Cloud-based management of access to data storage systems on local networks

Document No.: 1510744 Publication date: 2020-02-07

Reading note: This technology, "Cloud-based management of access to data storage systems on local networks", was designed by S.拉查巴图尼 and J.盖拉德 on 2018-06-21. Its main content: Systems and methods for managing access between a data storage server and a client located on the same local network are disclosed. Access is managed using a cloud service that is remote from both the data storage server and the client requesting access to the server. The cloud-based management of local connections described herein simplifies the process of connecting from a client program or device to a data storage server on a local network. The connection is authorized based on the use of a local code. The local code (rendered as "native code" in parts of this translation) is generated by the cloud service and includes a concatenation of a device identifier associated with the data storage server and a time-varying value (such as a timestamp).

1. A Network Attached Storage (NAS) comprising:

a non-volatile memory module;

a local network interface; and

control circuitry coupled to the non-volatile memory module and the local network interface and configured to:

receive a request to retrieve a native code from a client through the local network interface;

send a request for the native code to a cloud service;

receive the native code from the cloud service, the native code comprising a concatenation of a device identifier associated with the NAS and a time-varying value; and

send the native code received from the cloud service to the client through the local network interface.

2. The NAS of claim 1, wherein the native code is encrypted using Advanced Encryption Standard (AES) encryption.

3. The NAS of claim 1, wherein the control circuitry is further configured to communicate with the cloud service over a wide area network.

4. The NAS of claim 1, wherein the control circuitry is further configured to send the device identifier associated with the NAS to the cloud service.

5. The NAS of claim 1, wherein the control circuitry is further configured to send an Internet Protocol (IP) address of the NAS to the cloud service.

6. The NAS of claim 1, wherein the control circuitry is further configured to provide the client access to files stored on the non-volatile memory module in response to an indication of a successful attachment from the cloud service.

7. The NAS of claim 1, wherein the time-varying value is a timestamp.

8. A computing device, comprising:

a data storage module;

a local network interface; and

control circuitry coupled to the data storage module and the local network interface and configured to:

send a request for a native code to a data storage server through the local network interface;

receive the native code from the data storage server, the native code comprising a concatenation of a device identifier associated with the data storage server and a time-varying value;

send an attach request with the native code to a cloud service over a wide area network; and

establish a connection with the data storage server through the local network interface such that the computing device is provided access to files stored on the data storage server.

9. The computing device of claim 8, wherein the control circuitry is further configured to encrypt communications with the cloud service.

10. The computing device of claim 8, wherein the time-varying value is a timestamp.

11. The computing device of claim 8, wherein the control circuitry is further configured to determine an Internet Protocol (IP) address of the data storage server on the local network.

12. A cloud service communicatively coupled to a data storage server and a client device over a wide area network, the cloud service comprising:

a non-volatile memory module;

a network interface; and

control circuitry coupled to the non-volatile memory module and the network interface and configured to:

receive a request for a native code from the data storage server;

generate the native code based at least in part on a concatenation of a unique device identifier associated with the data storage server and a time-varying value;

send the generated native code to the data storage server;

receive an attach request from the client device that includes the provided native code;

verify that the provided native code matches the generated native code; and

authorize a connection through a local network between the data storage server and the client device.

13. The cloud service of claim 12, wherein the control circuitry is further configured to deny the attach request in response to the provided native code not matching the generated native code.

14. The cloud service of claim 12, wherein the control circuitry is further configured to receive the unique device identifier associated with the data storage server from the data storage server.

15. The cloud service of claim 12, wherein the control circuitry is further configured to encrypt the generated native code.

16. The cloud service of claim 15, wherein the control circuitry is configured to encrypt the generated native code using a symmetric encryption algorithm.

17. The cloud service of claim 12, wherein the time-varying value is a timestamp associated with the generation of the native code.

18. The cloud service of claim 12, wherein the control circuitry is further configured to store the generated native code.

19. The cloud service of claim 12, wherein the control circuitry is further configured to receive unique device identifiers from a plurality of data storage servers.

20. The cloud service of claim 19, wherein the control circuitry is further configured to generate a unique native code for each of the plurality of data storage servers based at least in part on the unique device identifier.

Technical Field

The present disclosure relates to accessing a data storage system on a local network. More particularly, the present disclosure relates to systems and methods for cloud-based access management to data storage systems on local networks.

Background

Drawings

Various embodiments are shown in the drawings for illustrative purposes and in no way should be construed to limit the scope of the disclosure. In addition, various features of different disclosed embodiments may be combined to form additional embodiments, which are part of this disclosure.

Fig. 1 is a diagram of a network data storage system in accordance with one or more embodiments.

Fig. 2 is a block diagram illustrating an attachment process involving a data storage server, a client, and a cloud service in accordance with one or more embodiments.

Fig. 3 is a flow diagram illustrating a process for establishing a local connection between a client and a Network Attached Storage (NAS) device in accordance with one or more embodiments.

FIG. 4 is a flow diagram illustrating a process for establishing a local connection between a client and a NAS device in accordance with one or more embodiments.

Fig. 5 is a flow diagram illustrating a process for authorizing a connection between a client on a local network and a NAS device in accordance with one or more embodiments.

Detailed Description

While certain embodiments have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of protection. Indeed, the methods and systems described herein may be embodied in a variety of other forms. Furthermore, various omissions, substitutions and changes in the form of the methods and systems described herein may be made without departing from the scope of protection.

Summary

Systems, devices, and methods for managing access between a Network Attached Storage (NAS) device and a client on the same local network are disclosed herein. Access is managed using a cloud service that is remote (e.g., not on the same local network) from the NAS device and the client requesting access to the device. This advantageously allows the centralized service to control connections with managed NAS devices while still allowing connections between the devices and clients over the local network. In addition, the cloud-based management of local connections described herein simplifies the process of connecting from a client program or device to a NAS device on a local network. For example, in some embodiments, the systems and methods described herein eliminate the need for a user or client program to know or determine the local Internet Protocol (IP) address of a NAS device before connecting to the NAS device.

The disclosed cloud-based management of connections between NAS devices and clients over a local network is accomplished using local codes, or codes that authorize access over the local network. The local code is generated by a cloud service. The cloud service also verifies the local code when a request to connect to the NAS device is issued. An authentication and authorization process for establishing a connection on a local network includes a client requesting a NAS device to retrieve a local code, the NAS device requesting the local code from a cloud service, the cloud service generating and sending the local code to the NAS device, the NAS device forwarding the local code to the client, the client requesting to attach to the NAS device using the local code as a credential, and the cloud service verifying the local code to grant access to the NAS device. The cloud service generates a unique local code using information associated with the NAS device, in addition to other data. The local code may also be encrypted. This makes it difficult or impossible to generate the local code outside of the cloud service, making it difficult for an unauthorized client or user to gain access to the NAS device.

The disclosed systems and methods for cloud-based access management may be particularly advantageous in simplifying the process of users connecting to their NAS devices. For example, it may be desirable that a first user creating an account on a NAS device can establish a connection with the NAS device without providing authentication or authorization credentials when the connection is through a local network. However, in the case of remotely managing access to a NAS device (e.g., using cloud services), a problem arises for a user (or client device) in determining whether the user or client is authorized to connect to a particular NAS device. The systems and methods disclosed herein use the local code to prove that a client device and a NAS device are on the same local network, allowing connections between devices without requiring the user to provide authorization credentials. In addition, the systems and methods disclosed herein advantageously use cloud services to manage connection authorization rather than requiring NAS devices to perform this function. This simplifies the infrastructure of the NAS device. This also allows the centralized service to manage connections across the NAS devices associated with the service. Thus, a client attempting to connect to a NAS device is authorized through the cloud service rather than through the NAS device.

Although the principles disclosed herein may be applicable to managing connections between devices on a local network using cloud-based services, for clarity and ease of description, certain embodiments are disclosed herein in the context of a network attached storage system. However, it should be understood that the disclosed systems and methods may be used in situations where a client device establishes a connection with a managed device on a local network. This may include, for example, but is not limited to, a television, a set-top box, an Internet of Things (IoT) device, and so forth.

Network attached storage

A Network Attached Storage (NAS) drive/system may provide file-level or object-level data storage over a computer network, where one or more clients may access the stored data. Although certain embodiments are disclosed herein in the context of files, file servers, file systems, and other file-level references, it should be understood that such references as used herein may refer to object-level data or any other type of data structure, depending on the particular implementation.

The NAS may comprise hardware, software, or a combination of such elements configured to cause the NAS to operate as a file server. FIG. 1 is a diagram of an example embodiment of a NAS system 100 in which a network attached storage device (NAS) 110 is communicatively coupled to one or more client devices 131-137 via a network 120. NAS 110 may provide file-based or object-based data storage services to devices coupled to network 120. The types of client devices that may access NAS 110 may include a phone 137 (such as a smart phone), a cable set-top box 136, a smart television 135, a video game console 134, a laptop computer 133, a tablet computer 132, a desktop computer 131, a wearable computer (not shown), and/or other network-connected computing devices. Network 120 may be a Local Area Network (LAN), a Wide Area Network (WAN) (e.g., the Internet), a combination of a LAN and a WAN, or other type of computer network, and the connections between the various client components of system 100 and network 120 may be wired or wireless, and may be connected through one or more intermediate systems, which are not shown for clarity.

Although certain embodiments are described herein in the context of a NAS device/system, it should be understood that references herein to a NAS device may refer to other types of data storage devices/systems, such as any type of computer device that implements software that allows data storage access over a network. Further, some embodiments disclosed herein may be implemented using data storage device connections that are not through a network, but are directly through client/server connections.

In certain embodiments, the NAS 110 may be configured over the network 120 through a client device interface, such as a web browser of a mobile or desktop computing device. An operating system (e.g., a relatively low-level operating system such as FreeNAS) may be implemented in the NAS 110 by its control circuitry 112. NAS 110 may provide access to files 117 using one or more network file sharing protocols, such as Network File System (NFS), Server Message Block/Common Internet File System (SMB/CIFS), Apple Filing Protocol (AFP), and the like. The NAS 110 may include a data store 115 for storing a device identifier (ID) 116 that uniquely identifies the NAS 110, user data (e.g., files) 117, metadata (such as system tables, etc.), and/or other types of data. The data store 115 may include one or more non-volatile memory devices or modules, and may include any type of data storage media (e.g., solid state, magnetic).

The NAS 110 may be configured to encrypt user data/files 117 stored in the data store 115. For example, the NAS 110 may implement Transport Layer Security (TLS), Secure Sockets Layer (SSL), and/or Advanced Encryption Standard (AES) keys (e.g., 256 bits, 128 bits, etc.) to protect files at rest and/or in transit. The NAS 110 may be further configured to implement one or more additional security features, such as user authentication, forward secrecy, and the like.

As described above, the NAS 110 may provide shared access to files/data 117 stored on the NAS 110. For example, any of a plurality of clients may request access to a file over network 120. Access to the NAS 110 may be regulated by the cloud service 150. The cloud service 150 may receive attach requests from one or more clients 131-137 to connect to the NAS 110. If the client is authenticated, the cloud service 150 grants the client access to the NAS 110.

In some embodiments, the cloud service 150 is remote from the NAS 110 and the client requesting attachment to the NAS 110, while the client and NAS are local to each other (e.g., connected to the same LAN). When the attach request from the client corresponds to a request to connect with the NAS 110 over a local network (e.g., LAN), the cloud service 150 generates a local code and later verifies the local code provided by the client to grant access to the NAS 110. This advantageously allows the cloud service 150 to manage access, ownership, authorization, and authentication between clients and NAS devices, rather than a single NAS device managing these relationships.

The NAS device 110 includes a non-volatile memory module such as a data storage module 115, a network interface (not shown), and control circuitry 112 coupled to the non-volatile memory module and the network interface. The control circuitry 112 is configured to manage client access using a client access manager 113. The control circuitry 112 is further configured to manage communications with the cloud services 150 using the cloud service manager 114. Although the control circuit 112 is shown as a separate module, it should be understood that any configuration of modules or control circuits may be used to implement the functionality represented thereby.

In some embodiments, non-volatile memory module 115 includes computer-executable instructions configured to perform one or more of the methods or processes described herein (or portions of such processes and methods). In certain embodiments, the control circuitry 112 is configured to execute computer-executable instructions stored on the NAS 110 that are configured to perform one or more of the processes or methods described herein (or portions of such processes and methods). In some implementations, the client access manager 113 includes computer-executable instructions configured to manage client access to the NAS device 110. In various implementations, cloud service manager 114 includes computer-executable instructions configured to manage communications and interactions with cloud service 150. In various implementations, client access manager 113 and/or cloud service manager 114 include a combination of software, firmware, and/or hardware configured to perform the processes described herein.

The client access manager 113 is configured to receive a request from a client to retrieve a local code. The request is part of the process of establishing a connection between the client and the NAS 110 over a local network (e.g., a LAN). The client access manager 113 is configured to verify that the request from the client is provided through the local network interface. If not, the client access manager 113 may deny the request to retrieve the local code. In this manner, the NAS 110 may be configured to regulate client access through a local network. If a request from a client arrives through the local network interface, the client access manager 113 is configured to send a local code to the requesting client, the local code being generated by the cloud service 150.

In various implementations, a client may access the NAS 110 when the client is remote from the NAS 110 (e.g., the NAS 110 and the client are not on the same local network). However, in that case the attach process may involve a process other than using the local code. As described herein, the attach process to establish a connection between a NAS and a client over a local network involves the use of a local code.

The cloud service manager 114 of the NAS 110 is configured to register the NAS 110 with the cloud service 150. To register the NAS 110, the cloud service manager 114 provides a device ID 116 corresponding to a unique device identifier associated with the NAS 110. The cloud service manager 114 may be configured to provide the local IP address of the NAS 110 to the cloud service 150. This allows the cloud service 150 to manage access to remote NAS devices. The cloud service manager 114 is further configured to request the local code from the cloud service 150 when the client initiates a request for the local code through the local network interface. The cloud service manager 114 is also configured to receive the requested local code from the cloud service 150.

The cloud service 150 is configured to maintain an association between the client and the NAS device. The cloud service 150 may be installed on one or more machines (e.g., servers) and may be provided by a distributed computing system. The term cloud as used herein in connection with the cloud service 150 is used to indicate that NAS devices and clients may access the cloud service 150 through the network 120, but the cloud service 150 is not limited to implementation on a single destination computer or server. Rather, cloud service 150 may be implemented on multiple computing devices (e.g., servers), where each computing device may provide all of the services of cloud service 150, or divide the services of cloud service 150 between two or more computing devices. It should also be understood that the cloud service 150 may be distributed among geographically separated multiple computing devices to enable network communications with less delay for geographically separated client and NAS devices.

The cloud service 150 includes a device registration module 152 and a client access module 154. Similar to the NAS device 110, the cloud services 150 may include a non-volatile memory module, a network interface, and control circuitry coupled to the non-volatile memory module and the network interface. The control circuitry may be configured to manage available NAS devices using the device registration module 152 and to manage client access using the client access module 154. Although the control circuitry of the cloud service is described as a separate module, it should be understood that any configuration of modules or control circuitry may be used to implement the functionality represented thereby.

In some embodiments, the non-volatile memory module of cloud service 150 includes computer-executable instructions configured to perform one or more of the methods or processes described herein (or portions of such processes and methods). In certain embodiments, the control circuitry is configured to execute computer-executable instructions stored on the cloud service 150 that are configured to perform one or more of the processes or methods described herein (or portions of such processes and methods). In some implementations, the client access module 154 includes computer-executable instructions configured to manage the attachment between the client and the NAS device. In various implementations, the device registration module 152 includes computer-executable instructions configured to manage NAS devices available to clients. In various implementations, device registration module 152 and/or client access module 154 include a combination of software, firmware, and/or hardware configured to perform the processes described herein.

The device registration module 152 is configured to receive a device ID from the NAS 110 to register the device. The device registration module 152 may also be configured to receive an IP address of the NAS 110 to add to registration information associated with the NAS 110. The device registration module 152 may perform this operation on multiple NAS devices to regulate and provide access to the NAS devices.

The client access module 154 is configured to manage the attachment between the client and the NAS device. The client access module 154 is configured to receive an attach request from a client, the attach request being a request to establish a connection between the client and a particular NAS device over a local network. Upon receiving the request, the client access module 154 is configured to determine whether the client is local to the NAS device. This determination is made using a local code. As part of the attach request, the client provides a local code that the client access module 154 is configured to verify before allowing the connection to be established. The local code is generated by the client access module 154.

The client access module 154 generates a local code using the device ID of the NAS device. In some embodiments, the client access module 154 generates the local code by concatenating the device ID with a timestamp or other unique, random, or varying data value. In various implementations, the local code may also be encrypted by the client access module 154. The encryption may be any suitable symmetric encryption (e.g., AES encryption) or asymmetric encryption. The client access module 154 stores a copy of the generated local code for authentication purposes. When an attach request is received from a client, the client access module 154 compares the local code provided by the client with the local code generated by the module that is associated with the particular NAS device. In some embodiments, the client access module 154 is configured to decrypt the local code provided by the client as part of the attach request. At least in part because the local code is uniquely generated by the client access module 154, if the client-provided local code is verified, this provides sufficient evidence that the client has been authorized to attach to the requesting NAS device. This eliminates the need for further authentication or authorization requests for the client or user.

Each of the clients 131-137 may include a non-volatile memory module, a network interface, and control circuitry coupled to the non-volatile memory module and the network interface. The control circuitry may be configured to initiate a request for the local code, receive the local code, and make an attach request using the received local code. The client may be configured to communicate with the cloud service 150 to connect to the NAS 110. The connection request or the attach request may include a local code to be authenticated by the cloud service 150. To obtain the local code, the client initiates a request for the local code through the NAS 110. In some embodiments, the client is configured to initiate a request for the local code when it determines that the NAS 110 is on the same local network and/or when the request is completed using a local network interface. After initiating the request for the local code, the client receives the local code from the NAS 110. The client uses the local code in an attach request to the cloud service 150. If the local code is verified, the client may establish a connection with the NAS 110, receiving access to the files 117 stored on the NAS 110. The use of a local code may simplify this process, which may be referred to as "onboarding," relative to other processes that require, for example, a user to determine the IP address of the NAS 110 prior to establishing a connection.

In some embodiments, the NAS 110 and the client are on the same local network, where the network includes a router or other similar network switching device. The router may be configured to direct data to cloud service 150 on a Wide Area Network (WAN), as well as between clients on a Local Area Network (LAN) and NAS 110. A router may be part of network 120 and may be used to define a local area network. For example, a device and a client connected to a router may be considered part of the same local network. In some implementations, devices and clients having IP addresses assigned and/or managed by a router providing access to the WAN can be considered part of the same local network.

Device access control

Fig. 2 is a block diagram illustrating an attachment process involving NAS device 210, client 230, and cloud service 250. The attach process is configured to establish an attachment or connection between NAS device 210 and client 230, where NAS device 210 and client 230 are on the same local network 221. In this network configuration, the cloud service 250 is connected to the NAS device 210 and the client 230 through the wide area network 222. In some embodiments, the connection between the client 230 and the NAS device 210 may be wired, such as through an Ethernet, USB, or other connection, or may be wireless, such as through a Wi-Fi, Bluetooth, or other wireless connection. The NAS device 210 may be similar to the NAS 110 described herein with reference to FIG. 1. Likewise, the client 230 may be any of the clients 131-137 described herein with reference to FIG. 1. Further, cloud service 250 may be similar to cloud service 150 described herein with reference to FIG. 1. Communications between the client 230 and the NAS device 210, between the client 230 and the cloud service 250, and/or between the cloud service 250 and the NAS device 210 may be encrypted. This may be done using any suitable encryption protocol, such as Hypertext Transfer Protocol Secure (HTTPS), Secure Sockets Layer (SSL), Transport Layer Security (TLS), and so forth.

First, the attach process includes an initial request from the client 230 to the NAS device 210 to retrieve the local code. In some embodiments, the client 230 is configured to issue the initial request when it is determined that it is on the same local network 221 as the NAS device 210. In some embodiments, the client 230 is restricted from issuing the initial request unless it is determined that the NAS device 210 is on the same local network 221. Where the client 230 is communicatively coupled to the NAS device 210 over a LAN connection, the client 230 may be configured to search for NAS devices on the network 221, where such a search may generate a list of all available devices based on, for example, IP addresses.

Second, the attach process includes a request for the local code from the NAS device 210 to the cloud service 250. In some embodiments, NAS device 210 is configured to reject the initial request from client 230 if the initial request is not transmitted through the local network interface. Thus, the client 230 and/or the NAS device 210 may be configured to determine whether each is connected to the same local network 221. If not, the client 230 and/or the NAS device 210 may be configured to end the attach process that uses the local code. In this way, the local code is only available through a network interface local to the local area network 221. If sent from a remote network (e.g., from a client or device on wide area network 222), the request for the local code does not proceed. It should be understood that other attachment procedures may be used in cases where the NAS device 210 and the client 230 are not on the same local area network.

Third, the attach process includes the cloud service 250 generating and sending a local code to the requesting NAS device 210. The local code may be encrypted. The local code may be associated with a device identification of the NAS device 210. The local code may be generated using unique, random, or varying information in addition to the device identification of the NAS device 210. The cloud service 250 stores a copy of the local code for later verification and authentication. In some embodiments, the cloud service 250 generates the local code by concatenating the device ID of the NAS device 210 with a timestamp associated with the request for the local code or with the time at which the local code was generated. In this way, it is unlikely or impossible for an unauthorized client to generate duplicate or forged local codes to gain unauthorized access to the NAS device 210.

Fourth, the attach process includes the NAS device 210 sending the local code to the client 230. In some embodiments, the NAS device 210 does not modify the local code. In some embodiments, further encryption may be used between the NAS device 210 and the client 230, using, for example, symmetric or asymmetric encryption techniques.

Fifth, the attach process includes sending an attach request from the client 230 to the cloud service 250, where the request includes the local code received from the NAS device 210. The cloud service 250 is configured to decrypt and verify the received local code. If the local code is verified, the authorized client 230 connects to the NAS device 210 over the local area network 221.

The attach process advantageously provides a way to prove to the cloud service 250 that the onboarding client 230 is local to the NAS device 210. This allows authorization policies to exist on the cloud service 250 instead of the NAS device 210, which in turn allows the architecture of the NAS device 210 to be simplified. Furthermore, it makes the onboarding process easier for the user, due at least in part to the automatic authentication and authorization provided by using the local code.

Client 230 may include a server, desktop, laptop, tablet, handheld device, etc., and may include control circuitry including one or more Central Processing Units (CPUs), memory/data storage devices or modules, network interface and/or input/output interface components, etc. The control circuitry of client 230 may be implemented to perform the functions described herein. The control circuitry of client 230 may be configured to execute certain software applications for implementing the functionality described herein. Client 230 may include one or more local storage devices, such as a hard disk, a flash memory module, a solid state disk, an optical disk, and so forth. Client 230 includes a network interface for connecting to network 221 and network 222, which may include one or more network adapters (e.g., Network Interface Cards (NICs)).

Establishing a local connection between a client and a NAS device

FIG. 3 is a flow diagram illustrating a process 300 for establishing a local connection between a client and a NAS device in accordance with one or more embodiments. The process 300 may be implemented at least in part by a client communicatively coupled to a NAS device through a local network connection. Thus, for ease of description, process 300 is described herein as being performed by a client. The process 300 allows a client to establish a connection to a NAS device without requiring the user of the client device to determine or provide the IP address or device ID of the NAS device, thereby facilitating the onboarding process.

At block 302, the client initiates a request for the local code by transmitting the request to the NAS device. In some embodiments, the client determines whether the NAS device is on the local network with the client before initiating the request for the local code.

At block 304, the client receives a response from the NAS device that includes the local code. The local code may or may not be encrypted when it is received from the NAS device. In some embodiments, the client may decrypt the local code. The local code is uniquely associated with the NAS device. The local code may be generated using an algorithm that combines a device identifier (e.g., a Media Access Control (MAC) address, a device ID, a serial number, a hash value of one or more hardware component identifiers, etc.) of the NAS device with a time-related value, such as a timestamp, a random number, and so forth. The resulting local code may be unique and difficult or impossible to forge.

At block 306, the client sends an attach request to the cloud service. The attach request includes the encrypted local code. If the local code is verified, the connection between the client and the NAS device is allowed.

At block 308, the client establishes a connection with the NAS device through the local network interface. This connection allows the client to access the file system and files stored on the NAS device using the local network.

FIG. 4 is a flow diagram illustrating a process 400 for establishing a local connection between a client and a NAS device in accordance with one or more embodiments. The process 400 may be implemented at least in part by the NAS device communicatively coupled to the client over a local network connection. Thus, for ease of description, the process 400 is described herein as being performed by a NAS device. The process 400 allows the NAS device to establish a local connection with the client without the NAS device maintaining access permissions, authenticating the client, and/or authorizing the client, thereby making the architecture of the NAS device simpler.

At block 402, the NAS device receives a request from a client to retrieve a local code. At block 404, the NAS device determines whether the request from the client was received over a local network interface. If so, the NAS device proceeds to block 406. If not, the NAS device terminates the process 400 at block 405 without requesting the local code from the cloud service.

At block 406, the NAS device requests the local code from the cloud service. At block 408, the NAS device receives the local code from the cloud service. The local code is uniquely associated with the NAS device. The local code may be generated using an algorithm that combines a device identifier (e.g., a MAC address, a device ID, a serial number, a hash of one or more hardware component identifiers, etc.) of the NAS device with a time-related value, such as a timestamp, a random number, and so forth. The resulting local code may be unique and difficult or impossible to counterfeit.

At block 410, the NAS device sends the local code to the client requesting it. In some embodiments, the NAS device may decrypt the local code before sending it to the client. In various embodiments, the NAS device may encrypt the received local code for transmission to the client. This may be performed on either an unencrypted or an encrypted local code, in the latter case adding another layer of encryption.

FIG. 5 is a flow diagram illustrating a process 500 for authorizing a connection between a client on a local network and a NAS device in accordance with one or more embodiments. Process 500 may be implemented at least in part by a cloud service communicatively coupled to a client and NAS device over a wide area network. Thus, for ease of description, process 500 is described herein as being performed by a cloud service. The process 500 allows the cloud service to maintain device associations in a centralized and/or distributed computing environment rather than on a single NAS device. This allows the cloud service to authorize device attachment to clients that may not be known to the NAS device, such as a paid account that provides access to the NAS device.

At block 502, the cloud service receives a request for a local code from a NAS device. At block 504, the cloud service generates a local code associated with the requesting NAS device. The local code is uniquely associated with the NAS device requesting it. The local code may be generated using an algorithm that combines a device identifier (e.g., a MAC address, a device ID, a serial number, a hash of one or more hardware component identifiers, etc.) of the NAS device with a time-related value, such as a timestamp, a random number, and so forth. The resulting local code may be unique and difficult or impossible to counterfeit.

At block 506, the cloud service sends the local code to the NAS device. Prior to sending the local code, the cloud service may encrypt it using symmetric (e.g., AES encryption) or asymmetric encryption.

At block 508, the cloud service receives an attach request from the client. The attach request includes the local code and the target NAS device. At block 510, the cloud service verifies the local code by comparing it to the local code generated for the target NAS device. In some embodiments, the cloud service decrypts the local code received from the client before verifying it. If the local code is verified, the cloud service authorizes the connection between the client and the NAS device at block 512. If the local code does not match the local code generated for the target NAS device, the cloud service denies the attach request at block 514.
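The NAS-side locality check of block 404 and the cloud-side issue-and-verify logic of process 500 can be sketched as follows. This is an added example, not code from the patent: the subnet, the freshness window `CODE_TTL`, the single-use policy and all names are assumptions, and the optional encryption step is omitted.

```python
import hmac
import ipaddress
import secrets
import time

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed subnet of LAN 221 (constructed)
CODE_TTL = 120  # assumed freshness window in seconds; the page sets none


def nas_accepts(source_ip):
    """Block 404: the NAS forwards a request only if it came from the local network."""
    return ipaddress.ip_address(source_ip) in LOCAL_NET


class CloudService:
    """Blocks 502-514: issue one local code per NAS, then verify it on attach."""

    def __init__(self):
        self._issued = {}  # device_id -> (code, issued_at): the stored copy

    def issue(self, device_id, now=None):
        now = time.time() if now is None else now
        # Device ID concatenated with a timestamp and a 128-bit random value,
        # so knowing the ID and the time is not enough to rebuild the code.
        code = f"{device_id}|{int(now)}|{secrets.token_hex(16)}"
        self._issued[device_id] = (code, now)
        return code

    def attach(self, device_id, code, now=None):
        now = time.time() if now is None else now
        stored = self._issued.get(device_id)
        if stored is None:
            return False  # block 514: no code was generated for this target
        expected, issued_at = stored
        if now - issued_at > CODE_TTL:
            del self._issued[device_id]
            return False  # assumed policy: stale codes are refused
        # Constant-time comparison against the copy generated for the target NAS.
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False  # block 514: mismatch
        del self._issued[device_id]  # assumed policy: a code is single use
        return True  # block 512: connection authorized
```

Because the cloud service verifies against its stored copy, a code presented for a different target NAS, a replayed code, or one rebuilt from the device ID and timestamp alone is denied.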

Additional embodiments

Those skilled in the art will appreciate that other types of concurrent file modification systems may be implemented in some embodiments while remaining within the scope of the present disclosure. Moreover, the actual steps taken in the processes described herein may differ from those described or illustrated in the figures. According to an embodiment, some of the above steps may be removed and other steps may be added.

While certain embodiments have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of protection. Indeed, the novel methods and systems described herein may be embodied in a variety of other forms. Furthermore, various omissions, substitutions and changes in the form of the methods and systems described herein may be made. The accompanying claims and their equivalents are intended to cover such forms or modifications as would fall within the scope and spirit of the inventions. For example, the various components shown in the figures may be implemented as software and/or firmware on a processor, ASIC/FPGA, or dedicated hardware. Moreover, the features and attributes of the specific embodiments disclosed above may be combined in different ways to form additional embodiments, all of which fall within the scope of the present disclosure. While the present disclosure provides certain preferred embodiments and applications, other embodiments that are apparent to those of ordinary skill in the art, including embodiments that do not provide all of the features and advantages described herein, are also within the scope of the present disclosure. Accordingly, the scope of the disclosure is intended to be limited only by reference to the appended claims.

All of the processes described above may be embodied in software code modules executed by one or more general purpose or special purpose computers or processors and are fully automated. The code modules may be stored on any type of computer-readable medium or other computer storage device or collection of storage devices. Some or all of the methods may alternatively be embodied in dedicated computer hardware.
