Secure and control data migrating between enterprise and cloud services
First Claim
1. A method for operating a cloud gateway, comprising:
- generating a plurality of rules relating users and groups to data access at a plurality of cloud service providers;
- encrypting, at one of a plurality of pass-through connectors, outgoing data that is moving through a cloud gateway en route from a proxy server to one of the plurality of cloud service providers, responsive to a data write request associated with a first user, the encrypting in accordance to one of the plurality of rules as related to the first user,
  wherein the plurality of pass-through connectors includes a first pass-through connector that is coupled to the proxy server and associated to a first cloud service provider and has a first encryption/decryption module, and a second pass-through connector that is coupled to the proxy server and associated to a second cloud service provider and has a second encryption/decryption module, there being in the cloud gateway one pass-through connector per cloud service provider,
  wherein the first encryption/decryption module and the second encryption/decryption module are implemented in hardware, firmware, software executing on a processor or combination thereof; and
- decrypting, at one of the plurality of pass-through connectors, incoming data that is moving through the cloud gateway en route from one of the plurality of cloud service providers to the server, responsive to a data read request associated with a second user, the decrypting in accordance to one of the plurality of rules as related to the second user,
  wherein the incoming data includes padding information and encryption status; and
- wherein the encrypting includes encrypting an outgoing file via application of a first key in accordance with the one of the plurality of rules, encrypting the first key or a key name of the first key and file information via application of a master key, and combining the encrypted file and the encrypted first key or key name and file information as the encrypted outgoing data.
Dependent claims: 2, 3, 4, 5, 6, 7.
Abstract
A method for operating a cloud gateway is provided. The method includes generating a plurality of rules relating users and groups to data access at a plurality of cloud service providers. The method includes encrypting, at one of a plurality of connectors, outgoing data that is moving through a cloud gateway en route from a proxy server to one of the plurality of cloud service providers, responsive to a data write request associated with a first user, the encrypting in accordance to one of the plurality of rules as related to the first user. The method includes decrypting, at one of the plurality of connectors, incoming data that is moving through the cloud gateway en route from one of the plurality of cloud service providers to the server, responsive to a data read request associated with a second user, the decrypting in accordance to one of the plurality of rules as related to the second user.
19 Claims
8. A tangible, non-transitory, computer-readable media having instructions thereupon which, when executed by a processor, cause the processor to perform a method comprising:
- mapping users and network groups to access permissions relative to a plurality of cloud service providers;
- encrypting a first data, at one of a plurality of pass-through connectors coupled to a proxy server, responsive to a request associated with one of the users or one of the network groups to write the first data to one of the plurality of cloud service providers, the encrypting in accordance with the mapping,
  wherein the plurality of pass-through connectors includes a first pass-through connector that is coupled to the proxy server and associated to a first cloud service provider and has a first encryption/decryption module, and a second pass-through connector that is coupled to the proxy server and associated to a second cloud service provider and has a second encryption/decryption module, there being in the cloud gateway one pass-through connector per cloud service provider with keys for the plurality of pass-through connectors managed by the cloud gateway,
  wherein the first encryption/decryption module and the second encryption/decryption module are implemented in hardware, firmware, software executing on a processor or combination thereof; and
- decrypting a second data, at one of the plurality of pass-through connectors coupled to the proxy server, responsive to a request associated with one of the users or one of the network groups to read the second data from one of the plurality of cloud service providers, the decrypting in accordance with the mapping,
  wherein the incoming data includes padding information and encryption status, and
  wherein the encrypting includes encrypting an outgoing file via application of a first key in accordance with the one of the plurality of rules, encrypting the first key or a key name of the first key and file information via application of a master key, and combining the encrypted file and the encrypted first key or key name and file information as the encrypted outgoing data.
Dependent claims: 9, 10, 11, 12.
13. A mapping and access control system in a cloud gateway, comprising:
- a proxy server configured to access a plurality of cloud service providers;
- a plurality of pass-through connectors coupled to the proxy server, including a first pass-through connector having a first encryption/decryption module and configured to couple to and associate to a first cloud service provider via a network, and a second pass-through connector having a second encryption/decryption module and configured to couple to and associate to a second cloud service provider via the network;
- an administration module, executed by a hardware processor, configured to derive a plurality of access control rules based on users and network groups; and
- the plurality of pass-through connectors configured to encrypt data traveling from the proxy server to the plurality of cloud service providers and decrypt data traveling from the plurality of cloud service providers to the server, in accordance with the plurality of access control rules on a basis of individual users and individual network groups, with each pass-through connector for and associated to a specific cloud service provider, there being in the cloud gateway one pass-through connector per cloud service provider,
  wherein the first encryption/decryption module and the second encryption/decryption module are implemented in hardware, firmware, software executed on a processor, or combination thereof,
  wherein incoming data for the decrypting includes padding information and encryption status, and
  wherein the encrypting includes encrypting an outgoing file via application of a first key in accordance with the one of the plurality of rules, encrypting the first key or a key name of the first key and file information via application of a master key, and combining the encrypted file and the encrypted first key or key name and file information as the encrypted outgoing data.
Dependent claims: 14, 15, 16, 17, 18, 19.
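The envelope that the final "wherein" clause of claims 1, 8 and 13 describes (the file encrypted under a rule-selected first key, the key name and file information wrapped under a master key that stays in the gateway, and encryption status plus padding information carried on the stored object) can be made concrete with a small connector-side routine. This is an added, stdlib-only Python illustration, not the patent's or any product's code; the rule table, key names, byte layout and the HMAC-based cipher standing in for AES are all assumptions.

```python
import hashlib, hmac, json, os, struct

# Constructed sample data (not from the patent). A rule maps (user or group, provider)
# to the name of the "first key" that protects that principal's files at that provider.
RULES = {("alice", "provider-a"): "finance-key-v2", ("eng-group", "provider-b"): "eng-key-v1"}
KEYS = {"finance-key-v2": hashlib.sha256(b"demo-finance-key").digest(),
        "eng-key-v1": hashlib.sha256(b"demo-eng-key").digest()}
MASTER_KEY = hashlib.sha256(b"demo-master-key").digest()  # never leaves the gateway
BLOCK, ENCRYPTED = 16, 1

def _xor_stream(key, nonce, data):
    # Counter-mode keystream with HMAC-SHA256 as the PRF (stdlib stand-in for AES-CTR).
    ks = b"".join(hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
                  for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, ks))

def _seal(key, nonce, aad, data):
    # Encrypt-then-MAC with separate derived keys; the tag also binds the header (aad).
    enc_k, mac_k = [hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac")]
    ct = _xor_stream(enc_k, nonce, data)
    return ct + hmac.new(mac_k, aad + ct, hashlib.sha256).digest()

def _open(key, nonce, aad, sealed):
    enc_k, mac_k = [hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac")]
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_k, aad + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor_stream(enc_k, nonce, ct)

def encrypt_outgoing(user, provider, filename, data):
    """Envelope: status | pad_len | nonce | len | wrapped(key name + file info) | sealed padded file."""
    key_name = RULES[(user, provider)]            # the rule selects the first key
    pad_len = BLOCK - len(data) % BLOCK           # pad to the block size and record the amount
    nonce = os.urandom(16)
    header = bytes([ENCRYPTED, pad_len]) + nonce  # encryption status + padding information
    info = json.dumps({"key": key_name, "file": filename, "size": len(data)}).encode()
    wrapped = _seal(MASTER_KEY, nonce + b"wrap", header, info)  # master key wraps key name + file info
    body = _seal(KEYS[key_name], nonce, header, data + bytes([pad_len]) * pad_len)
    return header + struct.pack(">H", len(wrapped)) + wrapped + body

def decrypt_incoming(envelope):
    """Read status and padding info, unwrap the key name under the master key, decrypt the file."""
    if envelope[0] != ENCRYPTED:                  # status 0: object was stored in the clear
        return None, envelope[1:]
    header, pad_len, nonce = envelope[:18], envelope[1], envelope[2:18]
    wlen = struct.unpack(">H", envelope[18:20])[0]
    info = json.loads(_open(MASTER_KEY, nonce + b"wrap", header, envelope[20:20 + wlen]))
    padded = _open(KEYS[info["key"]], nonce, header, envelope[20 + wlen:])
    if padded[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("bad padding")
    return info["file"], padded[:-pad_len]
```

Because the key name is wrapped under the master key rather than stored in the clear, the object at the provider reveals neither which rule applied nor the file name, and the tag over the header means a flipped status or padding byte is rejected instead of being trusted.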