Data loss prevention techniques

US 10,075,471 B2
Filed: 07/01/2013
Issued: 09/11/2018
Est. Priority Date: 06/07/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more processors; and

memory including computer executable instructions that, when executed by the one or more processors, cause the system to;

provide, by a service provider, an application programming interface accessible to one or more customers at a network address;

receive, by the service provider, data in connection with a request to perform one or more operations submitted to the application programming interface by the one or more customers;

analyze, by the service provider, the data to identify, based at least in part on a data type;

a subset of data that has the data type and that meets one or more criteria of one or more data policies, wherein an encryption algorithm is selected from a plurality of encryption algorithms based on the data type and security requirement associated with the one or more data polices;

modify, by the service provider, the subset of the data in accordance with the one or more data policies by at least encrypting the subset of the data using a cryptographic key inaccessible to a remote service that is independently capable of processing the request to perform the one or more operations, wherein the remote service comprises a set of computer systems that excludes the system and the cryptographic key is not stored in the remote service in plaintext form; and

provide, by the service provider, the modified subset of the data to the remote service, wherein the remote service provides data-related services to customers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data received through a proxy for a service is analyzed for compliance with one or more data policies, such as one or more data loss prevention policies. When data satisfies the criteria of one or more data policies, the data is manipulated at the proxy prior to transmission of the data to the service. In some examples, the manipulation of the data includes encryption.

311 Citations

26 Claims

1. A system, comprising:
- one or more processors; and
  
  memory including computer executable instructions that, when executed by the one or more processors, cause the system to;
  
  provide, by a service provider, an application programming interface accessible to one or more customers at a network address;
  
  receive, by the service provider, data in connection with a request to perform one or more operations submitted to the application programming interface by the one or more customers;
  
  analyze, by the service provider, the data to identify, based at least in part on a data type;
  
  a subset of data that has the data type and that meets one or more criteria of one or more data policies, wherein an encryption algorithm is selected from a plurality of encryption algorithms based on the data type and security requirement associated with the one or more data polices;
  
  modify, by the service provider, the subset of the data in accordance with the one or more data policies by at least encrypting the subset of the data using a cryptographic key inaccessible to a remote service that is independently capable of processing the request to perform the one or more operations, wherein the remote service comprises a set of computer systems that excludes the system and the cryptographic key is not stored in the remote service in plaintext form; and
  
  provide, by the service provider, the modified subset of the data to the remote service, wherein the remote service provides data-related services to customers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 20)
- - 2. The system of claim 1, wherein the computer executable instructions further cause the system to at least:
    - provide one or more notifications corresponding to meeting the one or more criteria, orperform enhanced logging for the subset identified.
  - 3. The system of claim 1, wherein the computer executable instructions further include computer executable instructions that cause the system to:
    - obtain an encrypted cryptographic key;
      
      decrypt the encrypted cryptographic key to form the cryptographic key; and
      
      as a result of transmission of the modified subset of the data to the remote service, destroy the cryptographic key.
  - 4. The system of claim 1, wherein:
    - the computer executable instructions further cause the system to receive, through the application programming interface, user-defined rules for modifying data; and
      
      the computer executable instructions that cause the system to modify the subset of data cause the system to modify the data in accordance with the user-defined rules.
  - 5. The system of claim 1, wherein:
    - the computer executable instructions that cause the system to analyze the data includes computer executable instructions that cause the system to detect, in the data, one or more instances of a data type specified as sensitive; and
      
      the subset of the data includes the one or more instances of the data type specified as sensitive.
  - 6. The system of claim 1, wherein the computer executable instructions further cause the system to provide a second subset of the data received to the remote service without modifying the second subset.
  - 7. The system of claim 1, wherein the computer executable instructions further cause the system to:
    - receive a second request whose fulfillment includes retrieval of the subset of data;
      
      obtain the modified subset of data from the remote service;
      
      reverse modification of the modified subset of the data to form a regenerated subset of data; and
      
      fulfill the second request using the regenerated subset of data.
  - 20. The system of claim 1, wherein the data is received from a requestor that is different from the system.

8. A computer-implemented method, comprising:
- receiving, by a service provider, at an application programming interface proxy to one or more customers at a remote service, a request to process data whose fulfillment involves utilization of the remote service, wherein the remote service comprises a set of computer systems that excludes the system and a cryptographic key is not stored in the remote service in plaintext form;
  
  analyzing, by the service provider, the data to make a determination, based at least in part on a data type;
  
  the data has the data type and whether the data implicates one or more data policies, wherein an encryption algorithm is selected from a plurality of encryption algorithms based on the data type and security requirement associated with the one or more data policies;
  
  processing, by the service provider, the data in accordance with the determination at least in part by modifying the data according to the one or more data policies implicated prior to utilization of the remote service and the data type, by at least encrypting the data to form encrypted data, wherein the remote service provides data-related services to customers; and
  
  utilizing, by a service provider, the remote service that is independently capable to process the request, the remote service lacking the cryptographic key usable to decrypt the encrypted data.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer-implemented method of claim 8, comprising:
    - obtaining an encrypted data key;
      
      decrypting the encrypted data key to form the cryptographic key; and
      
      as a result of the remote service to process the request, destroy the cryptographic key.
  - 10. The computer-implemented method of claim 8, wherein the request is received at a private Internet protocol address of the application programming interface proxy.
  - 11. The computer-implemented method of claim 8, wherein the request to process the data is a request to store the data.
  - 12. The computer-implemented method of claim 8, further comprising:
    - receiving, at the application programming interface proxy, one or more user-defined criteria for the one or more data policies; and
      
      generating the determination is based at least in part on the one or more user-defined criteria.
  - 13. The computer-implemented method of claim 8, further comprising:
    - receiving, at the application programming interface, a second request to process second data whose fulfillment involves utilization of the remote service; and
      
      preventing the second data from being transmitted to the remote service as a result of the second data satisfying one or more criteria of the one or more data policies.

14. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a system, cause the system to:
- provide, by a service provider, an application programming interface proxy to one or more customers at a remote service, wherein the remote service comprises a set of computer systems that excludes the system and a cryptographic key is not stored in the remote service in plaintext form;
  
  cause, by the service provider, one or more data loss prevention policies on data received through the application programming interface proxy to be enforced at the remote service by at least;
  
  identifying, by the service provider, a subset of the data received, based at least in part on a data type, the data has the data type and that satisfies one or more data loss prevention criteria of the one or more data loss prevention policies, wherein an encryption algorithm is selected from a plurality of encryption algorithms based on the data type and security requirement associated with the one or more data loss prevention policies; and
  
  performing, by the service provider, one or more actions on the subset identified in accordance with the one or more data loss prevention criteria, the one or more actions including;
  
  modifying, by the service provider, data in the subset according to the type, at least by encrypting the data in the subset, to form modified data; and
  
  providing, by the service provider, the modified data to the remote service that is independently capable to process a request and lacks access to a cryptographic key usable to decrypt the modified data, wherein the remote service provides data-related services to customers.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The one or more non-transitory computer-readable storage media of claim 14, wherein:
    - the system is operated by a computing resource service provider; and
      
      the application programming interface proxy is available to multiple customers of the computing resource service provider at one or more public network addresses.
  - 16. The one or more non-transitory computer-readable storage media of claim 14, wherein the application programming interface proxy and remote service are implemented in separate facilities.
  - 17. The one or more non-transitory computer-readable storage media of claim 14, wherein the one or more data loss prevention policies are programmatically configurable through the application programming interface proxy.
  - 18. The one or more non-transitory computer-readable storage media of claim 14, wherein the application programming interface proxy and the remote service are accessible by different uniform resource locators.
  - 19. The one or more non-transitory computer-readable storage media of claim 14, wherein performing the one or more actions further includes:
    - encrypting the cryptographic key to form an encrypted data key; and
      
      providing the encrypted data key to the remote service, wherein the remote service is unable to decrypt the encrypted data key.

21. A computer-implemented method, comprising:
- providing, by a service provider, an application programming interface accessible to one or more customers at a network address;
  
  receiving, by the service provider, data in connection with a request to perform one or more operations submitted to the application programming interface by one or more customers;
  
  analyzing, by the service provider, the data to identify, based at least in part on a data type;
  
  a subset of data that has the data type and that meets one or more criteria of one or more data policies;
  
  wherein an encryption algorithm is selected from a plurality of encryption algorithms based on data type and security requirement associated with one or more data polices;
  
  modifying, by the service provider, the subset of the data in accordance with the one or more data policies by at least encrypting the subset of the data using a cryptographic key inaccessible to a remote service that is independently capable of processing the request to perform the one or more operations, wherein the remote service comprises a set of computer systems that excludes the system and the cryptographic key is not stored in the remote service in plaintext form; and
  
  providing, by the service provider, the modified subset of the data to the remote service, wherein the remote service provides data-related services to customers.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The computer-implemented method of claim 21, further comprising:
    - providing one or more notifications corresponding to meeting the one or more criteria, orperforming enhanced logging for the subset identified.
  - 23. The computer-implemented method of claim 21, further comprising:
    - obtaining an encrypted cryptographic key;
      
      decrypting the encrypted cryptographic key to form the cryptographic key; and
      
      as a result of transmission of the modified subset of the data to the remote service, destroying the cryptographic key.
  - 24. The computer-implemented method of claim 21, further comprising:
    - causing the system to receive, through the application programming interface, user-defined rules for modifying data; and
      
      causing the system to modify the subset of the data cause the system to modify the data in accordance with the user-defined rules.
  - 25. The computer-implemented method of claim 21, wherein analyzing the data includes detecting, in the data, one or more instances of a data type specified as sensitive and the subset of data includes the one or more instances of the data type specified as sensitive.
  - 26. The computer-implemented method of claim 21, further comprising causing the system to provide a second subset of the data received to the remote service without modifying the second subset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Brandwine, Eric Jason, Wren, Matthew James
Primary Examiner(s)
Gracia, Gary S

Application Number

US13/932,872
Publication Number

US 20150019858A1
Time in Patent Office

1,898 Days
Field of Search

713150, 713152, 713153, 713168, 713169, 713170, 713193, 726 1, 726 28, 726 27, 709206, 709213, 709227, 709239, 709253
US Class Current
CPC Class Codes

G06F 21/62   Protecting access to data v...

H04L 63/0471   applying encryption by an i...

H04L 63/06   for supporting key manageme...

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

Data loss prevention techniques

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

311 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Data loss prevention techniques

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

311 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links