[go: up one dir, main page]

WO2025163233A1 - Method and system for storing data based on geographical regions - Google Patents

Method and system for storing data based on geographical regions

Info

Publication number
WO2025163233A1
WO2025163233A1 PCT/FI2024/050038 FI2024050038W WO2025163233A1 WO 2025163233 A1 WO2025163233 A1 WO 2025163233A1 FI 2024050038 W FI2024050038 W FI 2024050038W WO 2025163233 A1 WO2025163233 A1 WO 2025163233A1
Authority
WO
WIPO (PCT)
Prior art keywords
platform component
geographic region
technology platform
operational technology
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/FI2024/050038
Other languages
French (fr)
Inventor
Teemu Turpeinen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tosibox Oy
Original Assignee
Tosibox Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tosibox Oy filed Critical Tosibox Oy
Priority to PCT/FI2024/050038 priority Critical patent/WO2025163233A1/en
Publication of WO2025163233A1 publication Critical patent/WO2025163233A1/en
Pending legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/52Network services specially adapted for the location of the user terminal
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/29Geographical information databases
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Definitions

  • the present disclosure relates to method for storing data based on geographical regions. Moreover, the present disclosure relates to a system for storing data based on geographical regions.
  • CDN Content Deliver Network
  • the aim of the present disclosure is to provide methods and systems for storing data based on geographical regions, to enhance the scalability of storing data while complying with data privacy laws.
  • the aim of the present disclosure is achieved by methods and systems for storing data based on geographical regions as defined in the appended independent claims to which reference is made to.
  • Advantageous features are set out in the appended dependent claims.
  • FIG. 1 is a flowchart illustrating steps of a method for storing data, in accordance with an embodiment of the present disclosure.
  • FIG. 2 illustrates a block diagram of an architecture of a system for storing data, in accordance with an embodiment of the present disclosure
  • FIGs. 3A, 3B, 3C and 3D illustrate sequence diagrams illustrating steps of operation of a system for storing data, in accordance with various embodiments of the present disclosure
  • FIG. 4 illustrates a sequence diagram illustrating a system for resolving geographic region of use of another operational technology platform component, in accordance with an embodiment of the present disclosure.
  • FIG. 5 illustrates an exemplary sequence diagram illustrating storing of information of an operational technology platform component in a global directory index, in accordance with an embodiment of the present disclosure.
  • the present disclosure provides a method for storing data the method comprising: receiving, at a main server, a first communication indicative of one of: a default geographic region, at least one target geographic region, of use of an operational technology platform component whose data is to be stored; storing information indicative of the one of: the default geographic region, the at least one target geographic region, of use of the operational technology platform component, at a global directory index managed by the main server; and provisioning the operational technology platform component to a regional server which manages data storage in a data repository located in the one of: the default geographic region, the at least one target geographic region, wherein upon said provisioning, the data of the operational technology platform component is stored by the regional server at the data repository.
  • the present disclosure provides a system for storing data, the system comprising a main server that is communicably coupled to an operational technology platform component whose data is to be stored, and to a plurality of regional servers that are physically located in a plurality of geographical regions, wherein the main server is configured to: receive a first communication indicative of one of: a default geographic region, at least one target geographic region, of use of the operational technology platform component whose data is to be stored; store information indicative of the one of: the default geographic region, the at least one target geographic region, of use of the operational technology platform component, at a global directory index managed by the main server; and provision the operational technology platform component to a regional server which manages data storage in a data repository located in the one of: the default geographic region, the at least one target geographic region, the regional server being selected from amongst the plurality of regional servers, wherein upon said provisioning, the data of the operational technology platform component is stored by the regional server at the data repository.
  • the present disclosure provides the aforementioned first aspect and the aforementioned second aspect, wherein the present disclosure provides a world-wide service to store data associated with an operational technology (OT) platform component, while complying with legal requirements of jurisdictions of geographical regions.
  • the information about one of: the default geographic region, the at least one target geographic region, of use of the OT platform component, at the global directory index managed by the main server provides a reference which is centrally managed by the main server.
  • the data storage is performed in a distributed manner across a plurality of regional servers, wherein the regional server is selected by a user.
  • the method is scalable, allowing for the provisioning of the OT platform component to the plurality of regional servers.
  • the method works synergistically by combining the global directory index, which centralizes information about the geographic regions, with regional data repositories managed by the regional servers.
  • the term "main server” refers to a structure and/or a module that includes programmable and/or non- programmable components that manages and coordinates various operations of the OT platform component. Examples of such operations may include, but are not limited to, sharing, processing, and storing, data for the OT platform component.
  • the main server includes any arrangement of physical or virtual computational entities capable of enhancing information to perform various computational tasks.
  • the main server may be a single hardware server and/or a plurality of hardware servers operating in a parallel or distributed architecture.
  • the server may include components such as memory, a processor, a network adapter, and the like, to store, process and/or share information with other computing components, such as user device/user equipment.
  • the server is implemented as a computer program that provides various services (such as database service) to other devices, modules or apparatus.
  • the term "operational technology platform component” refers to a specialised component used for at least one of: monitoring, managing, controlling, an equipment (for example, such as industrial equipment), wherein such specialised component operates in an OT network.
  • the OT platform component is one of: a device associated with an OT platform, or a software application associated with an OT platform.
  • the OT platform component when the OT platform component is the device associated with the OT platform, said device provides at least one of: connectivity, processing, managing, of the data essential for operations related to OT.
  • the term "device” refers to an electronic device associated with (or used by) a user that is capable of enabling the user to perform specific tasks.
  • the device is intended to be broadly interpreted to include any electronic device that may be used for voice and/or data communication over a wireless communication network. Examples of the device may include, but are not limited to, laptop computers, personal computers, cellular phones, personal digital assistants (PDAs), handheld devices, wireless modems, etc.
  • the OT platform component is the software application associated with the OT platform
  • said software application provides at least one of: connectivity, processing, managing, of the data essential for operations related to OT.
  • the term "software application” refers to a software program that is executed on the OT platform component, by employing a processor of such device.
  • the software application comprises a set of predefined functions therein that are programmed to provide instructions to hardware and/or software elements of said device.
  • the software application is configured to provide a user interface on the OT platform component, to allow the user to perform specific tasks associated with the aforementioned method.
  • the software application is affiliated with an organization. Hence, the software application could function in accordance with pre-programmed guidelines provided by the organization.
  • the software application is configured to function in accordance with the pre-programmed guidelines upon installation thereof.
  • the method further comprises: receiving, at the main server, a communication indicative of licence and activation information of the OT platform component whose data is to be stored; activating the OT platform component and assigning a license thereto; and sending, from the main server to the OT platform component, a communication indicative of the OT platform component being ready for provisioning.
  • the license and activation information of the OT platform component comprises at least one of: a licence key, an activation code, which is required to authorize a user of the OT platform component.
  • the main server Based on the license and activation information received, the main server initiates a process of activating the OT platform component.
  • activating the OT platform component and assigning the license ensures that the OT platform component is legally licensed to operate. Thereafter, the main server sends the communication to the OT platform component to notify that the OT platform component is ready for provisioning.
  • first communication refers to information sent from the OT platform component to the main server to convey where the OT platform component wants to store the data.
  • the first communication comprises at least one message.
  • the first communication is sent through a communication protocol that connects the main server to the OT platform component.
  • This communication protocol could be Hypertext Transfer Protocol (HTTP), WebSocket or another communication protocol depending on the architecture and requirements of the system.
  • the first communication is received from a software application managing manufacturing and/or serialization of the OT platform component, wherein the first communication indicates the default geographic region for which the OT platform component is manufactured and/or serialized.
  • the first communication is received from the OT platform component or a user device that manages the OT platform component, wherein the first communication indicates the at least one target geographic region.
  • the term "default geographic region” refers to a pre-defined region or default region where the OT platform component is configured to be used initially.
  • the term "at least one target geographic region” refers to one or more specific geographic regions where the OT platform component intends to store the data.
  • a geographic region of the OT platform component may be European Union (EU).
  • EU European Union
  • the first communication may indicate the default geographic region, i.e., EU.
  • the first communication may indicate at least one target geographic region, wherein the at least one target geographic region may be United States of America (USA).
  • the first communication is also indicative of whether the data comprises sensitive data, when the first communication indicates that the data comprises the sensitive data, the at least one target geographic region comprises a single target geographic region.
  • the term "sensitive data" refers to confidential information related to a user or an organization, that is at least one of: stored, processed, managed, accessed, only by an authorized entity.
  • the sensitive data comprises at least one of: personally identifiable data (for example, such as, names, addresses, email addresses, social security numbers, phone numbers), confidential government data, financial information (for example, such as credit card numbers, bank account details, financial statements), and authentication data (for example, such as usernames, passwords, security questions), a confidential entity data (the entity could be any entity, i.e., a person, a company, a financial institution, and the like).
  • the term "single target geographic region” refers to a specific geographical region that has been designated as the only destination for provisioning the OT platform component when the data is identified to be sensitive data.
  • the OT platform component that is provisioned is restricted to the single target geographic region, to prevent exposing the sensitive data to any server of a different geographical region.
  • the provisioning of the OT platform component is restricted in such a manner due to data privacy laws of the single geographic region (for example, such as General Data Protection Regulation (GDPR) in the European Union, State data privacy protection laws of United States of America (USA)) having strict requirements regarding residency of the sensitive data.
  • GDPR General Data Protection Regulation
  • a technical effect of restricting the provisioning of the OT platform component to the single geographic region is that it ensures compliance with the data privacy laws by keeping the sensitive data within the legal or regulatory boundaries of the single geographic region.
  • the at least one target geographic region comprises one of a single target geographic region, a plurality of target geographic regions.
  • the OT platform component is provisioned simultaneously to the plurality of target geographic regions. This means that non-sensitive data can be stored at one or more target geographic regions.
  • the term "global directory index” refers to a centralized and comprehensive database managed by the main server, wherein the global directory index is used for storing and/or organizing information related to the one of: the default geographic regions, at least one target geographic region, of the use of the OT platform components.
  • the database refers to a structured and organized collection of data that is stored and managed on the main server.
  • the global directory index comprises at least an amount of data required for knowing whereabouts of the OT platform component, to make the OT platform component fully compliant with local data privacy laws.
  • the global directory index comprises mapping of the OT platform component with the one of: the default geographical region, the at least one geographical region (i.e., a destination) of the data of the OT platform component.
  • the global directory index may be in a form of a table, a list, an infographic, and similar.
  • the term "regional server” refers to a region-specific structure and/or a region-specific module that includes programmable and/or non-programmable components that manages and coordinates various operations of the operational technology (OT) platform component.
  • the regional server is communicably coupled with the main server. This coupling enables the main server to coordinate provisioning of the OT platform component to the regional server and to manage the overall distribution of data of the OT platform component.
  • the regional server is selected from amongst a plurality of regional servers that are physically located in a plurality of geographical regions. The communication between the main server and the regional server is established through the communication protocol (as described in detail above).
  • provision refers to a process of preparing and configuring at least one of: resources, services, components, to make them available and operational when the regional server is in use.
  • provisioning the OT platform component to the regional server can be performed in various manners, which will be described in detail later.
  • the term "data repository” refers to hardware, software, firmware, or a combination of these for storing a given information in an organized (namely, structured) manner, thereby, allowing for easy storage, access (namely, retrieval), updating and analysis of the data.
  • the data repository may be implemented as a memory of the system, a removable memory, a cloud-based database, or similar.
  • the data repository can be implemented as one or more storage devices. A technical advantage of using the data repository is that it provides an ease of storage and access of processing the input data, as well as processing outputs.
  • the provisioning of the OT platform component to the regional server is performed based on information stored in the global directory index.
  • an appropriate location for storing the data of the OT platform component is determined based on the location of the data repository, which can be one of: the default geographic region, the at least one target geographic region.
  • the main server communicates with the regional server which is responsible for managing the storing data, wherein such communication includes details about the OT platform component and the intent to provision it to the data repository of the appropriate location.
  • the regional server confirms the successful provisioning. Then, the data of the OT platform component is stored in the data repository of the regional server.
  • a technical effect of provisioning the OT platform component in such a manner is that it facilitates a distributed and region-specific approach of storing the data of the OT platform component.
  • the method improves scalability of the system, and also enables efficient data management.
  • the method further comprises: generating a prompt for receiving a user input indicative of the at least one target geographic region; and providing the prompt at the operational technology platform component or a user device that manages the operational technology platform component, wherein the first communication comprises the user input.
  • the term "prompt” refers to a command or a message that the main server is configured to ask a user associated with a user device that manages the OT platform component or the OT platform component regarding the at least one target geographic region, when the main server has activated the OT platform component and assigned a license thereto.
  • the prompt may include, but are not limited to, a textual prompt, a graphical prompt, and a visual prompt.
  • user input refers to an information provided by the user in response to the generated prompt.
  • the user input indicates the at least one target geographic region as preferred by the user.
  • the term "user device” refers to a hardware device used by the user to interact with or manage the OT platform component.
  • Examples of user device includes a desktop, a laptop, and a smart phone.
  • the user input indicative of the at least one target geographic region is comprised in the first communication which is sent from the main server to the OT platform component or the user device that manages the OT platform component.
  • a technical effect of generating and providing the prompt in such a manner is to enable the user associated with associated with a user device that manages the OT platform component or the OT platform component to select a geographical region as per requirement.
  • the first communication comprises a set of rules based on which the at least one target geographic region is to be determined, and wherein the method further comprises determining the at least one target geographic region based on the set of rules.
  • the set of rules are conditions used to determine the at least one target geographic region while provisioning the OT platform component to the regional server.
  • at least one rule amongst the set of rules is based on the at least one of a data privacy rule, a data privacy regulation, the data privacy law, in the at least one target geographic region.
  • the set of rules can also be used to automatically determine the at least one target geographic region without requiring the user input.
  • the OT platform component when the OT platform component is available for only the geographical region, and this information is available in the global directory index, the OT platform component is automatically provisioned to that geographical region.
  • the set of rules can be defined by the user associated with the OT platform component, wherein the provisioning of the OT platform component is performed based on the set of rules defined by the user.
  • At least one rule amongst the set of rules is based on at least one organizational policy that is applicable to the OT platform component.
  • the organization policies are guidelines and/or rules set by the organization to govern its operations, including how the OT platform component shall be configured.
  • the system configures the OT platform component to store data in such geographic regions that complies with local data residency laws and local industry standards.
  • an organizational policy may be, "Data related to sensitive industrial processes must be stored in such geographic regions with the highest level of security protocols".
  • an OT platform component may be already linked with another platform component. There may be a rule in the set of rules to provision the OT platform component to a same geographic region as that of the linked component.
  • a technical effect of determining the at least one target geographic region based on the set of rules is to make the system adaptable and customizable while selecting the geographical region to store the data of the OT platform component.
  • the method further comprises selecting at least one target geographic region during initialization of the OT platform component.
  • the step of provisioning the operational technology platform component to the regional server comprises: sending a request from the main server to the regional server, for initializing provisioning the operational technology platform component to the regional server; receiving, at the main server from the regional server, a second communication indicative of successful provisioning of the operational technology platform component to the regional server; and sending, from the main server to the operational technology platform component, a third communication indicative of the second communication and information of the regional server, wherein when the third communication is received at the operational technology platform component, a communication coupling between the operational technology platform component and the regional server is established.
  • the term "request” refers to an initiation message sent from the main server to notify the regional server to initiate the process of provisioning the OT platform component.
  • the request is sent to prepare and configure the OT platform component for use within a domain of the regional server.
  • the term “second communication” refers to at least a follow-up message which signals that provisioning the OT platform component to the regional server has been successful. The second communication is important for the main server to acknowledge that the OT platform component is configured and ready to be communicably coupled with the regional server.
  • the “third communication” conveys details about the second communication, and information about the regional server. Such information about the regional server may include, but is not limited to, an identification information, a location, a network configuration, and an operational status.
  • the OT platform component configures its communication parameters, which may involve, but are not limited to, setting up network configurations, setting up authentication credentials, setting up the communication protocol.
  • the OT platform component initiates connecting to the regional server to establish the communication coupling between the OT platform component and the regional server.
  • the communication coupling is achieved by establishing a network connection, for example, such as a secure socket connection.
  • the OT platform component and the regional server performs a first handshake to ensure mutual recognition and authentication between the OT platform component and the regional server. This opens a communication channel between the OT platform component and the regional server.
  • the communication channel allows an exchange of data between the OT platform component and the regional server.
  • a technical effect of provision the OT platform component to the regional server is that it facilitates successful setup of the OT platform component to the regional server of one of: the default geographic region, the at least one target geographic region, to store data therein.
  • this provides a structured and automated approach to provisioning, thereby reducing errors while streamlining the provisioning. This is particularly advantageous while scaling, i.e., in large-scale systems where multiple OT platform components need to be provisioned across different regional servers.
  • the communication channel between the main server and the regional server is encrypted, and wherein end-to-end encrypted payloads are communicated across the communication channel.
  • the communication channel is encrypted to ensure that said communication channel is protected and is not vulnerable to any attacks when any communication occurs between the main server and the regional server using the communication channel.
  • payload refers to actual information and/or data being shared between the main server and the regional server.
  • end-to-end encrypted payload refers to the information and/or data being encrypted and transmitted from any one of the main server or the regional server, to be decrypted by another one of the regional server or the main server.
  • the information and/or data is encrypted into a format that is unreadable without an appropriate decryption key.
  • a pair of public key and private key may be generated, wherein the public key is used for encryption and the private key is used for decryption.
  • a technical effect of encrypting the communication channel in such a manner is that ensures confidentiality of the information and/or data throughout its transmission in the communication channel.
  • the method further comprises: receiving, at the main server, a fourth communication indicative of a new geographic region of use of the operational technology platform component; storing information indicative of the new geographic region of use of the operational technology platform component, at the global directory index; and provisioning the operational technology platform component to a new regional server which manages data storage in a new data repository located in the new geographic region, wherein upon said provisioning, at least a portion of the data of the operational technology platform component is stored by the new regional server at the new data repository.
  • the OT platform component is used to store data at the new geographic region.
  • the new geographic region is different from one of: the default geographic region, the at least one target geographic region.
  • the term "fourth communication" refers to information sent from the OT platform component to the main server to convey where the OT platform component wants to store the data additionally.
  • the fourth communication may indicate a new geographic region, i.e., Asia.
  • the global directory index is updated to reflect the new geographic region of use of the OT platform component.
  • This global directory index could be updated by any one of: removing old information indicative of the at least one target geographical region with the new geographic region of use of the OT platform component, adding the information of the new geographic region of use of the OT platform component as a list.
  • the main server maintains an accurate record of the new geographic region of use of the OT platform component.
  • the global directory index is structured in such a manner that information related to different geographic regions of multiple OT platform components are available.
  • the main server may authenticate the information received, to ensure validity and integrity of said information. This ensures prevention of any unauthorized changes or inaccuracies in the stored information.
  • the main server performs an update operation on the global directory index, replacing the information related to the OT platform component with the new details indicating the changed geographic region.
  • the new regional server is located in the new geographic region, wherein the new regional server manages data storage of the OT platform component in the new data repository.
  • the new regional server processes information received from the main server and sends a response to the main server of successful provisioning of the OT platform component, thus communicably coupling the main server with the new regional server.
  • the method further comprises: receiving, at the main server, another communication indicative of the licence and the activation information of the operational technology platform component whose data is to be stored at the new data repository of the new regional server; activating the operational technology platform component and assigning a license thereto; and sending, from the main server to the operational technology platform component, another communication indicative of the operational technology platform component being ready for provisioning.
  • the OT platform component Upon successful provisioning the OT platform component transmits at least a portion of the data to be stored at the new data repository of the new regional server at the new geographical location.
  • the OT platform component and the regional server performs a second handshake to ensure mutual recognition and authentication between the OT platform component and the new regional server.
  • the communication channel allows an exchange of data between the OT platform component and the regional server.
  • a technical effect of provisioning the at least one a portion of the data in such a manner is that it enables adjusting the OT platform component dynamically. Beneficially, this provides an efficient management of the OT platform component with respect to changing operational needs of the user and/or organization.
  • the fourth communication is also indicative of whether the operational technology platform component is to be de-provisioned from the regional server, wherein when the fourth communication indicates that the operational technology platform component is to be deprovisioned from the regional server, the method further comprises: removing information indicative of a previously-provisioned geographic region of use of the operational technology platform component from the global directory index; and enabling transfer of an entirety of the data of the operational technology platform component from a data repository located in the previously-provisioned geographic region to the new data repository.
  • the OT platform component is to be de-provisioned from the regional server.
  • the regional server located at a previously-provisioned geographic region is removed and not used by the OT platform component.
  • the term "previously-provisioned geographic region” encompasses namely the default geographic region and/or the at least one target geographic region.
  • the main server upon receiving the fourth communication from the OT platform component, updates the global directory index by removing a mapping of the OT platform component with the previously-provisioned geographic region of use of the OT platform component. Thereafter, the entirety of the data is transferred to the new data repository as the regional server at the previously-provisioned geographic region is no longer used by the OT platform component.
  • the phrase "entirety of the data” refers to a complete data related to the OT platform component. This ensures that the entirety of the data of the OT platform component is preserved in the new data repository of the new regional server, as it was preserved in the data repository of the regional server.
  • a technical effect of deprovisioning the OT platform component from the regional server in such a manner is that it enables maintaining integrity of the data and ensures that the data of the OT platform component remains accessible and available even after de-provisioning the data of the OT platform component from the regional server.
  • the fourth communication when the fourth communication indicates that the operational technology platform component is not to be de-provisioned from the regional server, the fourth communication also indicates whether the new geographic region is a primary region or a secondary region, and wherein the method further comprises: when the new geographic region is the primary region, enabling transfer of an entirety of the data of the operational technology platform component from a data repository located in a previously-provisioned geographic region to the new data repository, while retaining only basic component information from amongst the data of the operational technology platform component, at the data repository located in the previously-provisioned region; or when the new geographic region is the secondary region, enabling transfer of basic component information from amongst the data of the operational technology platform component, from a data repository located in a previously-provisioned geographic region to the new data repository.
  • the term "primary region” refers to the new geographic region when the OT platform component primarily intends to store the data at the new data repository located at the new geographic region.
  • the term “secondary region” refers to the new geographic region when the OT platform component primarily intends to store the data at the data repository located at the previously-provisioned geographic region. The primary and secondary regions are selected based on requirements of the OT platform component.
  • the fourth communication indicates that the OT platform component is not to be de-provisioned from the regional server, and also indicates that the new geographic region is the primary region.
  • the new geographic region for storing at least a portion of the data of the OT platform component is to be added, and when the new geographic region is the primary region, the entirety of the data is transferred to the new data repository.
  • the basic component information from amongst the data of the OT platform component is retained at the data repository of the regional server located at the previously-provisioned geographic region to ensure availability of the data in case of any changes, or modifications.
  • the basic component information comprises at least one of: certificate common name, certificate, timestamps, local serialisation, an identifier, a type, a version information, a configuration information, a public key, a serial number of the OT platform component.
  • the fourth communication indicates that the OT platform component is not to be de-provisioned from the regional server, and also indicates that the new geographic region is the secondary region.
  • the new geographic region for storing at least a portion of the data of the OT platform component is to be added, and when the new geographic region is the secondary region, the entirety of the data is retained at the data repository located at the previously- provisioned geographic region.
  • the basic component information from amongst the data of the OT platform component is transferred to the new data repository of the new regional server located at the new geographic region to ensure availability of the data in case of any changes, or modifications.
  • a technical effect of not de-provisioning the OT platform component from the regional server in such a manner is that it provides a flexible mechanism for managing the data associated with the OT platform component based on a preference of where the user wants to store the data. Beneficially, this facilitates customized data management strategies, ensuring efficient and selective transfer of information depending on the importance of the geographic regions in the overall OT platform component.
  • the method further comprises: receiving, at the main server, a fifth communication indicative of another operational technology platform component whose geographic region of use is to be resolved, from the operational technology platform component; identifying the geographic region of use of the another operational technology platform component, using the global directory index; and sending, from the main server to the operational technology platform component, a sixth communication indicative of the geographic region of use of the another operational technology platform component.
  • the term "fifth communication" refers an information sent from the OT platform component to the main server, in order to resolve (i.e., determine or identify) the geographic region of use of the another OT platform component.
  • the another OT platform component is different from the OT platform component.
  • the another OT platform component could belong to a same user and/or organization or to a different user and/or organization, to which the OT platform component belongs.
  • database structure technique is used to determine the geographic region of use of the another OT platform component.
  • the global directory index is used as a reference to identify the geographic region of use for the another OT platform component.
  • the database structure technique involves mapping addresses, for example, such as Internet Protocol (IP) addresses, to several geographical regions to identify the geographic region associated with the another OT platform component.
  • IP Internet Protocol
  • the term "sixth communication" refers to a response sent by the main server to the OT platform component, indicating that the geographic region of use for the another OT platform component has been resolved.
  • identification of the geographic region of use for the another OT platform component ensures compliance, optimization, security, and efficient resource management in various industries.
  • an information stored which may be indicative of a geographical region of use of the OT platform component.
  • an OT platform component #ID001 may store data in a regional server of North America
  • an OT platform component #ID002 may store data in a regional server of Europe
  • an OT platform component #ID003 may store data in a regional server of Asia.
  • the main server may receive a fifth communication from the OT platform component #ID001.
  • the fifth communication may be indicative of the OT platform component #ID002, whose geographic region of use is to be resolved. Based on the fifth communication received, the geographic region of use of the OT platform component #ID002 may be identified to be in Europe.
  • a technical effect of determining the geographical region of another OT platform component is to manage and coordinate the geographic regions associated with different OT platform components i.e., the OT platform component and the another OT platform component.
  • the method further comprises routing at least one message between two regional servers, using the global directory index.
  • routing refers to directing at least one message between two regional servers.
  • the at least one message is routed between the two regional servers to provide a collaborative environment, when the system is optionally a distributed system.
  • the two regional servers could be located at two different geographical regions, but used by the same user and/or organization.
  • the global directory index also includes information of all regional servers to which the main server is connected. Hence, routing is done based on this information.
  • routing at least one message between the two regional servers improves efficiency as redundancy of data is reduced. Hence, such routing improves a responsiveness of the system, due to reduced processing requirements.
  • routing the at least one message between the two regional servers facilitates in coordinating the two regional servers with each other. For example, if one regional server experiences issues, at least one message may be sent to another regional server to avoid facing a same issue.
  • a technical effect of utilizing the global directory index to route the at least one message between the two regional servers in such a manner is to enable effective coordination of operations between different OT platform components in the system.
  • the method further comprises enabling communication between at least one external regional server and an operational technology platform to which the operational technology platform component is connected, via the main server.
  • the "external regional server” refers to another server that is not originally communicably coupled with the OT platform component, which is connected to an OT platform, but is associated with one of: the default geographic region, the at least one target geographic region, of use of the OT platform component.
  • the OT platform is a central platform that manages various OT platform components and serves as a hub for coordinating activities within the system.
  • the communication between the at least one external regional server and the OT platform is enabled by establishing secure communication channels between the at least one external regional server and the OT platform.
  • Such communication indicates that there is a capability for bidirectional communication between the at least one external regional server and the OT platform.
  • a technical effect of enabling communication between the at least one external regional server and the OT platform to which the OT platform component is connected is that it enables improving the scalability of the system, which enhances an overall integration of the OT platform with the at least one external regional server.
  • the method further comprises enabling the main server for providing a functionality related to a certificate authority, or for connecting to an external certificate authority.
  • certificate authority refers to an entity responsible for issuing and managing digital certificates, which are used to secure communications, via the main server.
  • external certificate authority refers to an independent trusted entity that issues digital certificates but is not communicably coupled with the main server.
  • the main server is capable of providing the functionality related to the certificate authority, including tasks such as issuing digital certificates and ensuring secure communication within the OT platform. It will be appreciated that the digital certificates are essential in verifying the authenticity of entities involved in communication and enables encryption of data during transmission, thus protecting the data from unauthorized access.
  • the certificate authority follows a particular procedure to generate digital certificates to verify an identity of the entity requesting a certificate.
  • This particular procedure may involve, but is not limited to, checking domain ownership, confirming legal identity of an organization, matching public key included in a digital certificate with a private key secured by the certificate authority.
  • the main server is configured to connect to the external certificate authority, to interact with the external certificate authority for managing and issuing digital certificates.
  • connecting the main server to the external certificate authority provides flexibility in choosing a different certificate authority than a default certificate authority, as the user and/or the organization may prefer to use their own internal certificate authority while others may opt for the external certificate authority to comply with industry standards and regulations.
  • a security and integrity of the OT platform component is based on a Trust Chain, which is often referred to as a Public Key Infrastructure (PKI), in which a defined Certificate Authority (CA) is a root of trust for all entities.
  • PKI Public Key Infrastructure
  • CA Certificate Authority
  • the Certificate Authority is managed by the OT platform component, and all certificates for any entity connected to the OT platform are signed by a certificate authority managed by the OT platform.
  • at least one of: a customer, a partner, a third party might want to secure their OT platform with their own PKI, wherein a root of the Certificate Authority is from their internal PKI or from a trusted external Certificate Authority.
  • an external application programming interface (API) of the external certificate authority is provided with a functionality of the certificate authority in the main server. This would allow the main server to manage all certificates internally, while still keeping the PKI internal.
  • API application programming interface
  • a technical effect for providing a functionality related to a certificate authority, or for connecting to an external certificate authority enables enhancing security infrastructure of the system, by establishing a trust within the system by providing digital certificates, and thereby reducing a risk of being vulnerable during attacks.
  • the present disclosure also relates to the aforementioned second aspect as described above.
  • the system further comprises a plurality of regional servers that are physically located in a plurality of geographical regions.
  • the main server is communicably coupled to the plurality of regional servers.
  • the operational technology platform component is one of: a device associated with an operational technology platform, or a software application associated with an operational technology platform.
  • a communication channel between the main server and the plurality of regional servers is encrypted, and end-to-end encrypted payloads are communicated across the communication channel.
  • a first communication is received which is indicative of one of: a default geographic region, at least one target geographic region, of use of an operational technology platform component whose data is to be stored.
  • a global directory index managed by the main server information is stored which is indicative of the one of: the default geographic region, the at least one target geographic region, of use of the operational technology platform component.
  • the operational technology platform component to a regional server is provisioned which manages data storage in a data repository located in the one of: the default geographic region, the at least one target geographic region, wherein upon said provisioning, the data of the operational technology platform component is stored by the regional server at the data repository.
  • the system 200 comprises a main server 202 and an operational technology platform component 204.
  • the system 200 further comprises a plurality of regional servers (depicted as two regional servers 206A and 206B) that are physically located in a plurality of geographical regions.
  • the main server 202 is communicably coupled to the operational technology platform component 204 whose data is to be stored, and to the two regional servers 206A-B.
  • the main server 202 manages a global directory index 208, the regional server 206A manages data storage in a data repository 210A, and the regional server 206B manages data storage in a data repository 210B.
  • the main server 202 is configured to perform various operations, as described earlier with respect to the aforementioned second aspect.
  • FIG. 2 includes a simplified architecture of a system 200 for sake of clarity, which should not unduly limit the scope of the claims herein.
  • the person skilled in the art will recognize many variations, alternatives, and modifications of embodiments of the present disclosure.
  • the system 300 comprises a main server 302, an operational technology platform component 304 whose data is to be stored.
  • the system 300 further comprises a regional server 306A that is physically located in a geographical region.
  • the main server 302 is communicably coupled to the operational technology platform component 304 whose data is to be stored, and to the regional servers 306A.
  • the operational technology platform component 304 manages communication via an activation user interface 308, the main server manages communication via an application programming interface 310, and the regional server 306A manages communication via another application programming interface 312A.
  • the main server 302 receives a first connection request from the operational technology platform component 304.
  • the first connection request is indicative of licence and activation information of the operational technology platform component 304 whose data is to be stored.
  • the main server 302 activates the operational technology platform component 304 and assigns a license thereto.
  • the main server 302 sends a first response to the operational technology platform component 304.
  • the first response is indicative of the operational technology platform component 304 being ready for provisioning.
  • the operational technology platform component 304 selects one of: a default geographic region, at least one target geographic region, of use of an operational technology platform component 304 whose data is to be stored.
  • the main server 302 receives a first communication indicative of the one of: the default geographic region, the at least one target geographic region, of use of the operational technology platform component 304 whose data is to be stored, from the operational technology platform component 304.
  • steps 3.5, 3.6, 3.7, 3.9 and 3.10 illustrate a procedure of provisioning the operational technology platform component 304 to the regional server 306A which manages data storage in a data repository located in the one of: the default geographic region, the at least one target geographic region.
  • a request is sent from the main server 302 to the regional server 306A, for initializing provisioning the operational technology platform component 304 to the regional server 306A.
  • the regional server 306A performs necessary processing operations required for successful provisioning.
  • the main server 302 receives from the regional server 306A, a second communication indicative of successful provisioning of the operational technology platform component 304 to the regional server 306A.
  • step 3.8 information indicative of the one of: the default geographic region, the at least one target geographic region, of use of the operational technology platform component 304, is stored at a global directory index managed by the main server 302.
  • This step 3.8 could alternatively be performed prior to the step 3.5.
  • the main server 302 sends to the operational technology platform component 304, a third communication indicative of the second communication and information of the regional server 306A, wherein when the third communication is received at the operational technology platform component 304, a communication coupling between the operational technology platform component 304 and the regional server 306A is established.
  • the regional server 306A and the operational technology platform component 304 performs a first handshake.
  • the system 300 further comprises a new regional server 306B.
  • the main server 302 is communicably coupled with the new regional server 306B.
  • the main server 302 receives a second connection request from the operational technology platform component 304.
  • the second connection request is indicative of the licence and the activation information of the operational technology platform component 304 whose data is to be stored.
  • the main server 302 activates the operational technology platform component 304 and assigns a license thereto.
  • the main server 302 sends a second response to the operational technology platform component 304.
  • the second response is indicative of the operational technology platform component 304 being ready for provisioning.
  • the operational technology platform component 304 selects a new geographic region of use of the operational technology platform component 304 whose data is to be stored.
  • the main server 302 receives a fourth communication indicative of the new geographic region of use of the operational technology platform component 304.
  • the fourth communication is also indicative of whether the operational technology platform component 304 is to be de-provisioned or not from the regional server 306A.
  • an information indicative of the new geographic region of use of the operational technology platform component 304 is stored at the global directory index managed by the main server 302.
  • steps 3.16, 3.17, 3.18, 3.19, 3.20, and 3.21 illustrate a procedure of provisioning the operational technology platform component 304 to the regional server 306B (which is the new regional server for the operational technology platform component 304), which manages data storage in a new data repository located in the new geographic region.
  • a request is sent from the main server 302 to the regional server 306B, for initializing provisioning the operational technology platform component 304 to the regional server 306B.
  • the regional server 306B performs necessary processing operations required for successful provisioning, wherein upon said provisioning, at least a portion of the data of the operational technology platform component 304 is stored by the regional server 306B at the new data repository.
  • the fourth communication may indicate that the operational technology platform component 304 is to be de-provisioned from the regional server 306A.
  • the main server 302 removes information indicative of a previously-provisioned geographic region of use of the operational technology platform component 304 from the global directory index. Subsequently, the main server 302 enables transfer of an entirety of the data of the operational technology platform component 304 from a data repository located in the previously- provisioned geographic region to the new data repository.
  • the regional server 306A transfers entirety of the data of the operational technology platform component 304 from the data repository located in the previously-provisioned geographic region to the new data repository of the regional server 306B.
  • the fourth communication may indicate that the operational technology platform component 304 is not to be de-provisioned from the regional server 306A.
  • the fourth communication also indicates whether the new geographic region is a primary region or a secondary region.
  • the main server 302 enables transfer of an entirety of the data of the operational technology platform component 304 from a data repository located in a previously- provisioned geographic region to the new data repository, while retaining only basic component information from amongst the data of the operational technology platform component, at the data repository located in the previously-provisioned region.
  • the regional server 306A transfers the entirety of the data of the operational technology platform component 304 from a data repository located in a previously-provisioned geographic region to the new data repository, while retaining only basic component information (as indicated by a dashed arrow) from amongst the data of the operational technology platform component, at the data repository located in the previously- provisioned region.
  • the main server 302 when the new geographic region is the secondary region, the main server 302 enables transfer of basic component information from amongst the data of the operational technology platform component 304, from a data repository located in a previously-provisioned geographic region to the new data repository.
  • the regional server 306A will retain the entirety of the data of the operational technology platform component 304, and transfers only basic component information (as indicated by a dashed arrow) from amongst the data of the operational technology platform component 304 at the data repository located in the previously-provisioned region.
  • the new regional server 306B and the operational technology platform component 304 upon establishment of such communicable coupling, at step 3.22, performs a second handshake.
  • FIGs. 3A-3D are merely examples, which should not unduly limit the scope of the claims herein. A person skilled in the art will recognize many variations, alternatives, and modifications of embodiments of the present disclosure.
  • the system 400 comprises a main server 402, an operational technology platform component 404, and the another operational technology platform component 406.
  • the main server 402 is communicably coupled with the operational technology platform component 404 and the another operational technology platform component 406 whose geographic region of use is to be resolved.
  • the operational technology platform component 404 manages communication via an activation user interface 408, the another operational technology platform component 406 manages communication via another activation user interface 410, and the main server 402 manages communication via an application programming interface 412.
  • the main server 402 receives a third connection request from the operational technology platform component 404.
  • the third connection request is indicative of licence and activation information of the operational technology platform component 404.
  • the main server 402 activates the operational technology platform component 404 and assigns a license thereto.
  • the main server 402 sends a third response to the operational technology platform component 404.
  • the third response is indicative of the another operational technology platform component 406 being ready for provisioning.
  • the main server 402 receives a fifth communication indicative of the another operational technology platform component 406 whose geographic region of use is to be resolved, from the operational technology platform component 404.
  • the main server 402 identifies the geographic region of use of the another operational technology platform component 406, using the global directory index.
  • the main server 402 sends to the operational technology platform component 404, a sixth communication indicative of the geographic region of use of the another operational technology platform component 406.
  • FIG. 4 is merely an example, which should not unduly limit the scope of the claims herein. A person skilled in the art will recognize many variations, alternatives, and modifications of embodiments of the present disclosure.
  • FIG. 5 there is shown an exemplary sequence diagram illustrating storing of information of an operational technology platform component 502 in a global directory index 504, in accordance with an embodiment of the present disclosure.
  • the operational technology platform component 502 is one of: a device associated with the operational technology platform 502, or a software application associated with the operational technology platform 502.
  • the global directory index 504 manages communication regarding the storing of information via still another application programming interface 506.
  • the operational technology platform 502 sends the information to the global directory index 504.
  • the global directory index 504 sends a response indicative of an acknowledgement of receiving the information of the operational technology platform 502.
  • FIG. 5 is merely an example, which should not unduly limit the scope of the claims herein. A person skilled in the art will recognize many variations, alternatives, and modifications of embodiments of the present disclosure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Remote Sensing (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Disclosed is a method for storing data, wherein the method comprises: receiving at a main server (202, 302, 402), a first communication indicative of one of: a default geographic region, target geographic region(s), of use of an operational technology platform component (204, 304, 404, 502) whose data is to be stored; storing information indicative of the one of: the default geographic region, the target geographic region(s), of use of the operational technology platform component, at a global directory index (208, 504) managed by the main server; and provisioning the operational technology platform component to a regional server (206A, 306A) which manages data storage in a data repository (210A) located in the one of: the default geographic region, the target geographic region(s), wherein upon said provisioning, the data of the operational technology platform component is stored by the regional server at the data repository.

Description

METHOD AND SYSTEM FOR. STORING DATA BASED ON GEOGRAPHICAL
REGIONS
TECHNICAL FIELD
The present disclosure relates to method for storing data based on geographical regions. Moreover, the present disclosure relates to a system for storing data based on geographical regions.
BACKGROUND
Nowadays, due to increased dependence on information technology of individuals and organizations alike, information security is of great importance to maintain control over data. This data must be securely stored and made accessible to authorized parties to reduce any risk, like hacking, phishing, etc. Additionally, the data stored must comply with data privacy laws specific to a particular geographic region, which enables the individual and/or organizations to securely store their data to prevent unauthorized access. This involves implementing security measures to protect sensitive information from any threat.
However, various regulations, such as the General Data Protection Regulation (GDPR) in European Union (EU) and state data privacy laws in the United States of America (USA), mandate specific rules on how and when personally identifiable information (PII) can be stored outside the region where a user or an organization is primarily located. Conventionally, data has always been stored at data centre locations belonging to the particular geographical region. However, individuals and/or organisations outside the particular geographical region may have either internal or legislative requirements over the particular geographical region in which the data is stored. For example, if data has been stored in the USA, while the organization mainly operates in EU, the organization is controlled by privacy laws of EU. Existing methods utilized for storing data are associated with several limitations therein. Generally, certain services, for example Microsoft 365®, Google Workspace® allows the individual and/or the organisation to choose the particular geographical region to store the data. However, such services only allow for a single geographical region, which means that all of the data of the individual and/or the organisation must exist in same single geographical region. This impacts a scalability of such existing methods in terms of providing the information security to the data. Moreover, certain Content Deliver Network (CDN) type of solutions provide a similar functionality, but solutions are targeted for replicating the data to multiple geographical regions. Hence, there is a lack of flexibility in determining where data can be stored.
Therefore, in light of the foregoing discussion, there exists a need to overcome the aforementioned drawbacks.
SUMMARY
The aim of the present disclosure is to provide methods and systems for storing data based on geographical regions, to enhance the scalability of storing data while complying with data privacy laws. The aim of the present disclosure is achieved by methods and systems for storing data based on geographical regions as defined in the appended independent claims to which reference is made to. Advantageous features are set out in the appended dependent claims.
Throughout the description and claims of this specification, the words "comprise" , "include", "have", and "contain" and variations of these words, for example "comprising" and "comprises" , mean "including but not limited to", and do not exclude other components, items, integers or steps not explicitly disclosed also to be present. Moreover, the singular encompasses the plural unless the context otherwise requires. In particular, where the indefinite article is used, the specification is to be understood as contemplating plurality as well as singularity, unless the context requires otherwise.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a flowchart illustrating steps of a method for storing data, in accordance with an embodiment of the present disclosure.
FIG. 2 illustrates a block diagram of an architecture of a system for storing data, in accordance with an embodiment of the present disclosure;
FIGs. 3A, 3B, 3C and 3D illustrate sequence diagrams illustrating steps of operation of a system for storing data, in accordance with various embodiments of the present disclosure;
FIG. 4 illustrates a sequence diagram illustrating a system for resolving geographic region of use of another operational technology platform component, in accordance with an embodiment of the present disclosure; and
FIG. 5 illustrates an exemplary sequence diagram illustrating storing of information of an operational technology platform component in a global directory index, in accordance with an embodiment of the present disclosure.
DETAILED DESCRIPTION OF EMBODIMENTS
The following detailed description illustrates embodiments of the present disclosure and ways in which they can be implemented. Although some modes of carrying out the present disclosure have been disclosed, those skilled in the art would recognize that other embodiments for carrying out or practising the present disclosure are also possible. In a first aspect, the present disclosure provides a method for storing data the method comprising: receiving, at a main server, a first communication indicative of one of: a default geographic region, at least one target geographic region, of use of an operational technology platform component whose data is to be stored; storing information indicative of the one of: the default geographic region, the at least one target geographic region, of use of the operational technology platform component, at a global directory index managed by the main server; and provisioning the operational technology platform component to a regional server which manages data storage in a data repository located in the one of: the default geographic region, the at least one target geographic region, wherein upon said provisioning, the data of the operational technology platform component is stored by the regional server at the data repository.
In a second aspect, the present disclosure provides a system for storing data, the system comprising a main server that is communicably coupled to an operational technology platform component whose data is to be stored, and to a plurality of regional servers that are physically located in a plurality of geographical regions, wherein the main server is configured to: receive a first communication indicative of one of: a default geographic region, at least one target geographic region, of use of the operational technology platform component whose data is to be stored; store information indicative of the one of: the default geographic region, the at least one target geographic region, of use of the operational technology platform component, at a global directory index managed by the main server; and provision the operational technology platform component to a regional server which manages data storage in a data repository located in the one of: the default geographic region, the at least one target geographic region, the regional server being selected from amongst the plurality of regional servers, wherein upon said provisioning, the data of the operational technology platform component is stored by the regional server at the data repository.
The present disclosure provides the aforementioned first aspect and the aforementioned second aspect, wherein the present disclosure provides a world-wide service to store data associated with an operational technology (OT) platform component, while complying with legal requirements of jurisdictions of geographical regions. The information about one of: the default geographic region, the at least one target geographic region, of use of the OT platform component, at the global directory index managed by the main server provides a reference which is centrally managed by the main server. Herein, instead of having a single centralized location to store the data of the OT platform component, for the data storage is performed in a distributed manner across a plurality of regional servers, wherein the regional server is selected by a user. This improves a speed of accessing the data, by ensuring that the data is stored only at the data repository of the regional server which has been explicitly defined. Advantageously, the method is scalable, allowing for the provisioning of the OT platform component to the plurality of regional servers. The method works synergistically by combining the global directory index, which centralizes information about the geographic regions, with regional data repositories managed by the regional servers.
Throughout the present disclosure, the term "main server" refers to a structure and/or a module that includes programmable and/or non- programmable components that manages and coordinates various operations of the OT platform component. Examples of such operations may include, but are not limited to, sharing, processing, and storing, data for the OT platform component. Optionally, the main server includes any arrangement of physical or virtual computational entities capable of enhancing information to perform various computational tasks. Furthermore, it will be appreciated that the main server may be a single hardware server and/or a plurality of hardware servers operating in a parallel or distributed architecture. In an example, the server may include components such as memory, a processor, a network adapter, and the like, to store, process and/or share information with other computing components, such as user device/user equipment. Optionally, the server is implemented as a computer program that provides various services (such as database service) to other devices, modules or apparatus.
Throughout the present disclosure, the term "operational technology platform component" refers to a specialised component used for at least one of: monitoring, managing, controlling, an equipment (for example, such as industrial equipment), wherein such specialised component operates in an OT network. Optionally, the OT platform component is one of: a device associated with an OT platform, or a software application associated with an OT platform.
In an instance, when the OT platform component is the device associated with the OT platform, said device provides at least one of: connectivity, processing, managing, of the data essential for operations related to OT. Herein, the term "device" refers to an electronic device associated with (or used by) a user that is capable of enabling the user to perform specific tasks. Furthermore, the device is intended to be broadly interpreted to include any electronic device that may be used for voice and/or data communication over a wireless communication network. Examples of the device may include, but are not limited to, laptop computers, personal computers, cellular phones, personal digital assistants (PDAs), handheld devices, wireless modems, etc.
In another instance, when the OT platform component is the software application associated with the OT platform, said software application provides at least one of: connectivity, processing, managing, of the data essential for operations related to OT. Herein, the term "software application" refers to a software program that is executed on the OT platform component, by employing a processor of such device. The software application comprises a set of predefined functions therein that are programmed to provide instructions to hardware and/or software elements of said device. Optionally, the software application is configured to provide a user interface on the OT platform component, to allow the user to perform specific tasks associated with the aforementioned method. Optionally, the software application is affiliated with an organization. Hence, the software application could function in accordance with pre-programmed guidelines provided by the organization. The software application is configured to function in accordance with the pre-programmed guidelines upon installation thereof.
Optionally, the method further comprises: receiving, at the main server, a communication indicative of licence and activation information of the OT platform component whose data is to be stored; activating the OT platform component and assigning a license thereto; and sending, from the main server to the OT platform component, a communication indicative of the OT platform component being ready for provisioning.
Herein, the license and activation information of the OT platform component comprises at least one of: a licence key, an activation code, which is required to authorize a user of the OT platform component. Based on the license and activation information received, the main server initiates a process of activating the OT platform component. Herein, activating the OT platform component and assigning the license ensures that the OT platform component is legally licensed to operate. Thereafter, the main server sends the communication to the OT platform component to notify that the OT platform component is ready for provisioning.
Throughout the present disclosure, the term "first communication" refers to information sent from the OT platform component to the main server to convey where the OT platform component wants to store the data. Optionally, the first communication comprises at least one message. Optionally, the first communication is sent through a communication protocol that connects the main server to the OT platform component. This communication protocol could be Hypertext Transfer Protocol (HTTP), WebSocket or another communication protocol depending on the architecture and requirements of the system.
Optionally, the first communication is received from a software application managing manufacturing and/or serialization of the OT platform component, wherein the first communication indicates the default geographic region for which the OT platform component is manufactured and/or serialized. Alternatively, optionally, the first communication is received from the OT platform component or a user device that manages the OT platform component, wherein the first communication indicates the at least one target geographic region. Herein, the term "default geographic region" refers to a pre-defined region or default region where the OT platform component is configured to be used initially. The term "at least one target geographic region" refers to one or more specific geographic regions where the OT platform component intends to store the data. As a first example, a geographic region of the OT platform component may be European Union (EU). Hence, the first communication may indicate the default geographic region, i.e., EU. Alternatively, the first communication may indicate at least one target geographic region, wherein the at least one target geographic region may be United States of America (USA).
Optionally, the first communication is also indicative of whether the data comprises sensitive data, when the first communication indicates that the data comprises the sensitive data, the at least one target geographic region comprises a single target geographic region.
Throughout the present disclosure the term "sensitive data" refers to confidential information related to a user or an organization, that is at least one of: stored, processed, managed, accessed, only by an authorized entity. Herein, such authorized entity possesses proper permission and/or privileges to view the sensitive data. Optionally, the sensitive data comprises at least one of: personally identifiable data (for example, such as, names, addresses, email addresses, social security numbers, phone numbers), confidential government data, financial information (for example, such as credit card numbers, bank account details, financial statements), and authentication data (for example, such as usernames, passwords, security questions), a confidential entity data (the entity could be any entity, i.e., a person, a company, a financial institution, and the like). Notably, the term "single target geographic region" refers to a specific geographical region that has been designated as the only destination for provisioning the OT platform component when the data is identified to be sensitive data. In this regard, when the first communication indicates that the data comprises the sensitive data, the OT platform component that is provisioned is restricted to the single target geographic region, to prevent exposing the sensitive data to any server of a different geographical region. The provisioning of the OT platform component is restricted in such a manner due to data privacy laws of the single geographic region (for example, such as General Data Protection Regulation (GDPR) in the European Union, State data privacy protection laws of United States of America (USA)) having strict requirements regarding residency of the sensitive data. A technical effect of restricting the provisioning of the OT platform component to the single geographic region is that it ensures compliance with the data privacy laws by keeping the sensitive data within the legal or regulatory boundaries of the single geographic region.
Optionally, when the first communication indicates that the data does not comprise the sensitive data, the at least one target geographic region comprises one of a single target geographic region, a plurality of target geographic regions. Optionally, in this regard, when the at least one target geographic region comprises the plurality of target geographic regions, the OT platform component is provisioned simultaneously to the plurality of target geographic regions. This means that non-sensitive data can be stored at one or more target geographic regions.
Throughout the present disclosure, the term "global directory index" refers to a centralized and comprehensive database managed by the main server, wherein the global directory index is used for storing and/or organizing information related to the one of: the default geographic regions, at least one target geographic region, of the use of the OT platform components. Herein, the database refers to a structured and organized collection of data that is stored and managed on the main server.
Notably the global directory index comprises at least an amount of data required for knowing whereabouts of the OT platform component, to make the OT platform component fully compliant with local data privacy laws. The global directory index comprises mapping of the OT platform component with the one of: the default geographical region, the at least one geographical region (i.e., a destination) of the data of the OT platform component. The global directory index may be in a form of a table, a list, an infographic, and similar.
Throughout the present disclosure, the term "regional server" refers to a region-specific structure and/or a region-specific module that includes programmable and/or non-programmable components that manages and coordinates various operations of the operational technology (OT) platform component. Herein, the regional server is communicably coupled with the main server. This coupling enables the main server to coordinate provisioning of the OT platform component to the regional server and to manage the overall distribution of data of the OT platform component. Herein, the regional server is selected from amongst a plurality of regional servers that are physically located in a plurality of geographical regions. The communication between the main server and the regional server is established through the communication protocol (as described in detail above). Herein, the term "provision" refers to a process of preparing and configuring at least one of: resources, services, components, to make them available and operational when the regional server is in use. Herein, the process of provisioning the OT platform component to the regional server can be performed in various manners, which will be described in detail later.
The term "data repository" refers to hardware, software, firmware, or a combination of these for storing a given information in an organized (namely, structured) manner, thereby, allowing for easy storage, access (namely, retrieval), updating and analysis of the data. The data repository may be implemented as a memory of the system, a removable memory, a cloud-based database, or similar. The data repository can be implemented as one or more storage devices. A technical advantage of using the data repository is that it provides an ease of storage and access of processing the input data, as well as processing outputs.
The provisioning of the OT platform component to the regional server is performed based on information stored in the global directory index. Herein, an appropriate location for storing the data of the OT platform component is determined based on the location of the data repository, which can be one of: the default geographic region, the at least one target geographic region. The main server communicates with the regional server which is responsible for managing the storing data, wherein such communication includes details about the OT platform component and the intent to provision it to the data repository of the appropriate location. The regional server confirms the successful provisioning. Then, the data of the OT platform component is stored in the data repository of the regional server.
A technical effect of provisioning the OT platform component in such a manner is that it facilitates a distributed and region-specific approach of storing the data of the OT platform component. By associating the data storage location with specific geographic regions, the method improves scalability of the system, and also enables efficient data management.
Optionally, the method further comprises: generating a prompt for receiving a user input indicative of the at least one target geographic region; and providing the prompt at the operational technology platform component or a user device that manages the operational technology platform component, wherein the first communication comprises the user input.
In this regard, the term "prompt" refers to a command or a message that the main server is configured to ask a user associated with a user device that manages the OT platform component or the OT platform component regarding the at least one target geographic region, when the main server has activated the OT platform component and assigned a license thereto. Examples of the prompt may include, but are not limited to, a textual prompt, a graphical prompt, and a visual prompt. The term "user input" refers to an information provided by the user in response to the generated prompt. Herein, the user input indicates the at least one target geographic region as preferred by the user. Herein, the term "user device" refers to a hardware device used by the user to interact with or manage the OT platform component. Examples of user device includes a desktop, a laptop, and a smart phone. The user input indicative of the at least one target geographic region is comprised in the first communication which is sent from the main server to the OT platform component or the user device that manages the OT platform component.
A technical effect of generating and providing the prompt in such a manner is to enable the user associated with associated with a user device that manages the OT platform component or the OT platform component to select a geographical region as per requirement.
Optionally, the first communication comprises a set of rules based on which the at least one target geographic region is to be determined, and wherein the method further comprises determining the at least one target geographic region based on the set of rules. In this regard, the set of rules are conditions used to determine the at least one target geographic region while provisioning the OT platform component to the regional server. Optionally, at least one rule amongst the set of rules is based on the at least one of a data privacy rule, a data privacy regulation, the data privacy law, in the at least one target geographic region. The set of rules can also be used to automatically determine the at least one target geographic region without requiring the user input. In other words, when the OT platform component is available for only the geographical region, and this information is available in the global directory index, the OT platform component is automatically provisioned to that geographical region. Optionally, the set of rules can be defined by the user associated with the OT platform component, wherein the provisioning of the OT platform component is performed based on the set of rules defined by the user.
Optionally, at least one rule amongst the set of rules is based on at least one organizational policy that is applicable to the OT platform component. Herein, the organization policies are guidelines and/or rules set by the organization to govern its operations, including how the OT platform component shall be configured. Herein, when the first communication includes the set of rules, the at least one rule is formulated based on organizational policies, the system configures the OT platform component to store data in such geographic regions that complies with local data residency laws and local industry standards. As an example, an organizational policy may be, "Data related to sensitive industrial processes must be stored in such geographic regions with the highest level of security protocols". As another example, an OT platform component may be already linked with another platform component. There may be a rule in the set of rules to provision the OT platform component to a same geographic region as that of the linked component.
A technical effect of determining the at least one target geographic region based on the set of rules is to make the system adaptable and customizable while selecting the geographical region to store the data of the OT platform component.
Optionally, when the first communication does not comprise the set of rules based on which the at least one target geographic region is to be determined, the method further comprises selecting at least one target geographic region during initialization of the OT platform component.
Optionally, the step of provisioning the operational technology platform component to the regional server comprises: sending a request from the main server to the regional server, for initializing provisioning the operational technology platform component to the regional server; receiving, at the main server from the regional server, a second communication indicative of successful provisioning of the operational technology platform component to the regional server; and sending, from the main server to the operational technology platform component, a third communication indicative of the second communication and information of the regional server, wherein when the third communication is received at the operational technology platform component, a communication coupling between the operational technology platform component and the regional server is established.
Herein, the term "request" refers to an initiation message sent from the main server to notify the regional server to initiate the process of provisioning the OT platform component. In this regard, the request is sent to prepare and configure the OT platform component for use within a domain of the regional server. The term "second communication" refers to at least a follow-up message which signals that provisioning the OT platform component to the regional server has been successful. The second communication is important for the main server to acknowledge that the OT platform component is configured and ready to be communicably coupled with the regional server. The "third communication" conveys details about the second communication, and information about the regional server. Such information about the regional server may include, but is not limited to, an identification information, a location, a network configuration, and an operational status. Using this information about the regional server, the OT platform component configures its communication parameters, which may involve, but are not limited to, setting up network configurations, setting up authentication credentials, setting up the communication protocol. When the configuration of the OT platform component is completed, the OT platform component initiates connecting to the regional server to establish the communication coupling between the OT platform component and the regional server. The communication coupling is achieved by establishing a network connection, for example, such as a secure socket connection. Subsequently, the OT platform component and the regional server performs a first handshake to ensure mutual recognition and authentication between the OT platform component and the regional server. This opens a communication channel between the OT platform component and the regional server. The communication channel allows an exchange of data between the OT platform component and the regional server.
A technical effect of provision the OT platform component to the regional server is that it facilitates successful setup of the OT platform component to the regional server of one of: the default geographic region, the at least one target geographic region, to store data therein. Beneficially, this provides a structured and automated approach to provisioning, thereby reducing errors while streamlining the provisioning. This is particularly advantageous while scaling, i.e., in large-scale systems where multiple OT platform components need to be provisioned across different regional servers.
Optionally, the communication channel between the main server and the regional server is encrypted, and wherein end-to-end encrypted payloads are communicated across the communication channel. In this regard, the communication channel is encrypted to ensure that said communication channel is protected and is not vulnerable to any attacks when any communication occurs between the main server and the regional server using the communication channel. In this regard, the term "payload" refers to actual information and/or data being shared between the main server and the regional server. Moreover, the term "end-to-end encrypted payload" refers to the information and/or data being encrypted and transmitted from any one of the main server or the regional server, to be decrypted by another one of the regional server or the main server. In this regard, the information and/or data is encrypted into a format that is unreadable without an appropriate decryption key. Herein, a pair of public key and private key may be generated, wherein the public key is used for encryption and the private key is used for decryption. A technical effect of encrypting the communication channel in such a manner is that ensures confidentiality of the information and/or data throughout its transmission in the communication channel.
Optionally, the method further comprises: receiving, at the main server, a fourth communication indicative of a new geographic region of use of the operational technology platform component; storing information indicative of the new geographic region of use of the operational technology platform component, at the global directory index; and provisioning the operational technology platform component to a new regional server which manages data storage in a new data repository located in the new geographic region, wherein upon said provisioning, at least a portion of the data of the operational technology platform component is stored by the new regional server at the new data repository.
In this regard, the OT platform component is used to store data at the new geographic region. Herein, the new geographic region is different from one of: the default geographic region, the at least one target geographic region. The term "fourth communication" refers to information sent from the OT platform component to the main server to convey where the OT platform component wants to store the data additionally. Continuing with respect to the first example, the fourth communication may indicate a new geographic region, i.e., Asia. Thereafter, the global directory index is updated to reflect the new geographic region of use of the OT platform component. This global directory index could be updated by any one of: removing old information indicative of the at least one target geographical region with the new geographic region of use of the OT platform component, adding the information of the new geographic region of use of the OT platform component as a list. Beneficially, the main server maintains an accurate record of the new geographic region of use of the OT platform component. Notably, the global directory index is structured in such a manner that information related to different geographic regions of multiple OT platform components are available. Prior to updating the global directory index, the main server may authenticate the information received, to ensure validity and integrity of said information. This ensures prevention of any unauthorized changes or inaccuracies in the stored information. Herein, the main server performs an update operation on the global directory index, replacing the information related to the OT platform component with the new details indicating the changed geographic region.
The new regional server is located in the new geographic region, wherein the new regional server manages data storage of the OT platform component in the new data repository. Herein, the new regional server processes information received from the main server and sends a response to the main server of successful provisioning of the OT platform component, thus communicably coupling the main server with the new regional server.
Optionally, the method further comprises: receiving, at the main server, another communication indicative of the licence and the activation information of the operational technology platform component whose data is to be stored at the new data repository of the new regional server; activating the operational technology platform component and assigning a license thereto; and sending, from the main server to the operational technology platform component, another communication indicative of the operational technology platform component being ready for provisioning.
Upon successful provisioning the OT platform component transmits at least a portion of the data to be stored at the new data repository of the new regional server at the new geographical location.
Subsequently, the OT platform component and the regional server performs a second handshake to ensure mutual recognition and authentication between the OT platform component and the new regional server. This opens a communication channel between the OT platform component and the new regional server. The communication channel allows an exchange of data between the OT platform component and the regional server.
A technical effect of provisioning the at least one a portion of the data in such a manner is that it enables adjusting the OT platform component dynamically. Beneficially, this provides an efficient management of the OT platform component with respect to changing operational needs of the user and/or organization.
Optionally, the fourth communication is also indicative of whether the operational technology platform component is to be de-provisioned from the regional server, wherein when the fourth communication indicates that the operational technology platform component is to be deprovisioned from the regional server, the method further comprises: removing information indicative of a previously-provisioned geographic region of use of the operational technology platform component from the global directory index; and enabling transfer of an entirety of the data of the operational technology platform component from a data repository located in the previously-provisioned geographic region to the new data repository.
In this regard, the OT platform component is to be de-provisioned from the regional server. In other words, the regional server located at a previously-provisioned geographic region is removed and not used by the OT platform component. Herein, the term "previously-provisioned geographic region" encompasses namely the default geographic region and/or the at least one target geographic region. Herein, the main server, upon receiving the fourth communication from the OT platform component, updates the global directory index by removing a mapping of the OT platform component with the previously-provisioned geographic region of use of the OT platform component. Thereafter, the entirety of the data is transferred to the new data repository as the regional server at the previously-provisioned geographic region is no longer used by the OT platform component. Herein, the phrase "entirety of the data" refers to a complete data related to the OT platform component. This ensures that the entirety of the data of the OT platform component is preserved in the new data repository of the new regional server, as it was preserved in the data repository of the regional server. A technical effect of deprovisioning the OT platform component from the regional server in such a manner is that it enables maintaining integrity of the data and ensures that the data of the OT platform component remains accessible and available even after de-provisioning the data of the OT platform component from the regional server.
Optionally, when the fourth communication indicates that the operational technology platform component is not to be de-provisioned from the regional server, the fourth communication also indicates whether the new geographic region is a primary region or a secondary region, and wherein the method further comprises: when the new geographic region is the primary region, enabling transfer of an entirety of the data of the operational technology platform component from a data repository located in a previously-provisioned geographic region to the new data repository, while retaining only basic component information from amongst the data of the operational technology platform component, at the data repository located in the previously-provisioned region; or when the new geographic region is the secondary region, enabling transfer of basic component information from amongst the data of the operational technology platform component, from a data repository located in a previously-provisioned geographic region to the new data repository.
In this regard, the term "primary region" refers to the new geographic region when the OT platform component primarily intends to store the data at the new data repository located at the new geographic region. The term "secondary region" refers to the new geographic region when the OT platform component primarily intends to store the data at the data repository located at the previously-provisioned geographic region. The primary and secondary regions are selected based on requirements of the OT platform component.
In an embodiment, the fourth communication indicates that the OT platform component is not to be de-provisioned from the regional server, and also indicates that the new geographic region is the primary region. In this regard, the new geographic region for storing at least a portion of the data of the OT platform component is to be added, and when the new geographic region is the primary region, the entirety of the data is transferred to the new data repository. However, the basic component information from amongst the data of the OT platform component is retained at the data repository of the regional server located at the previously-provisioned geographic region to ensure availability of the data in case of any changes, or modifications. Herein, the basic component information comprises at least one of: certificate common name, certificate, timestamps, local serialisation, an identifier, a type, a version information, a configuration information, a public key, a serial number of the OT platform component.
In another embodiment, the fourth communication indicates that the OT platform component is not to be de-provisioned from the regional server, and also indicates that the new geographic region is the secondary region. In this regard, the new geographic region for storing at least a portion of the data of the OT platform component is to be added, and when the new geographic region is the secondary region, the entirety of the data is retained at the data repository located at the previously- provisioned geographic region. However, the basic component information from amongst the data of the OT platform component is transferred to the new data repository of the new regional server located at the new geographic region to ensure availability of the data in case of any changes, or modifications.
A technical effect of not de-provisioning the OT platform component from the regional server in such a manner is that it provides a flexible mechanism for managing the data associated with the OT platform component based on a preference of where the user wants to store the data. Beneficially, this facilitates customized data management strategies, ensuring efficient and selective transfer of information depending on the importance of the geographic regions in the overall OT platform component.
Optionally, the method further comprises: receiving, at the main server, a fifth communication indicative of another operational technology platform component whose geographic region of use is to be resolved, from the operational technology platform component; identifying the geographic region of use of the another operational technology platform component, using the global directory index; and sending, from the main server to the operational technology platform component, a sixth communication indicative of the geographic region of use of the another operational technology platform component.
Throughout the present disclosure, the term "fifth communication" refers an information sent from the OT platform component to the main server, in order to resolve (i.e., determine or identify) the geographic region of use of the another OT platform component. Herein, the another OT platform component is different from the OT platform component. The another OT platform component could belong to a same user and/or organization or to a different user and/or organization, to which the OT platform component belongs.
Thereafter, database structure technique is used to determine the geographic region of use of the another OT platform component. Herein, the global directory index is used as a reference to identify the geographic region of use for the another OT platform component. The database structure technique involves mapping addresses, for example, such as Internet Protocol (IP) addresses, to several geographical regions to identify the geographic region associated with the another OT platform component.
The term "sixth communication" refers to a response sent by the main server to the OT platform component, indicating that the geographic region of use for the another OT platform component has been resolved. Herein, such identification of the geographic region of use for the another OT platform component ensures compliance, optimization, security, and efficient resource management in various industries. For example, in the global directory index, an information stored which may be indicative of a geographical region of use of the OT platform component. Herein, an OT platform component #ID001 may store data in a regional server of North America, an OT platform component #ID002 may store data in a regional server of Europe, an OT platform component #ID003 may store data in a regional server of Asia. Herein, the main server may receive a fifth communication from the OT platform component #ID001. The fifth communication may be indicative of the OT platform component #ID002, whose geographic region of use is to be resolved. Based on the fifth communication received, the geographic region of use of the OT platform component #ID002 may be identified to be in Europe.
A technical effect of determining the geographical region of another OT platform component is to manage and coordinate the geographic regions associated with different OT platform components i.e., the OT platform component and the another OT platform component.
Optionally, the method further comprises routing at least one message between two regional servers, using the global directory index. In this regard, the term "routing" refers to directing at least one message between two regional servers. Herein, the at least one message is routed between the two regional servers to provide a collaborative environment, when the system is optionally a distributed system. In this regard, the two regional servers could be located at two different geographical regions, but used by the same user and/or organization. The global directory index also includes information of all regional servers to which the main server is connected. Hence, routing is done based on this information. Beneficially, routing at least one message between the two regional servers improves efficiency as redundancy of data is reduced. Hence, such routing improves a responsiveness of the system, due to reduced processing requirements. Furthermore, routing the at least one message between the two regional servers facilitates in coordinating the two regional servers with each other. For example, if one regional server experiences issues, at least one message may be sent to another regional server to avoid facing a same issue. A technical effect of utilizing the global directory index to route the at least one message between the two regional servers in such a manner is to enable effective coordination of operations between different OT platform components in the system.
Optionally, the method further comprises enabling communication between at least one external regional server and an operational technology platform to which the operational technology platform component is connected, via the main server. In this regard, the "external regional server" refers to another server that is not originally communicably coupled with the OT platform component, which is connected to an OT platform, but is associated with one of: the default geographic region, the at least one target geographic region, of use of the OT platform component. Herein, the OT platform is a central platform that manages various OT platform components and serves as a hub for coordinating activities within the system. The communication between the at least one external regional server and the OT platform is enabled by establishing secure communication channels between the at least one external regional server and the OT platform. Such communication indicates that there is a capability for bidirectional communication between the at least one external regional server and the OT platform. A technical effect of enabling communication between the at least one external regional server and the OT platform to which the OT platform component is connected is that it enables improving the scalability of the system, which enhances an overall integration of the OT platform with the at least one external regional server.
Optionally, the method further comprises enabling the main server for providing a functionality related to a certificate authority, or for connecting to an external certificate authority. In this regard, the term "certificate authority" refers to an entity responsible for issuing and managing digital certificates, which are used to secure communications, via the main server. The term "external certificate authority" refers to an independent trusted entity that issues digital certificates but is not communicably coupled with the main server. Herein, the main server is capable of providing the functionality related to the certificate authority, including tasks such as issuing digital certificates and ensuring secure communication within the OT platform. It will be appreciated that the digital certificates are essential in verifying the authenticity of entities involved in communication and enables encryption of data during transmission, thus protecting the data from unauthorized access. In this regard, the certificate authority follows a particular procedure to generate digital certificates to verify an identity of the entity requesting a certificate. This particular procedure may involve, but is not limited to, checking domain ownership, confirming legal identity of an organization, matching public key included in a digital certificate with a private key secured by the certificate authority.
Alternatively, the main server is configured to connect to the external certificate authority, to interact with the external certificate authority for managing and issuing digital certificates. Herein, connecting the main server to the external certificate authority provides flexibility in choosing a different certificate authority than a default certificate authority, as the user and/or the organization may prefer to use their own internal certificate authority while others may opt for the external certificate authority to comply with industry standards and regulations.
Herein, a security and integrity of the OT platform component is based on a Trust Chain, which is often referred to as a Public Key Infrastructure (PKI), in which a defined Certificate Authority (CA) is a root of trust for all entities. In the OT platform, the Certificate Authority is managed by the OT platform component, and all certificates for any entity connected to the OT platform are signed by a certificate authority managed by the OT platform. In this regard, at least one of: a customer, a partner, a third party, might want to secure their OT platform with their own PKI, wherein a root of the Certificate Authority is from their internal PKI or from a trusted external Certificate Authority. When the main server is enabled to provide the functionality related to the external certificate authority, an external application programming interface (API) of the external certificate authority is provided with a functionality of the certificate authority in the main server. This would allow the main server to manage all certificates internally, while still keeping the PKI internal.
A technical effect for providing a functionality related to a certificate authority, or for connecting to an external certificate authority enables enhancing security infrastructure of the system, by establishing a trust within the system by providing digital certificates, and thereby reducing a risk of being vulnerable during attacks.
The present disclosure also relates to the aforementioned second aspect as described above. Various embodiments and variants disclosed above, with respect to the aforementioned first aspect, apply mutatis mutandis to the aforementioned second aspect.
Optionally, the system further comprises a plurality of regional servers that are physically located in a plurality of geographical regions. The main server is communicably coupled to the plurality of regional servers.
Optionally, in the system the operational technology platform component is one of: a device associated with an operational technology platform, or a software application associated with an operational technology platform. Optionally, in the system a communication channel between the main server and the plurality of regional servers is encrypted, and end-to-end encrypted payloads are communicated across the communication channel.
DETAILED DESCRIPTION OF THE DRAWINGS
Referring to FIG. 1, illustrated are steps of a method for storing data, in accordance with an embodiment of the present disclosure. At step 102, at a main server, a first communication is received which is indicative of one of: a default geographic region, at least one target geographic region, of use of an operational technology platform component whose data is to be stored. At step 104, at a global directory index managed by the main server, information is stored which is indicative of the one of: the default geographic region, the at least one target geographic region, of use of the operational technology platform component. At step 106, the operational technology platform component to a regional server is provisioned which manages data storage in a data repository located in the one of: the default geographic region, the at least one target geographic region, wherein upon said provisioning, the data of the operational technology platform component is stored by the regional server at the data repository.
The aforementioned steps are only illustrative and other alternatives can also be provided where one or more steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein.
Referring to FIG. 2, illustrated is a block diagram of an architecture of a system 200 for storing data, in accordance with an embodiment of the present disclosure. The system 200 comprises a main server 202 and an operational technology platform component 204. The system 200 further comprises a plurality of regional servers (depicted as two regional servers 206A and 206B) that are physically located in a plurality of geographical regions. The main server 202 is communicably coupled to the operational technology platform component 204 whose data is to be stored, and to the two regional servers 206A-B. The main server 202 manages a global directory index 208, the regional server 206A manages data storage in a data repository 210A, and the regional server 206B manages data storage in a data repository 210B. The main server 202 is configured to perform various operations, as described earlier with respect to the aforementioned second aspect.
It may be understood by a person skilled in the art that the FIG. 2 includes a simplified architecture of a system 200 for sake of clarity, which should not unduly limit the scope of the claims herein. The person skilled in the art will recognize many variations, alternatives, and modifications of embodiments of the present disclosure.
Referring to FIGs. 3A, 3B, 3C and 3D, there are illustrated sequence diagrams illustrating steps of operation of a system 300 for storing data, in accordance with various embodiments of the present disclosure. In FIGs. 3A-3C, the system 300 comprises a main server 302, an operational technology platform component 304 whose data is to be stored. In FIG. 3A, the system 300 further comprises a regional server 306A that is physically located in a geographical region. The main server 302 is communicably coupled to the operational technology platform component 304 whose data is to be stored, and to the regional servers 306A. The operational technology platform component 304 manages communication via an activation user interface 308, the main server manages communication via an application programming interface 310, and the regional server 306A manages communication via another application programming interface 312A.
In FIG. 3A, at step 3.1, the main server 302 receives a first connection request from the operational technology platform component 304. Optionally, the first connection request is indicative of licence and activation information of the operational technology platform component 304 whose data is to be stored. Optionally, the main server 302 activates the operational technology platform component 304 and assigns a license thereto. At step 3.2, the main server 302 sends a first response to the operational technology platform component 304. Optionally, the first response is indicative of the operational technology platform component 304 being ready for provisioning. At step 3.3, the operational technology platform component 304 selects one of: a default geographic region, at least one target geographic region, of use of an operational technology platform component 304 whose data is to be stored. At step 3.4, the main server 302 receives a first communication indicative of the one of: the default geographic region, the at least one target geographic region, of use of the operational technology platform component 304 whose data is to be stored, from the operational technology platform component 304.
Further in FIG. 3A, steps 3.5, 3.6, 3.7, 3.9 and 3.10, illustrate a procedure of provisioning the operational technology platform component 304 to the regional server 306A which manages data storage in a data repository located in the one of: the default geographic region, the at least one target geographic region. At step 3.5, a request is sent from the main server 302 to the regional server 306A, for initializing provisioning the operational technology platform component 304 to the regional server 306A. At step 3.6, the regional server 306A performs necessary processing operations required for successful provisioning. At step 3.7, the main server 302 receives from the regional server 306A, a second communication indicative of successful provisioning of the operational technology platform component 304 to the regional server 306A. At step 3.8, information indicative of the one of: the default geographic region, the at least one target geographic region, of use of the operational technology platform component 304, is stored at a global directory index managed by the main server 302. This step 3.8 could alternatively be performed prior to the step 3.5. At step 3.9, the main server 302 sends to the operational technology platform component 304, a third communication indicative of the second communication and information of the regional server 306A, wherein when the third communication is received at the operational technology platform component 304, a communication coupling between the operational technology platform component 304 and the regional server 306A is established. Upon establishment of such communicable coupling, at step 3.10, the regional server 306A and the operational technology platform component 304 performs a first handshake.
In FIGs. 3B-3D the system 300 further comprises a new regional server 306B. The main server 302 is communicably coupled with the new regional server 306B. In all FIGs. 3B-3D, at step 3.11, the main server 302 receives a second connection request from the operational technology platform component 304. Optionally, the second connection request is indicative of the licence and the activation information of the operational technology platform component 304 whose data is to be stored. Optionally, the main server 302 activates the operational technology platform component 304 and assigns a license thereto. At step 3.12, the main server 302 sends a second response to the operational technology platform component 304. Optionally, the second response is indicative of the operational technology platform component 304 being ready for provisioning. At step 3.13, the operational technology platform component 304 selects a new geographic region of use of the operational technology platform component 304 whose data is to be stored. At step 3.14, the main server 302 receives a fourth communication indicative of the new geographic region of use of the operational technology platform component 304. Herein, the fourth communication is also indicative of whether the operational technology platform component 304 is to be de-provisioned or not from the regional server 306A. At step 3.15, an information indicative of the new geographic region of use of the operational technology platform component 304 is stored at the global directory index managed by the main server 302.
Further in FIGs. 3B and 3C, steps 3.16, 3.17, 3.18, 3.19, 3.20, and 3.21 illustrate a procedure of provisioning the operational technology platform component 304 to the regional server 306B (which is the new regional server for the operational technology platform component 304), which manages data storage in a new data repository located in the new geographic region. At step 3.16, a request is sent from the main server 302 to the regional server 306B, for initializing provisioning the operational technology platform component 304 to the regional server 306B. At step 3.17, the regional server 306B performs necessary processing operations required for successful provisioning, wherein upon said provisioning, at least a portion of the data of the operational technology platform component 304 is stored by the regional server 306B at the new data repository.
Optionally, in FIG. 3B, the fourth communication may indicate that the operational technology platform component 304 is to be de-provisioned from the regional server 306A. At step 3.18, the main server 302 removes information indicative of a previously-provisioned geographic region of use of the operational technology platform component 304 from the global directory index. Subsequently, the main server 302 enables transfer of an entirety of the data of the operational technology platform component 304 from a data repository located in the previously- provisioned geographic region to the new data repository. At step 3.19, the regional server 306A transfers entirety of the data of the operational technology platform component 304 from the data repository located in the previously-provisioned geographic region to the new data repository of the regional server 306B. Alternatively, optionally, in FIGs. 3C and 3D, the fourth communication may indicate that the operational technology platform component 304 is not to be de-provisioned from the regional server 306A. The fourth communication also indicates whether the new geographic region is a primary region or a secondary region. In an instance, in FIG. 3C, when the new geographic region is the primary region, the main server 302 enables transfer of an entirety of the data of the operational technology platform component 304 from a data repository located in a previously- provisioned geographic region to the new data repository, while retaining only basic component information from amongst the data of the operational technology platform component, at the data repository located in the previously-provisioned region. At step 3.20, the regional server 306A transfers the entirety of the data of the operational technology platform component 304 from a data repository located in a previously-provisioned geographic region to the new data repository, while retaining only basic component information (as indicated by a dashed arrow) from amongst the data of the operational technology platform component, at the data repository located in the previously- provisioned region.
In another instance, in FIG. 3D, when the new geographic region is the secondary region, the main server 302 enables transfer of basic component information from amongst the data of the operational technology platform component 304, from a data repository located in a previously-provisioned geographic region to the new data repository. At step 3.21, the regional server 306A will retain the entirety of the data of the operational technology platform component 304, and transfers only basic component information (as indicated by a dashed arrow) from amongst the data of the operational technology platform component 304 at the data repository located in the previously-provisioned region. In all FIGs. 3B-3D, upon establishment of such communicable coupling, at step 3.22, the new regional server 306B and the operational technology platform component 304 performs a second handshake.
FIGs. 3A-3D are merely examples, which should not unduly limit the scope of the claims herein. A person skilled in the art will recognize many variations, alternatives, and modifications of embodiments of the present disclosure.
Referring to FIG. 4, there is illustrated a sequence diagram illustrating a system 400 for resolving geographic region of use of another operational technology platform component, in accordance with an embodiment of the present disclosure. The system 400 comprises a main server 402, an operational technology platform component 404, and the another operational technology platform component 406. The main server 402 is communicably coupled with the operational technology platform component 404 and the another operational technology platform component 406 whose geographic region of use is to be resolved. The operational technology platform component 404 manages communication via an activation user interface 408, the another operational technology platform component 406 manages communication via another activation user interface 410, and the main server 402 manages communication via an application programming interface 412.
At step 4.1, the main server 402 receives a third connection request from the operational technology platform component 404. Optionally, the third connection request is indicative of licence and activation information of the operational technology platform component 404. Optionally, the main server 402 activates the operational technology platform component 404 and assigns a license thereto. At step 4.2, the main server 402 sends a third response to the operational technology platform component 404. Optionally, the third response is indicative of the another operational technology platform component 406 being ready for provisioning. At step 4.3, the main server 402 receives a fifth communication indicative of the another operational technology platform component 406 whose geographic region of use is to be resolved, from the operational technology platform component 404. At step 4.4, the main server 402 identifies the geographic region of use of the another operational technology platform component 406, using the global directory index. At step 4.5, the main server 402 sends to the operational technology platform component 404, a sixth communication indicative of the geographic region of use of the another operational technology platform component 406.
FIG. 4 is merely an example, which should not unduly limit the scope of the claims herein. A person skilled in the art will recognize many variations, alternatives, and modifications of embodiments of the present disclosure.
Referring to FIG. 5, there is shown an exemplary sequence diagram illustrating storing of information of an operational technology platform component 502 in a global directory index 504, in accordance with an embodiment of the present disclosure. The operational technology platform component 502 is one of: a device associated with the operational technology platform 502, or a software application associated with the operational technology platform 502. The global directory index 504 manages communication regarding the storing of information via still another application programming interface 506. At step 5.1, the operational technology platform 502 sends the information to the global directory index 504. At step 5.2, the global directory index 504 sends a response indicative of an acknowledgement of receiving the information of the operational technology platform 502.
FIG. 5 is merely an example, which should not unduly limit the scope of the claims herein. A person skilled in the art will recognize many variations, alternatives, and modifications of embodiments of the present disclosure.

Claims

CLAIMS What is claimed is:
1. A method for storing data, the method comprising: receiving, at a main server (202, 302, 402), a first communication indicative of one of: a default geographic region, at least one target geographic region, of use of an operational technology platform component (204, 304, 404, 502) whose data is to be stored; storing information indicative of the one of: the default geographic region, the at least one target geographic region, of use of the operational technology platform component, at a global directory index (208, 504) managed by the main server; and provisioning the operational technology platform component to a regional server (206A, 306A) which manages data storage in a data repository (210A) located in the one of: the default geographic region, the at least one target geographic region, wherein upon said provisioning, the data of the operational technology platform component is stored by the regional server at the data repository.
2. A method of claim 1, wherein the first communication is also indicative of whether the data comprises sensitive data, wherein when the first communication indicates that the data comprises the sensitive data, the at least one target geographic region comprises a single target geographic region.
3. A method according to any of the preceding claims, further comprising: generating a prompt for receiving a user input indicative of the at least one target geographic region; and providing the prompt at the operational technology platform component (204, 304, 404, 502) or a user device that manages the operational technology platform component, wherein the first communication comprises the user input.
4. A method according to any of the preceding claims, wherein the first communication comprises a set of rules based on which the at least one target geographic region is to be determined, and wherein the method further comprises determining the at least one target geographic region based on the set of rules.
5. A method according to any of the preceding claims, wherein the step of provisioning the operational technology platform component (204, 304, 404, 502) to the regional server (206A, 306A) comprises: sending a request from the main server (202, 302, 402) to the regional server, for initializing provisioning the operational technology platform component to the regional server; receiving, at the main server from the regional server, a second communication indicative of successful provisioning of the operational technology platform component to the regional server; and sending, from the main server to the operational technology platform component, a third communication indicative of the second communication and information of the regional server, wherein when the third communication is received at the operational technology platform component, a communication coupling between the operational technology platform component and the regional server is established.
6. A method according to any of the preceding claims, further comprising: receiving, at the main server (202, 302, 402), a fourth communication indicative of a new geographic region of use of the operational technology platform component (204, 304, 404, 502); storing information indicative of the new geographic region of use of the operational technology platform component, at the global directory index (208, 504); and provisioning the operational technology platform component to a new regional server (206B, 306B) which manages data storage in a new data repository (210B) located in the new geographic region, wherein upon said provisioning, at least a portion of the data of the operational technology platform component is stored by the new regional server at the new data repository.
7. A method according to claim 6, wherein the fourth communication is also indicative of whether the operational technology platform component (204, 304, 404, 502) is to be de-provisioned from the regional server (206A, 306A), wherein when the fourth communication indicates that the operational technology platform component is to be deprovisioned from the regional server, the method further comprises: removing information indicative of a previously-provisioned geographic region of use of the operational technology platform component from the global directory index (208, 504); and enabling transfer of an entirety of the data of the operational technology platform component from a data repository (210A) located in the previously-provisioned geographic region to the new data repository (210B).
8. A method according to claim 7, wherein when the fourth communication indicates that the operational technology platform component (204, 304, 404, 502) is not to be de-provisioned from the regional server (206A, 306A), the fourth communication also indicates whether the new geographic region is a primary region or a secondary region, and wherein the method further comprises: when the new geographic region is the primary region, enabling transfer of an entirety of the data of the operational technology platform component from a data repository (210A) located in a previously- provisioned geographic region to the new data repository (210B), while retaining only basic component information from amongst the data of the operational technology platform component, at the data repository located in the previously-provisioned region; or when the new geographic region is the secondary region, enabling transfer of basic component information from amongst the data of the operational technology platform component, from a data repository located in a previously-provisioned geographic region to the new data repository.
9. A method according to any of the preceding claims, further comprising: receiving, at the main server (202, 302, 402), a fifth communication indicative of another operational technology platform component (406) whose geographic region of use is to be resolved, from the operational technology platform component (204, 304, 404, 502); identifying the geographic region of use of the another operational technology platform component, using the global directory index (208, 504); and sending, from the main server to the operational technology platform component, a sixth communication indicative of the geographic region of use of the another operational technology platform component.
10. A method according to any of the preceding claims, further comprising routing at least one message between two regional servers, using the global directory index (208, 504).
11. A method according to any of the preceding claims, further comprising enabling communication between at least one external regional server and an operational technology platform to which the operational technology platform component (204, 304, 404, 502) is connected, via the main server (202, 302, 402).
12. A method according to any of the preceding claims, further comprising enabling the main server (202, 302, 402) for providing a functionality related to a certificate authority, or for connecting to an external certificate authority.
13. A system (200, 300, 400) for storing data, the system comprising a main server (202, 302, 402) that is communicably coupled to an operational technology platform component (204, 304, 404, 502) whose data is to be stored, and to a plurality of regional servers (206A-B, 306A- B) that are physically located in a plurality of geographical regions, wherein the main server is configured to: receive a first communication indicative of one of: a default geographic region, at least one target geographic region, of use of the operational technology platform component whose data is to be stored; store information indicative of the one of: the default geographic region, the at least one target geographic region, of use of the operational technology platform component, at a global directory index (208, 504) managed by the main server; and provision the operational technology platform component to a regional server (206A, 306A) which manages data storage in a data repository (210A) located in the one of: the default geographic region, the at least one target geographic region, the regional server being selected from amongst the plurality of regional servers, wherein upon said provisioning, the data of the operational technology platform component is stored by the regional server at the data repository.
14. A system (200, 300, 400) according to claim 13, wherein the operational technology platform component (204, 304, 404, 502) is one of: a device associated with an operational technology platform, or a software application associated with an operational technology platform.
15. A system (200, 300, 400) according to claim 13 or 14, wherein a communication channel between the main server (202, 302, 402) and the plurality of regional servers (206A-B, 306A-B) is encrypted, and wherein end-to-end encrypted payloads are communicated across the communication channel.
PCT/FI2024/050038 2024-02-01 2024-02-01 Method and system for storing data based on geographical regions Pending WO2025163233A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/FI2024/050038 WO2025163233A1 (en) 2024-02-01 2024-02-01 Method and system for storing data based on geographical regions

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/FI2024/050038 WO2025163233A1 (en) 2024-02-01 2024-02-01 Method and system for storing data based on geographical regions

Publications (1)

Publication Number Publication Date
WO2025163233A1 true WO2025163233A1 (en) 2025-08-07

Family

ID=89854695

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2024/050038 Pending WO2025163233A1 (en) 2024-02-01 2024-02-01 Method and system for storing data based on geographical regions

Country Status (1)

Country Link
WO (1) WO2025163233A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040139124A1 (en) * 2002-12-19 2004-07-15 Nobuo Kawamura Disaster recovery processing method and apparatus and storage unit for the same
CN109657146A (en) * 2018-12-21 2019-04-19 拉扎斯网络科技(上海)有限公司 Distributed search method, device and system, main server and regional server
EP3667514A1 (en) * 2018-12-14 2020-06-17 Slack Technologies, Inc. Methods, apparatuses, and computer program products for management of and search index generation based on geographically distributed data
CN114201454A (en) * 2021-12-15 2022-03-18 中国建设银行股份有限公司 A file processing system, method, apparatus, device and medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040139124A1 (en) * 2002-12-19 2004-07-15 Nobuo Kawamura Disaster recovery processing method and apparatus and storage unit for the same
EP3667514A1 (en) * 2018-12-14 2020-06-17 Slack Technologies, Inc. Methods, apparatuses, and computer program products for management of and search index generation based on geographically distributed data
CN109657146A (en) * 2018-12-21 2019-04-19 拉扎斯网络科技(上海)有限公司 Distributed search method, device and system, main server and regional server
CN114201454A (en) * 2021-12-15 2022-03-18 中国建设银行股份有限公司 A file processing system, method, apparatus, device and medium

Similar Documents

Publication Publication Date Title
CN102257505B (en) For providing the equipment and method that access through authorization device
EP3138035B1 (en) Method and apparatus for multi-tenancy secrets management
US8532620B2 (en) Trusted mobile device based security
KR102396643B1 (en) API and encryption key secret management system and method
US10642664B2 (en) System and method for securing an inter-process communication via a named pipe
US10255446B2 (en) Clipboard management
US10990692B2 (en) Managing data handling policies
CN102143492B (en) VPN connection establishing method, mobile terminal and server
JP2023539168A (en) Self-authentication identifier and its applications
US20250126130A1 (en) System and method for providing dual endpoint access control of remote cloud-stored resources
US11804969B2 (en) Establishing trust between two devices for secure peer-to-peer communication
US11006278B2 (en) Managing network resource permissions for applications using an application catalog
WO2025163233A1 (en) Method and system for storing data based on geographical regions
US20240413988A1 (en) Multi-factor authentication hardening
CN115037549B (en) Application protection method, device and storage medium
KR20240152761A (en) Secure file management method, apparatus, and system
JP5383768B2 (en) Information management apparatus, system and method
US20170187531A1 (en) Providing encrypted personal data to applications based on established policies for release of the personal data
KR20190097555A (en) Method and apparatus for e-mail service
Jana et al. Controlled privacy in mobile cloud
WO2025012996A2 (en) System and method for handling secure data for at least one user equipment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24704039

Country of ref document: EP

Kind code of ref document: A1