Security for accessing stored resources

The invention claimed is: 1. A server system comprising: a separate storage area for each of a plurality of parties including a first party and a second party, wherein: a first storage area of the first party stores a primary instance of a data resource of the first party, the data resource is access controlled, and the primary instance of the data resource includes permissions metadata, the permissions metadata comprising a permissions list that specifies which of the plurality of parties are permitted access to the data resource and a reduced size representation of the permissions list; a memory storing instructions; and a processor coupled to the memory, wherein upon execution of the instructions by the processor, the processor is operable to: in response to a request for the second party to access the data resource of the first party, perform a permission check comprising reading the permissions metadata included in the primary instance stored in the first storage area, and therefrom determining whether the second party is specified as being permitted access, wherein reading the permissions metadata comprises: initially reading the reduced size representation of the permissions list to determine whether a decision can be made as to permitting the second party access to the data resource; and if no decision can be made based on the reading of the reduced size representation of the permissions list, reading at least a portion of the permissions list to determine whether the second party is specified by the permissions list; and on condition that the second party is determined to be permitted access according to the permission check, establish a secondary copy of the data resource of the first party in a second storage area of the second party; wherein, once the secondary copy is established in the second storage area, the processor is operable to allow the second party to access the data resource by means of the secondary copy without undergoing another permission check against the permissions metadata. 2. The server system of claim 1 , wherein the permissions metadata specifies which of the plurality of parties are permitted access to the data resource in terms of one or more individual users permitted to access the respective resource, the permission check comprising checking whether the second party is a user that is included in the one or more individual users. 3. The server system of claim 1 , wherein the permissions metadata specifies which of the plurality of parties are permitted access to the data resource in terms of one or more groups of users permitted access to the respective resource, the permission check comprising checking whether the second party is a user included in the one or more groups, or checking whether the second party is one of the one or more groups. 4. The server system of claim 1 , wherein the data resource is public, and the processor is operable to allow any party access to the data resource. 5. The server system of claim 1 , wherein the data resource is private, and the processor is operable to limit access to the data resource to the first party. 6. The server system of claim 1 , wherein the processor is operable to withhold performance of the permission check when the first party accesses the primary instance of the data resource. 7. The server system of claim 1 , wherein the processor is further operable to automatically delete the secondary copy from the second storage area when the primary instance is deleted in the first storage area. 8. The server system of claim 1 , wherein the processor is further operable to automatically delete the secondary copy from the second storage area if the permissions metadata is modified so as to no longer specify the second party as one of the plurality of parties permitted access to the data resource. 9. The server system of claim 1 , wherein the processor is further operable to fail the permission check by default if the reading of the permissions metadata returns empty or corrupt permissions metadata such that the secondary copy is not established and the second party is not granted access to the data resource. 10. The server system of claim 1 , wherein access to one or both of further metadata describing an activity performed in relation to the data resource by the first party, and/or any subsequent modifications to the data resource, are controlled according to a same permissions metadata as the data resource itself. 11. The server system of claim 1 , wherein: the secondary copy comprises relationship metadata describing a relationship between the data resource and the first party or the second party, wherein the relationship can be private or public; and wherein the processor is further operable to store the relationship metadata only in the primary instance or the secondary copy respectively if the relationship is private, and store the relationship metadata in both the primary instance and the secondary copy if the relationship is public. 12. The server system of claim 1 , wherein at least some of the separate storage areas, including at least the first storage area of the first party and the second storage area of the second party, are implemented on separate server units in separate housings, racks, rooms, buildings or geographic locations. 13. The server system of claim 12 , wherein the processor is implemented in a distributed form comprising a respective instance of the processor at each of the server units. 14. The server system of claim 13 , wherein the instance of the processor on a first server unit of the first party is operable to perform an instance of the permission check in response to the request from the instance of the processor on a second server unit of the second party; and the instance of the processor on the second server unit of the second party is configured to perform a second instance of the permission check before establishing the secondary copy in the second storage area of the second party. 15. A method comprising: providing a separate storage area of each of a plurality of parties including a first party and a second party; in a first storage area of the first party, storing a primary instance of a data resource of the first party, wherein the data resource is access controlled, and the primary instance of the data resource includes permissions metadata, the permissions metadata comprising a permissions list that specifies which of the plurality of parties are permitted access to the data resource and a reduced size representation of the permissions list; in response to a request for the second party to access the data resource of the first party, performing a permission check comprising reading the permissions metadata included in the primary instance stored in the first storage area, and therefrom determining whether the second party is specified as being permitted access, wherein reading the permissions metadata comprises: initially reading the reduced size representation of the permissions list to determine whether a decision can be made as to permitting the second party access to the data resource; and if no decision can be made based on the reading of the reduced size representation of the permissions list, reading at least a portion of the permissions list to determine whether the second party is specified by the permissions list; on condition that the second party is determined to be permitted access according to the permission check, establishing a secondary copy of the data resource of the first party in a second storage area of the second party; and once the secondary copy is established i