A method and system for regulating access by an access program to a data object residing in a storage system, which may be used to protect against data theft in a storage server. The storage server receives, from a client node, a certificate request for a certificate pertaining to access of the data object by the access program. The storage server validates the certificate request and in response, generates the certificate and transmits the certificate to the client node. The certificate request and the certificate each include a signature of the access program and an identifier of the data object. The storage server receives from the client node an I/O request for access of the data object by the access program. The storage server determines whether the I/O request is valid or invalid and processes the I/O request with privileged handling or degraded handling, respectively.