JP2008269611A - Method, computer program and system for determining assignment of tape drive for safe data erasing process - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a method and a computer program for determining assignment of a tape drive for a safe data erasing process. <P>SOLUTION: The assignment of the additional tape drive is determined to improve performance in the safe data erasing, through evaluation of a physical volume amount to erase a data safely, the maximum threshold value, an average time up to a erasing dead line, and the minimum expiration date threshold value, and the data erasing is thereby secured safely and timely. The additional tape drive is allocated for a safe data erasing process, when the assignment of the additional tap drive is determined to improve performance in the safe data erasing. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an automated data storage system and, more particularly, to a method for selectively performing secure data erase (SDE).

  A virtual tape system is a tape management system, such as a special storage device or group of storage devices and software, where some of the data is actually located in a relatively fast hard disk storage device. Even in such a case, it is for managing the data so that such data is completely stored on the tape cartridge. Programming for a virtual tape system is sometimes referred to as a virtual tape server (VTS). When a virtual tape system is used in conjunction with a hierarchical storage manager (HSM) system, it can be moved to a relatively slow and inexpensive storage medium when the data passes through and drops into various usage thresholds. it can. The virtual tape system can also be used as part of a storage area network (SAN), in which case it is used more frequently by a single virtual tape server for many networked computers. Or, data that is not archived can be managed.

  In conventional virtual tape systems such as "IBM Magstar Virtual Tape Server", at least one virtual tape server (VTS) is coupled to a tape library consisting of a number of tape drives and tape cartridges. The VTS is also coupled to a direct access storage device (DASD) consisting of a number of interconnected hard disk drives.

  DASD functions as a tape volume cache (TVC) for VTS. When using VTS, the host application writes tape data to the virtual drive. Volumes written by the host system are physically stored in a tape volume cache (eg, a RAID disk buffer) and are called virtual volumes. The storage management software in the VTS copies the virtual volume in the TVC to a physical cartridge owned by the VTS. Once the virtual volume is copied or transferred from the TVC to the tape, the virtual volume is called a logical volume. When virtual volumes are copied from a TVC to a Magstar cartridge (tape), they occupy only space written by the host application because they are copied end to end on the cartridge. This configuration makes maximum use of the storage capacity of the cartridge.

  The storage management software manages the location of the logical volume on the physical cartridge, but the customer does not have control over the location of the data. When a logical volume is copied from a physical cartridge to a TVC, this process is called a recall and the volume becomes a virtual volume again. The host cannot distinguish between physical volumes and virtual volumes, nor can it distinguish between physical drives and virtual drives. Thus, the host treats the virtual volume and virtual drive as actual cartridges and drives, and all host interaction with the tape data in the VTS is through the virtual volume and virtual tape drive.

  One problem with VTS is the management of data in the tape. A VTS may have many copies of data, invalid copies of data, potential copies, or useless copies. After a virtual tape volume is created or modified (one or more records are written to the volume) and closed, the virtual tape volume is copied onto a physical tape (logical) volume. When the virtual volume is closed, the image of the virtual volume copied to the physical volume is a complete version of the virtual volume at the time when the virtual volume is closed. If the virtual volume is closed and one virtual volume is subsequently opened and modified, the image of the virtual volume is also copied onto the physical tape. However, the virtual volume does not overwrite the previous version of the volume. This is because the virtual volume may have a different size than previous versions. Thus, at any point in time, several versions of the same volume serial number may exist on one or more physical tape volumes.

  Further, each physical volume in the VTS includes one or more logical volumes and is arranged in a group called “pool”. Each physical volume managed by the VTS is assigned to one of 32 pools, for example. Each pool of physical volumes is assigned a name and may have one or more associated parameters. For example, typical parameters associated with a pool include, but are not limited to, media type (eg, physical volume with 10 gigabyte or 20 gigabyte tape) and rules for managing volumes in the pool. Absent. One rule includes the concept of “reclamation” whereby the VTS monitors how much of the associated data is still valid in a particular physical volume. That is, if the data is no longer used or needed by the host, i.e. expired, the data space occupied by one logical volume needs to be reclaimed from one physical volume over time. Therefore, if any volume in the pool falls below the reuse percentage threshold, a valid logical volume is taken from the physical volume and the logical volume is moved to another by executing the reuse process. Placement on a physical volume (potentially combining multiple partially full physical volumes and filling the other full) will be done.

  If one virtual volume is removed from a physical volume and placed on another physical volume, the data on the first physical volume will be deleted but not overwritten, so recovering that data Can do. In addition, data related to the latest version of a virtual volume may have been expired, i.e., potentially or unusable by the customer, but the virtual volume still exists on the physical tape volume. May be accessible.

  Recently, companies have become more dependent on their ability to store, organize, manage and distribute data. Therefore, the process of managing business data from conception to disposal in an “information life cycle management”, that is, in a manner that optimizes storage, access and cost characteristics, has become increasingly important. In particular, how sensitive data is “deleting” or disposing of data as it begins to play a more critical role in business transactions and is becoming more stringent to maintain customer privacy. The importance of the problem has increased.

  To protect sensitive or important data (eg credit card information, social security numbers) and maintain customer privacy, secure data erasure for that particular data so that it cannot be recovered It is advantageous to perform Secure data erasure is defined as making data permanently unreadable by any reasonable means. Prior art methods of prioritizing data to be safely erased are performed on a first-in, first-out basis, and the first secure data erase is performed on the first physical volume added to the secure data erase queue. Guarantee to do. For example, in the prior art method, the process of determining which physical volume is the next data to be safely erased starts at pool 1 and through all pools to the last pool (eg, pool 32). Until then, it looped through each pool of physical volumes. Therefore, it evaluates and lists all the physical volumes in pool 1 that are to be securely erased, and then evaluates and lists all physical volumes in pool 2 that are to be securely erased. By continuing the same processing until reaching the pool (for example, the pool 32), a list or queue of physical volumes to be securely erased is created. As a result, all physical volumes in all pools that require secure data erasure are evaluated and listed on the queue. Next, a secure data erasure process is initiated. That is, the prior art process using first-in first-out priority starts secure data erasure of each physical volume in the order listed in the queue. Therefore, the VTS performs the first secure data erasure on the physical volume in the pool 1, then the secure data erasure on the physical volume in the pool 2, and so on until reaching the last pool (for example, the pool 32). Continue processing.

  If the VTS can manage all physical volumes to be securely erased within the remaining time until the secure data erase deadline (hereinafter referred to as “SDE deadline” or “erase deadline”), or If there is no physical volume backlog to be securely erased, the above prior art process is sufficient. In practice, the VTS can be overloaded. For example, while performing safe data erasure on one physical volume in the pool 23, one physical volume in the pool 32 may pass through its SDE deadline. Therefore, the physical volume with the shortest remaining time for that SDE deadline may be overlooked or postponed. This means that expired physical volumes that may hold important data (eg, credit card information, social security numbers) may be at risk of being accessed and held.

Therefore, it would be advantageous to have a VTS that gives priority for secure data erasure to the physical volume closest to the SDE deadline. Accordingly, there is a need for a method and system that ensures that after a certain time interval (grace period), an older or expired version of a virtual volume cannot be accessed through any reasonable means.
US Patent Application No. 11/737739 (filed April 19, 2007)

  The question of how to “delete” or dispose of data as sensitive data has begun to play a more significant role in business transactions and is becoming more stringent to maintain customer privacy The importance of has increased. In order to protect sensitive or sensitive data (eg credit card information, social security numbers) and maintain customer privacy, certain data may be sent to any reasonable reason after a certain time interval (grace period). It is advantageous to perform a secure data erase on the particular data so that it cannot be recovered through the means.

  Accordingly, one aspect of the present invention is to allocate an additional tape drive for a secure data erasure process if it is determined that the allocation of the additional tape drive will improve the performance of the secure data erasure, A method and computer program for ensuring timely and secure data erasure are provided. Determining whether the allocation of additional tape drives improves the performance of secure data erasure depends on the amount of physical volume that should be securely erased, the maximum queued threshold, and the erase dead This is done by evaluating the average time to line and the minimum expiration threshold.

  Specifically, the evaluation compares the amount of physical volumes to be securely erased with the maximum queue threshold, and the amount of physical volumes to be securely erased is the maximum queue threshold. In response to being greater than a value, calculating the average time to the erase deadline. Further, the evaluation compares the average time to the erase deadline with the minimum expiration threshold and is responsive to the average time to the erase deadline being less than the minimum expiration threshold. Allocating additional tape drives to the secure data erasure process. Improved secure data erase performance includes performing secure data erase before the SDE deadline.

  The amount of physical volume to be securely erased is determined by the physical volume erase count. This count is determined by incrementing the count for each physical volume that has a remaining time less than the time threshold. The remaining time is calculated by the difference between the erase deadline of the physical volume and the current date of the physical volume.

  The secure data erasure can be accomplished by overwriting the physical volume data one or more times using a data pattern that includes one of logical 1, logical zero, or a combination thereof. .

  Depending on the amount of physical volume to be securely erased, other evaluations of the maximum queue threshold and the minimum queue threshold, one or more existing tape drives (the secure data erase Tape drives that are allocated to the process) can be reallocated. That is, one or more additional tape drives previously allocated can be removed, one or more additional tape drives can be added, or these tape drives can be returned to a minimum requirement.

  Finally, the optimal number for the secure data erasure process by evaluating the amount of physical volume to be securely erased, maximum queue threshold, average time to erase deadline and minimum expiration threshold The tape drive can be determined. In response to this evaluation, the optimal number of tape drives is allocated for a secure data erasure process.

  In the following, an example of the present invention will be described in detail, but this example should not be construed as limiting the invention. Rather, any variation is intended to be included within the scope of this invention as defined in the claims.

  The present invention contemplates a method for ensuring timely secure data erasure by giving priority for safe data erasure to the physical volume closest to the SDE deadline. In addition, if it is determined that the current allocation will not meet the requirements for safe data erasure, timely secure data erasure by allocating more tape drives to assist with the safe data erasure process Guarantee. Finally, in other embodiments, a process is provided for reverting to the minimum allocation of the tape drive if it is determined that the minimum allocation of the tape drive will meet the requirement for secure data erasure. .

  Although the tape management system is referred to herein as a virtual tape system (VTS), the VTS is just one example of a tape management system. As will be apparent to those skilled in the art, the present invention can be applied to any tape management system, such as a tape library or virtual tape software.

  FIG. 1 shows a block diagram of an exemplary virtual storage system 100 that provides a suitable environment for practicing the present invention. The virtual storage system 100 includes a virtual tape server 101, a tape library 112, and a library manager 130. The host system 102 is linked to the virtual tape server 101 via a network connection (eg, TCP / IP, LAN, Ethernet, IBM Enterprise System Connection (ESCON) (not shown)). . The host system 102 is a computer such as a personal computer, workstation or mainframe that is linked to the virtual tape server 101 via the ESCON channel. The virtual tape server 101 is a computer that includes a personal computer, workstation or mainframe and is associated with a direct access storage device (DASD) cache 106. Preferably, DASD cache 106 includes one or more logical volumes. In an embodiment, DASD cache 106 includes a plurality of hard disks organized as a RAID array.

  The tape library 112 includes a plurality of tape drives 110A to 110N. Such a tape drive can be an IBM TS1100, Jaguar 3592 tape drive or any other tape drive known in the art. Generally, each tape drive is loaded with a removable storage volume (eg, tape cartridges 116A-116N). An access mechanism (e.g., a robot) 114 that services the tape drives 110A-110N sends the selected tape cartridges 116A-116N to their corresponding tape drives 110A-110N and their corresponding in the tape cartridge repository. Transfer between positions.

  Note that in FIG. 1, the variable identifier “N” is used to simply represent a series of related elements (eg, tape drives 110A-110N and tape cartridges 116A-116N). The use of such a variable identifier does not imply a correlation between the sizes of such a series of elements, but rather means that such a series of elements has the same number of elements as other series of elements having the same variable identifier. Not a thing.

  In general, the tape library 112 includes storage management software that is used to monitor the active space on the tape cartridges and schedule tape cartridge reuse when the system is less active. In an embodiment, the tape library 112 is a tape library system such as an “IBM Virtualization Engine” TS 7740 and an “IBM Magstar” 3494 tape library. The library manager 130 is used in the virtual storage system 100 to perform installation, maintenance, configuration and operation of the tape library 112. Within automated library 112, access mechanism 114 can be controlled utilizing library manager 130 based on input received from storage management server 108 or automated storage management administrator 128.

  The DASD cache 106, including the tape volume cache, provides a cache for data stored in the tape library 112. The DASD cache 106 maintains the logical volume as a logical volume file, and the logical volume file is linked to a physical volume file in a tape cartridge that is loaded into a tape drive in the tape library 112. When one logical volume file in the DASD cache 106 is moved to one tape drive in the tape library 112, the logical volume file is on one tape cartridge in the real tape drive. Written to one physical volume file. When a physical volume file is recalled for a tape drive and moved to the DASD cache 106, the physical volume file becomes a logical volume file in the DASD cache 106. Thus, the DASD cache 106 provides the host system 102 with a window of all physical volume files in the tape library 112.

  The virtual tape system includes a plurality of virtual tape daemons 118A-118N for representing and emulating a virtual tape device to host system 102. In contrast, the operating system of the host system 102 manages the presentation of such a virtual tape device to a system user (not shown). The host system 102 considers such a virtual tape device as an actual drive and is requested by the host system 102 if the host system 102 attempts to access one logical volume in the selected virtual tape device. Each virtual tape daemon associated with the virtual tape device will process the host access request.

  Data transfer from the host 102 to the DASD cache 106 in the illustrated virtual tape system can be controlled by a VTS code through a process such as a hierarchical storage manager (HSM) client 122. For example, the HSM client 122 in the virtual storage system 100 receives and processes access requests from the virtual tape daemons 118A-118N. The HSM client 122 then processes the request from the host system 102 to access the logical volume file on the DASD cache 106. In an embodiment, data transfer from the host 102 to the DASD cache 106 is controlled directly by file system managers (FSMs) 120A-120N that process DASD read and write commands.

  Similarly, the interface between the DASD cache 106 and the tape drive 110 can be controlled by the storage management server 108. For example, if the HSM client 122 attempts to mount a logical volume file that does not exist in the DASD cache 106, the HSM client 122 will communicate the access request to the storage management server 108. If the tape in the access request is already mounted in one tape drive of the tape library 112, the storage management server 108 changes the tape from the mounted tape to the requested logical volume file. You will access the corresponding physical volume. However, if the requested file is not actually mounted in one tape drive, the storage management server 108 mounts a tape holding a physical volume corresponding to the requested logical volume file. As such, it will initiate a request to the library manager 130.

  Examples of storage management processing modules that can be used as storage management server 108 and HSM client 122 are the “Tivoli Storage Manager (TSM)” application and the “IBM ADSTAR Distributed Storage Manager (ASDM)” product provided by IBM. It is. The storage management server 108 includes a command interface 124 and a console output 126.

  In the embodiment, the storage management server 108 causes the entire logical volume file to be transferred from the DASD cache 106 to the tape library 112. After the available space in the DASD cache 106 reaches a predefined level or after a predefined time period, the automated storage management administrator 128 sends the logical volume from the DASD cache 106 to the storage management server 108. Instructs the file to be transferred to the tape library 112 and stored there. In general, the automated storage management administrator 128 stores information related to physical volumes in an associated volume status table (not shown). According to an embodiment, the automated storage management administrator 128 provides the functions required to achieve the secure data erasure process of the present invention and further utilizes the storage management server 108 to provide a number of VTS specific management. Perform the function. For example, the automated storage management administrator 128 can include a secure data erasure processing module.

  The requirement to process an older version of a VTS volume to ensure that it cannot be recovered retains virtual volume data that has been invalidated within a certain time interval (grace period) specified by the customer. This is satisfied by overwriting one physical volume. Accordingly, functionality has been introduced to allow data associated with a single virtual or logical volume to be invalidated and implemented by the VTS, and more specifically by the components of the automated storage management administrator 128 of the VTS. The In order to perform secure data erasure of a physical volume and its associated data (ie make it permanently unreadable by any reasonable means), a predefined file or data pattern (eg The operation of overwriting all data of the physical volume at least once can be executed using logical 1, logical zero, or a combination thereof. Techniques for the secure data erasure process can be selected by the user or host (eg, based on the desired level of security) or can be determined automatically. Such overwriting can be performed by one of the tape drives 110A-110N.

  When an expiration time is provided and the expiration date expires, the data on one physical volume becomes invalid, potential or useless. For example, the data becomes invalid, latent, or unused by the reclamation, migration, or modification described above. The expiration date can be a date or a date and time, but once the expiration date expires, the data is no longer valid or useful. Hereinafter, the expiration date may be referred to as the expiration date. The SDE deadline is set for each physical volume of the plurality of physical volumes after a certain time interval (grace period) after the expiration date, and can be set by the customer (for example, the customer's SDE deadline). ). The SDE deadline is the date on which secure data erasure must be performed to avoid holding unwanted data. It is advantageous to perform secure data erasure within a certain time interval (grace period) from the expiration date. This will not only ensure that confidential data and customer information can be maintained for a required period of time, but also that such confidential data and customer information cannot be recovered by any reasonable means after the required period of time. Because it is done. For example, bank records and credit card information are required by law to be retained for a certain time interval (grace period). However, it is advantageous for a company to perform secure data erasure on such information so that it can no longer be recovered even after this required time interval (grace period) has elapsed. Thus, for a given pool, after a certain time interval (grace period), overwriting the expired data on one physical volume ensures that the expired data can no longer be accessed through any reasonable means. It is desirable to do.

  FIG. 2 shows a process of periodically determining the next physical volume to be safely erased among a plurality of physical volumes managed by the VTS. For convenience of explanation, it is assumed that the process is a computer-executed instruction executed by the VTS (daily, every 24 hours, every 12 hours, or other suitable granularity). As shown in FIG. 2, the process begins at step 202, where the VTS selects one physical volume (or next physical volume) to be evaluated for secure data erasure requirements.

  The VTS performs various functions during the process shown in FIGS. 2 and 3, and the applications that perform such functions are the storage management server 108 (for example, the TSM server), the HSM client 122 (for example, the TSM HSM client). Or an automated storage management administrator 128 (eg, a TSM automation administrator).

  In step 204, the VTS determines whether the current date is later than the expiration date of the selected physical volume. An expiration date for a physical volume is the time and / or date when the data held in that physical volume is considered invalid, potential or no longer useful when it expires or expires. Is defined as being.

  If it is determined that the current date is not later than the due date, the process proceeds to step 214 where the VTS determines whether the physical volume currently being evaluated is the last physical volume. If so, the process proceeds to step 216. Otherwise, the process returns to step 202 where the VTS selects the next physical volume to evaluate.

  However, if it is determined that the current date is later than the due date, the process proceeds to step 206 where the VTS determines whether the physical volume is available for secure data erasure. The VTS can make such a determination based on a number of factors. For example, if a physical volume is currently being filled with additional data, or if the physical volume or part of it is currently being read, the physical volume will not be available for secure data erasure. Will.

  If it is determined that the physical volume is not available for secure data erasure, the process proceeds to step 214 where the VTS determines whether the physical volume currently being evaluated is the last physical volume. decide. If so, the process proceeds to step 216. Otherwise, the process returns to step 202 where the VTS selects the next physical volume to evaluate.

  If step 206 determines that the physical volume is available for secure data erasure, the process proceeds to step 208 where the VTS calculates the remaining time. This remaining time can be defined as the time that exists between the current date (eg, today's date and / or time) and the SDE deadline. The remaining time is calculated by the difference between the SDE deadline and the current date. For example, if the SDE deadline is July 26, 2006 and the current date is July 11, 2006, the calculated remaining time will be 15 days. The remaining time can be expressed in days, hours, minutes or seconds as required.

  At step 210, the VTS compares the remaining time with a time threshold. This time threshold is a period that can be defined by the customer. In an embodiment, this time threshold may be a period determined by the customer and sufficiently close to the SDE deadline that ensures safe data erasure of the physical volume. . For example, one customer can define a time threshold of 10 days from the SDE deadline, while another customer can define a time threshold of 5 days from the SDE deadline. it can.

  If the VTS determines that the remaining time is greater than the time threshold, the process proceeds to step 214 where the VTS determines whether the physical volume currently being evaluated is the last physical volume. . If so, the process proceeds to step 216. Otherwise, the process returns to step 202 where the VTS selects the next physical volume to evaluate.

  If it is determined that the remaining time is less than the time threshold, the process proceeds to step 212 where the VTS increments the count. This increment of the count prepares a record relating to the amount of physical volumes (safe data erasing queue, that is, physical volumes placed in the SDE queue) to be safely erased. Such a physical volume has a remaining time that is less than the customer defined time threshold and is actually expired, so it can be used for secure data erasure. A record regarding the amount of physical volume to be securely erased (eg, physical volume erase count) can be used to allocate additional tape drives for the secure data erase process, as described below with respect to other embodiments of the invention Useful for making decisions.

  After step 212, the process proceeds to step 214 where the VTS determines whether the physical volume currently being evaluated is the last physical volume. If so, the process proceeds to step 216. Otherwise, the process returns to step 202 where the VTS selects the next physical volume to evaluate.

  The process of FIG. 2 continues as described above until all physical volumes in all pools have been evaluated. Once all physical volumes in all pools have been evaluated, the process proceeds to step 216 and sorts these physical volumes based on remaining time.

  In step 218, in response to sorting the physical volumes based on remaining time, the VTS (or a processor in the VTS (not shown)) secures the physical volume having the minimum or shortest amount of remaining time to the drive. Send a single command to perform a clear data erase. Here, the shortest amount of remaining time is the calculated remaining time corresponding to the smallest difference between the current date (eg, today's date and / or time) and the SDE deadline. The drive uses a pre-defined file or data pattern (eg, logical 1, logical zero, or a combination thereof) to securely erase data by overwriting all data in the physical volume at least once Execute. Once a secure data erase has been performed, the drive sends a response to the VTS (eg, HSM client via the storage management server) to confirm that the secure data erase has been performed. Instruct. However, if the drive does not send such a response, the physical volume will remain in the SDE queue of the physical volume to be securely erased. If there is another physical volume available for secure data erasure, i.e. the other physical volume has a remaining time that is less than the customer defined time threshold and is actually expired, If available for secure data erasure, the VTS will secure the next physical volume with the minimum or shortest remaining time until all secure data erasures of that other physical volume have been performed. Continue to perform data erasure.

As described above, the automated storage management administrator 128 stores information related to these physical volumes in an associated volume status table (not shown). The volume status table lists each physical volume in the system and holds one or more parameters associated with each physical volume. In an embodiment, the volume status table may hold one or more of the following:
Expiration date for each physical volume Time interval for each physical volume (grace period)
SDE deadline remaining time for each physical volume (calculated in step 208)
The number or amount of secure data erasure operations that are queued in the SDE queue (counted and determined in step 212)
The volume status table can be updated periodically (eg, each time the process of FIG. 2 is started) to maintain current parameters associated with each physical volume. The volume status table can also have additional information useful for a secure data erasure process.

  Each step in FIG. 2 and each step in FIG. 3 may be performed by a module (eg, a software module), a portion of a module, or a computer system. Accordingly, the methods disclosed herein, operations thereof, and modules for performing the methods may be performed on a computer system configured to perform the operations of the method or from a machine-readable medium. it can. The method may be embodied in a machine readable medium for configuring a computer system to do this. A software module can be stored in or transmitted to a memory of the computer system to configure the computer system to perform the functions of the module. Alternatively, such actions can be embodied in the structure of a circuit that implements these functions. Examples of such circuits include complex instruction set computer (CISC) or reduced instruction set computer (RISC) microcode, firmware programmed into programmable or erasable programmable devices, field programmable gate array (FPGA). ), Gate array or application specific integrated circuit (ASIC) design.

  The boundaries between modules and operations disclosed herein are merely examples, and in alternative embodiments, such modules or operations may be merged or the above functions may be otherwise disassembled. Can be imposed on each module. For example, the actions disclosed herein can be broken down into partial operations that are to be executed as multiple computer processes. Further, in alternative embodiments, multiple instances of a particular operation or partial operation can be combined. Further, the operation of the exemplary embodiments disclosed herein has been presented only for purposes of illustration. In accordance with the disclosure herein, such operations can be combined and the functionality of such operations can be distributed among the additional operations.

  FIG. 3 shows a flowchart of a method for evaluating allocation of a tape drive for secure data erasure according to an embodiment of the present invention. In this process, one or more existing tapes can be allocated so that additional tape drives can be allocated to perform secure data erasure, and one or more additional tape drives previously allocated can be removed. Reallocate drives (tape drives allocated for secure data erasure process), add one or more additional tape drives, or return these tape drives to minimum requirements . The decision to add a tape drive is based on an assessment of whether or not allocating the tape drive improves secure data erasure performance. The improvement can be the ability of a tape management system (eg, VTS) to perform secure data erasure before the SDE deadline, as described below. The decision to remove a tape drive is that a safe data erasure process can be performed and a SDE deadline when using fewer tape drives or the number of tape drives allocated for minimum operating requirements It is performed based on the evaluation of whether or not it can be satisfied.

  As described in connection with step 212, the incremental count has a remaining time that is less than the customer-defined time threshold and is actually expired so it can be used for secure data erasure. This can be maintained as representing the number or amount of physical volumes. In other embodiments, the count of physical volumes to be securely erased can be obtained by other methods. This physical volume count defines the number or amount of secure data erasure operations that can be placed in the SDE queue.

  For convenience in describing the process of FIG. 3, the process may be performed in response to a secure data erasure request or customer request, or periodically (eg, every 24 hours, every 12 hours, or any other suitable granularity). ), It is assumed that the code is executed by the VTS. The process begins at step 301 and then proceeds to step 302 where the VTS compares the number or amount of secure data erasure operations in the SDE queue with the maximum queue threshold. This maximum queue threshold can be defined by the customer. For example, the customer can determine the maximum queue threshold as the amount of physical volume that the VTS can successfully perform a secure data erase without exceeding the SDE deadline. For example, a customer can define a maximum queue threshold of 15 physical volumes.

  If the amount of secure data erase operations in the SDE queue (eg, 16) is greater than the maximum queue threshold, the process proceeds to step 306 where the average time to SDE deadline is calculated and this is Compared to the minimum expiration threshold. The average time to this SDE deadline is determined by adding the remaining time to the SDE deadline for each physical volume in the SDE queue and dividing the sum by the number of physical volumes in the SDE queue. . The minimum expiration threshold can be defined by the customer. For example, with a current allocation of drives, the customer reasonably predicts that secure data erasure targeting physical volumes in the SDE queue can be performed before reaching their SDE deadline. By considering the time that can be done (eg, the number of days or hours), a minimum expiration threshold can be determined and defined. If the average time to SDE deadline is greater than the minimum expiration threshold, the process ends at step 312 without allocating or removing a secure data erasure tape drive. For example, if the average time to SDE deadline is 15 days and the minimum expiration threshold is set by the customer as 3 days, the current tape drive allocated for secure data erasure Would be expected to be sufficient to complete secure data erasure for physical volumes in the SDE queue before reaching their SDE deadline.

  If the average time to SDE deadline is less than the minimum expiration threshold, the process proceeds to step 310 where the VTS has more tape tapes to complete the secure data erase operation in the SDE queue.・ Allocate drives. For example, if the average time to SDE deadline is 1 day and the minimum expiration threshold is set by the customer to 3 days, the current tape drive allocated for secure data erasure Would be expected to fail to complete secure data erasure for all physical volumes in the SDE queue before reaching their SDE deadline. In such an example, the process proceeds to step 310 where an additional tape drive will be allocated for secure data erasure. After step 310, the process proceeds to step 312 where the process ends.

  In an embodiment, the VTS can allocate additional tape drives by replenishing one of the tape drives 110A-110N to perform a secure data overwrite process. The refill tape drive (one of 110A-110N) may have been previously used in the VTS to perform the read and write processes. Since the refill tape drive (one of 110A-110N) can no longer perform these functions, the VTS is functioning with one fewer drive to perform read and write operations. . Therefore, if an additional tape drive is needed, only that additional tape drive is allocated, and if the additional tape drive is no longer needed, the additional tape drive is returned to its original function. It is desirable to return to

  In other embodiments, the VTS can allocate additional tape drives to a secure data erasure process by requesting that additional tape drives be added to the tape library 112. This request can be communicated through an interface such as a display or a graphical user interface (GUI). In other embodiments, one or more additional tape drives can be allocated to perform secure data erasure.

  Returning to step 302 in FIG. 3, the description will be continued. If it is determined that the amount of secure data erasure operations in the SDE queue is less than the maximum queue threshold, the process proceeds to step 304 where the amount of secure data erasure operations is equal to the minimum queue threshold. To be compared. This minimum queue threshold can be defined by the customer. The customer determines and defines a minimum queue threshold as the amount of secure data erase operations that are likely to be able to complete a secure data erase before reaching the SDE deadline with minimal operational requirements. be able to. If the amount of secure data erase operation is less than the minimum queue threshold, the tape drive allocation for the secure data erase process is set to the minimum operational requirement (step 308). In other embodiments, one or more existing tape drives (tape drives allocated to a secure data erasure process) so that one or more additional tape drives previously allocated can be removed. ) Can be reallocated. After step 308, the process ends at step 312.

  If the VTS determines that the amount of secure data erase operations is greater than the minimum queue threshold, the current allocation of the tape drive is maintained and the process ends at step 312.

  In other embodiments, the allocation of tape drives for a secure data erasure process is not a fragmentary aspect and can be done all at once. That is, the VTS can determine the optimum number of tape drives for a secure data erasure process by performing the steps 302-310 described above. Once such an optimal number of drives is determined, the VTS allocates the optimal number of drives for the secure data erasure process described above. The optimal number of tape drives is the minimum number of tape drives required to perform a secure data erase before the SDE deadline. The optimal number can be reassessed periodically (every day, every 12 hours or every other suitable granularity).

  2 and 3 show a flowchart of a secure data erasure process according to an embodiment of the present invention. Although the flowcharts of FIGS. 2 and 3 illustrate a particular order of process operations and a particular granularity of process operations, in other embodiments, the order can be changed (eg, process operations Can be executed in other orders or substantially in parallel, or one or more process operations can be combined or split). Similarly, in alternative embodiments of the present invention, additional process operations can be added as needed.

As described above, the automated storage management administrator 128 stores information related to physical volumes in an associated volume status table (not shown). The volume status table lists each physical volume in the system and holds one or more parameters associated with each physical volume. In an embodiment, the volume status table may hold one or more of the following:
The number of secure data erasure operations that are put into the SDE queue (determined in step 212)
Average time to SDE deadline This volume status table can be combined with the volume status table described in connection with FIG. 2, or the volume status table can be created as a separate table. it can. This volume status table can be updated periodically, eg, each time the process of FIG. 2 or FIG. 3 is started to maintain current parameters associated with each physical volume. The volume status table can also have additional information useful for a secure data erasure process.

  FIG. 4 illustrates a data processing system that can be used in one or more embodiments of the present invention. Although a particular number of elements and their arrangement are shown for the data processing system 400 of FIG. 4, embodiments of the present invention are not limited to data processing systems having any particular number, type, or arrangement of components. Note that it encompasses various types, architectures and form factors of data processing systems (eg, network elements or nodes, personal computers, workstations, servers, etc.). The illustrated data processing system 400 includes a processor 402 that is coupled to a memory 404 via a bus 406. The memory 404 can be any of a number of system memory type storage elements such as random access memory (RAM), read only memory (ROM), flash memory, and cache.

  The illustrated data processing system 400 also includes input / output (I / O) coupled to the bus 406 to establish communication between one or more I / O devices (not shown) and the data processing system 400. ) Interface 408. Typical I / O devices include normal I / O devices such as keyboards, displays, printers, cursor control devices (trackballs, mice, tablets, etc.), speakers and microphones, fixed magnetic media storage devices, and optical devices. Removable magnetic media storage devices including dynamic storage devices (eg CD or DVD ROM), solid state storage devices (USB memory, Secure Digital SD ™, Compact Flash ™, MMC, etc.), flexible disks and tapes And wired or wireless communication devices (eg, a communication network accessed via a modem or direct network interface).

  Embodiments of the present invention include software, information processing hardware, and various process operations disclosed herein. The features and process operations of the present invention may be embodied in executable instructions recorded in a machine-readable medium such as memory 404, storage device, communication device, medium. A machine-readable medium includes any mechanism that provides (stores or transmits) data in a form readable by a machine (eg, data processing system 400). For example, machine-readable media can be propagated through random access memory (RAM), read only memory (ROM), magnetic storage media, optical storage media, flash memory devices, electrical, optical or acoustically. Including but not limited to signals (eg, carrier wave, infrared signal, digital signal, etc.). The aforementioned executable instructions can be used to cause a general purpose or special purpose processor, such as processor 402 programmed with instructions, to perform the operations, methods or processes of the present invention. Alternatively, the features or operations of the present invention may be implemented by specific hardware components that include hardwired logic to perform the operations, or any combination of programmed data processing components and custom hardware components. Can do this.

  The invention has been described in the context of a fully functional data processing system. However, the present invention can be distributed as a program product having various formats. Thus, the present invention applies equally regardless of the particular type of signal bearing media used to make such distribution. Examples of such signal bearing media include recordable media such as flexible disks and CD-ROM, transmission media such as digital and analog communication links, and media storage devices and distribution systems that will be developed in the future. Similarly, embodiments of the invention can be implemented utilizing software modules that are used to perform specific operations or tasks. Such software modules include scripts, batches or other executable files and can be stored on machine-readable or computer-readable media. Accordingly, these modules can be stored in the memory of the computer system to configure the data processing or computer system to perform one or more functions of the software module. Various other types of machine readable media or computer readable media may be used to store these modules.

  While specific embodiments of the invention have been described above, it will be appreciated that various changes and modifications may be made based on the teachings disclosed herein without departing from the invention and its broad aspects. . Accordingly, the appended claims are intended to cover all such changes and modifications as fall within the true spirit and scope of this invention. The invention is defined only by the claims.

1 is a detailed block diagram illustrating a data storage network including a data storage subsystem, in accordance with an embodiment of the present invention. FIG. 4 is a flowchart of a method for selectively performing secure data erasure according to an embodiment of the present invention. 6 is a flow chart of a method for evaluating allocation of a tape drive for secure data erasure according to another embodiment of the present invention. FIG. 2 illustrates a data processing system that can be used in one or more embodiments of the present invention.

Explanation of symbols

100 Virtual storage system 101 Virtual tape server (VTS)
102 Host System 106 Direct Access Storage Device (DASD) Cache 108 Storage Management Server 110A-110N Tape Drive 112 Tape Library 114 Access Mechanism 116A-116N Tape Cartridge 118A-118N Virtual Tape Daemon (TD)
120A-120N File System Manager (FSM)
122 Hierarchical Storage Manager (HSM) Client 124 Command Interface 126 Console Output 128 Automated Storage Management Administrator 130 Library Manager

Claims (12)

A method for determining tape drive allocation for a secure data erasure process in a tape management system having a plurality of tape drives, comprising:
Receiving a request to perform a secure data erasure process in the tape management system;
In response to the request, additional tape drives are evaluated by evaluating the amount of physical volume to be securely erased, maximum queue threshold, average time to erase deadline, and minimum expiration threshold. Determining whether allocation of data improves the performance of secure data erasure;
Allocating additional tape drives for the secure data erasure process in response to a determination result of the determining step that allocation of additional tape drives improves the performance of the secure data erasure. . Said evaluation is
Compare the amount of physical volume to be securely erased with the maximum queue threshold;
The method of claim 1, comprising calculating the average time to the erasure deadline in response to the amount of physical volume to be securely erased being greater than the maximum queue threshold. Said evaluation is
Comparing the average time to the erasure deadline with the minimum expiration threshold;
The method of claim 2, further comprising performing the allocating step in response to the average time to the erasure deadline being less than the minimum expiration threshold.  The amount of physical volume to be securely erased is determined by the physical volume erase count, which increments the count for each physical volume that has a remaining time less than the time threshold. The method of claim 1, wherein the method is determined.   The method of claim 4, wherein the remaining time is calculated by a difference between the erase deadline of the physical volume and a current date of the physical volume.   The method of claim 1, wherein the secure data erasure process includes overwriting data in the physical volume.   The method of claim 6, wherein the overwriting comprises overwriting the data of the physical volume one or more times using a data pattern comprising one of logical one, logical zero, or a combination thereof.   A plurality of tapes allocated for the secure data erasure process in response to other evaluations of the amount of physical volume to be securely erased, the maximum queue threshold and the minimum queue threshold; The method of claim 1, further comprising the step of reallocating one or more tape drives of the drives.   The method of claim 1, wherein the improved secure data erase performance comprises performing the secure data erase prior to the erase deadline. A method for determining tape drive allocation for a secure data erasure process in a tape management system having a plurality of tape drives, comprising:
By evaluating the amount of physical volume to be securely erased, the maximum queue threshold, the average time to erase deadline and the minimum expiration threshold, the tape drive for the secure data erase process Determining the number;
Allocating the determined number of tape drives for the secure data erasure process in response to the determining step.   The computer program for making a computer perform each step of the method of any one of Claims 1 thru | or 10. A tape management system,
Multiple tape drives;
A processor coupled to the plurality of tape drives;
The processor is
In response to the tape management system receiving a request to perform a secure data erasure process, the amount of physical volume to perform secure data erasure, a maximum queue threshold, an average time to erase deadline, and Determine whether additional tape drive allocation improves secure data erasure performance by assessing the minimum expiration threshold;
A tape management system configured to allocate additional tape drives for the secure data erasure process in response to the determination that the allocation of additional tape drives improves the performance of the secure data erase.

Images