps (S2550) to (S2570), the processing result of the sensitive data is stored in the data protection memory area processing unit (2129) through the sensitive data service gateway unit (2121), the processing result of the sensitive data stored in the data protection memory area processing unit (2129) is copied and stored in the data non-protection memory area processing unit (2128), and the processing result of the sensitive data stored in the data non-protection memory area processing unit (2128) can be transferred to the data non-protection area processing unit (2110).

FIGS. 26 and 27 are block diagrams illustrating in detail an integrated storage management function according to one embodiment of the present invention.

Referring to FIGS. 26 and 27, the global registration storage (GLOBAL REGISTRY) can send and receive a DATA OPERATION WRITE BUFFER OR READ CACHE and DATA OPERATION METADATA.

PROVISION OF SINGLE VIRTUAL AND VIRTUAL STORAGE POOL can send and receive storage operations and metadata (STORAGE OPERATION & METADATA) with VIRTUAL STORAGE POOL MANAGEMENT.

The POLICY MANAGEMENT OF DATA STORAGE AND DATA MANIPULATION section can send and receive a DATA OPERATION WRITE BUFFER OR READ CACHE and a POLICY FOR DATA MANIPULATION.

The POLICY MANAGEMENT OF DATA STORAGE AND DATA MANIPULATION section can send and receive the ENHANCEMENT OF DATA MANIPULATION section and the POLICY FOR ENHANCEMENT section.

The POLICY MANAGEMENT OF DATA STORAGE AND DATA MANIPULATION section can send and receive the STORAGE STRUCTURE section and the POLICY FOR STORAGE OF TIER.

In addition, DSF functional requirements according to one embodiment of the present invention can be explained as follows.

CSP:DMP can provide data recovery of CSC:CSU from system failures.

CSP:DMP can provide elasticity and cost efficiency of storage space by providing DSF data migration to available DSF local storage.

CSP:DMP can provide validation of DSF data for data manipulation to ensure data integrity.

CSP:DMP can provide data consistency of CSC:CSU for replicated DSF data.

CSP:DMP can support data transparency of CSC:CSU.

CSP:SFP can provide single virtual volume optimization for the purpose of CSC:CSU.

CSP:SFP can provide global registry backup for high availability.

In addition, the data manipulation unit (120) according to one embodiment of the present invention can provide an enhanced management function for data manipulation.

ENHANCED MANAGEMENT can replicate fragments for distribution to DSF local storage.

These replicas, using the same data, are distributed to DSF local storage and can be shared with other servers in other locations for high availability.

Enhanced management features can keep data up-to-date between replicas and original data.

Enhanced management capabilities can determine replication distribution based on DSF local storage information.

For example, slow storage in the information in DSF local storage can be easily excluded from DSF local storage for replication distribution.

Enhanced management capabilities include the ability to back up DSF local storage by creating snapshots.

For example, a snapshot can represent data information at a specific point in time to provide a quick copy of the data. Several types of snapshot technologies can be used, such as copy-on-write snapshots, clones, split mirror snapshots, and write-on-write snapshots.

Enhanced management capabilities include the ability to restore DSF local storage to the latest snapshot.

For example, enhanced management features use snapshots to provide quick and easy access to data for backup and recovery.

Enhanced management capabilities can migrate DSF local storage when it is full or has failed.

For example, migration can move data from existing storage to new storage and access the new storage instead of the existing storage when the existing storage is underperforming or has insufficient capacity and can be excluded from the DSF local storage at the request of the CSC.

Enhanced management capabilities include the ability to back up the DSF global registry for high availability.

For example, a global registry backup can fail over to a secondary DSF global registry by providing a single virtual volume and virtual storage pool.

Enhanced management features can provide error correction capabilities to prevent data loss.

For example, error correction capabilities may correspond to techniques for preventing data loss during data transmission, such as Cyclic Redundancy Codes (CRCs), checksums, cryptographic hash functions, or forward error correction.

Enhanced governance capabilities can maintain up-to-date data locations in a global registry for data transparency.

Data transparency can correspond to the ability to access and act on data regardless of its location and whether reported data is accurate and comes from official sources.

Enhanced management features can help prevent data leaks while handling sensitive data to protect your data.

Sensitive data can include financial information, health information, personally identifiable data, etc.

At this time, sensitive data can be processed by the sensitive data processing device (2100) described above.

The sensitive data processing device (2100) can add a data protection area and process data in the data protection area to block all I/O interfaces to prevent external intrusion.

The data protection area may correspond to a HW or SW structure that uses a security gateway or API to copy sensitive data to a protected area, decrypt encrypted sensitive data, process service operations of the CSC, and return results.

Enhanced management capabilities can enforce enhanced policies.

Hardening policies may include replication, backup, snapshots, migration, error correction, data protection, etc.

In addition, the data fragmentation function for DSF distribution according to one embodiment of the present invention can provide the following functions.

CSP:SFP can provide performance information of DSF local storage in storage management metadata.

CSP:SFP can provide virtual storage pool optimization considering the performance of DSF local storage.

The data fragmentation feature for distribution can receive information about DSF local storage and fragmentation size from virtual storage pool management.

Examples of DSF local storage information may include credentials, access mechanisms, endpoints, storage performance, and storage capacity.

The data fragmentation feature for distribution can set a maximum fragment size.

The data fragmentation feature for distribution can collect data from the CSC from the write buffer when the data fills the buffer.

The maximum fragment size can be determined by the I/O bandwidth of the storage, the storage capacity, the cache usage, etc. If the fragment size is large, it may be copied in bulk to the DSF local storage, and if the fragment size is small, it may be difficult to fit it into the cache size.

The data fragmentation feature for distribution can verify fragment size in virtual storage pool management.

The data fragmentation feature for distribution can receive data from the CSC in the write buffer for storage in the DSF local storage.

The data fragmentation feature for distribution can transfer the data of the requested CSC from the DSF local storage to the cache when a cache miss occurs.

The data fragmentation feature for distribution can verify and enforce fragmentation policies.

Examples of fragmentation policies may include fragment size, number of fragments, number of parity bits, number of fragments per storage, etc.

As described above, the sensitive data processing device and method according to one embodiment of the present invention are not limited to the configuration and method of the embodiments described above, but the embodiments may be configured by selectively combining all or part of the embodiments so that various modifications can be made.

10: User client devices 20: Unified storage
21: Cloud storage 22: Non-cloud storage
100: Unified storage management device 110: Storage connection
111: Virtual Block Device Service Engine
112: File System Service Engine
113: Object Storage Service Engine
120: Data Manipulation Section 121: In-Memory Namespace Block
122: Read cache 122a: Data deduplication engine
123: Write cache 123a: Data transaction log
124: In-memory deduplication engine
125: In-memory data compression engine
130: Data Distribution and Storage 131: Data Completion Block
132: Data distribution block
140: Backend storage management 150: Provisioning and policy management
1100: Computer System 1110: Processor
1120: Bus 1130: Memory
1131: Rom 1132: Ram
1140: User Interface Input Device
1150: User interface output device
1160: Storage 1170: Network Interface
1180: Network
2010: Client Device 2100: Sensitive Data Processing Device
2110: Data Non-Protected Area Processing Unit
2111: Sensitive Data Transfer Unit 2112: Key Transfer Unit
2113: Sensitive Data Service Call Part 2114: Client Service API Part
2120: Data Protection Area Processing Unit
2121: Sensitive Data Services Gateway
3211: Sensitive Data Storage Endpoint
3212: Key Vault Endpoint 3213: Sensitive Data Service Endpoint
3214: Sensitive Data Processing Execution Unit
2122: Sensitive data storage 2123: Key storage
2123a: Tag-key storage unit 2124: Sensitive data decryption unit
2125: Sensitive Data Processing Unit 2126: Service Acquisition Copy Unit
2127: Copy processing results
2128: Data unprotected memory area processing unit
2129: Data Protection Memory Area Processing Unit
2200: Cloud Integrated Storage Device
2210: Encryption Unit 2220: Key Storage Unit
2230: On-Premises Stories 2240: Cloud Storage

Claims (20)

one or more processors; and
An execution memory storing at least one program executed by said one or more processors;
Including,
At least one of the above programs
In the non-protected data area, the sensitive data stored in the storage device is read, and the sensitive data is transferred to the protected data area using the sensitive data storage endpoint of the protected data area.
In the above data protection area, when a sensitive data service command requested by a client device is received from the above data non-protection area, the sensitive data is processed using at least one endpoint,
In the above data non-protected area, the result of processing the sensitive data is transmitted to the client device,
At least one of the above programs
A sensitive data processing device characterized in that, in the data non-protected area, a decryption key for decrypting the encrypted sensitive data is received from the storage device, and the decryption key is transmitted to the data protected area using the key storage endpoint of the data protected area. In claim 1,
The above data protection area is
A sensitive data processing device characterized in that input/output functions provided by an operating system are blocked, and memory access from outside the data protection area is blocked based on hardware functions and virtualization functions. delete In claim 1,
At least one of the above programs
A sensitive data processing device characterized in that, in the data protection area, the sensitive data is decrypted using the decryption key, and the decrypted sensitive data is processed by a sensitive data service command from the client device received from the data non-protection area using the sensitive data service endpoint. In claim 4,
At least one of the above programs
A sensitive data processing device characterized in that, in the above data protection area, the processing result of the sensitive data is stored through a sensitive data service gateway, and the processing result of the sensitive data is transmitted to the data non-protection area. In claim 5,
At least one of the above programs
A sensitive data processing device characterized in that, in the data protection area, the service acquisition of the sensitive data is stored in a non-protected data memory area through the sensitive data service gateway, the service acquisition of the sensitive data stored in the non-protected data memory area is copied and stored in a data protection memory area, and the sensitive data is processed using the service acquisition of the sensitive data stored in the data protection memory area. In claim 6,
At least one of the above programs
A sensitive data processing device characterized in that, in the data protection area, the processing result of the sensitive data is stored in the data protection memory area through the sensitive data service gateway, the processing result of the sensitive data stored in the data protection memory area is copied and stored in the data non-protection memory area, and the processing result of the sensitive data stored in the data non-protection memory area is transferred to the data non-protection area. In claim 5,
The above data protection area is
A sensitive data processing device comprising at least one endpoint for processing the sensitive data, characterized in that the sensitive data is processed using an endpoint called from the data non-protected area. In claim 8,
The above data protection area is
A sensitive data processing device, characterized in that it includes an endpoint that receives a call to start transmission of the sensitive data from the data non-protected area, an endpoint that receives the decryption key, an endpoint that receives the sensitive data transmitted to the data protected area, and an endpoint that receives a call to end transmission of the sensitive data. In claim 9,
At least one of the above programs
A sensitive data processing device characterized in that an endpoint included in the data protection area checks a tag preset for service acquisition of the sensitive data and processes the sensitive data using information corresponding to the tag. In a sensitive data processing method of a sensitive data processing device,
In a data non-protected area, a step of reading sensitive data stored in a storage device and transferring the sensitive data to a data protected area using a sensitive data storage endpoint;
In the data protection area, a step of processing the sensitive data using at least one endpoint when receiving a sensitive data service command requested by a client device from the data non-protection area; and
In the above data non-protected area, a step of transmitting the processing result of the sensitive data to the client device;
Including,
The step of transmitting the above sensitive data is
A method for processing sensitive data, characterized in that, in the data non-protected area, a decryption key for decrypting the encrypted sensitive data is received from the storage device, and the decryption key is transmitted to the data protected area using the key storage endpoint of the data protected area. In claim 11,
The above data protection area is
A method for processing sensitive data, characterized in that input/output functions provided by an operating system are blocked, and memory access from outside the data protection area is blocked based on hardware functions and virtualization functions. delete In claim 11,
The steps for processing the above sensitive data are:
A sensitive data processing method characterized in that, in the data protection area, the sensitive data is decrypted using the decryption key, and the decrypted sensitive data is processed by a sensitive data service command from the client device received from the data non-protection area using the sensitive data service endpoint. In claim 14,
The step of transmitting the results of processing the above sensitive data is
A sensitive data processing method characterized in that, in the above data protection area, the processing result of the sensitive data is stored through a sensitive data service gateway, and the processing result of the sensitive data is transmitted to the data non-protection area. In claim 15,
The steps for processing the above sensitive data are:
A method for processing sensitive data, characterized in that in the data protection area, the service acquisition of the sensitive data is stored in a non-protected data memory area through the sensitive data service gateway, the service acquisition of the sensitive data stored in the non-protected data memory area is copied and stored in a data protection memory area, and the sensitive data is processed using the service acquisition of the sensitive data stored in the data protection memory area. In claim 16,
The step of transmitting the results of processing the above sensitive data is
A sensitive data processing method characterized in that, in the data protection area, the processing result of the sensitive data is stored in the data protection memory area through the sensitive data service gateway, the processing result of the sensitive data stored in the data protection memory area is copied and stored in the data non-protection memory area, and the processing result of the sensitive data stored in the data non-protection memory area is transferred to the data non-protection area. In claim 15,
The above data protection area is
A method for processing sensitive data, comprising at least one endpoint for processing the sensitive data, characterized in that the sensitive data is processed using an endpoint called from the data non-protected area. In claim 18,
The above data protection area is
A sensitive data processing method, characterized in that it includes an endpoint for storing the sensitive data, an endpoint for storing the key, an endpoint for receiving a call to start transmitting the sensitive data from the non-protected data area, and an endpoint for receiving a call to end transmitting the sensitive data from the non-protected data area. In claim 19,
The endpoints included in the above data protection area are:
A sensitive data processing method characterized by checking a tag preset for service acquisition of the above sensitive data and processing the sensitive data using information corresponding to the tag.

Images