Data loss prevention techniques
First Claim
Patent Images
1. A system, comprising:
- one or more processors; and
memory including computer executable instructions that, when executed by the one or more processors, cause the system to;
provide, by a service provider, an application programming interface accessible to one or more customers at a network address;
receive, by the service provider, data in connection with a request to perform one or more operations submitted to the application programming interface by the one or more customers;
analyze, by the service provider, the data to identify, based at least in part on a data type;
a subset of data that has the data type and that meets one or more criteria of one or more data policies, wherein an encryption algorithm is selected from a plurality of encryption algorithms based on the data type and security requirement associated with the one or more data polices;
modify, by the service provider, the subset of the data in accordance with the one or more data policies by at least encrypting the subset of the data using a cryptographic key inaccessible to a remote service that is independently capable of processing the request to perform the one or more operations, wherein the remote service comprises a set of computer systems that excludes the system and the cryptographic key is not stored in the remote service in plaintext form; and
provide, by the service provider, the modified subset of the data to the remote service, wherein the remote service provides data-related services to customers.
1 Assignment
0 Petitions
Accused Products
Abstract
Data received through a proxy for a service is analyzed for compliance with one or more data policies, such as one or more data loss prevention policies. When data satisfies the criteria of one or more data policies, the data is manipulated at the proxy prior to transmission of the data to the service. In some examples, the manipulation of the data includes encryption.
311 Citations
26 Claims
-
1. A system, comprising:
-
one or more processors; and memory including computer executable instructions that, when executed by the one or more processors, cause the system to; provide, by a service provider, an application programming interface accessible to one or more customers at a network address; receive, by the service provider, data in connection with a request to perform one or more operations submitted to the application programming interface by the one or more customers; analyze, by the service provider, the data to identify, based at least in part on a data type;
a subset of data that has the data type and that meets one or more criteria of one or more data policies, wherein an encryption algorithm is selected from a plurality of encryption algorithms based on the data type and security requirement associated with the one or more data polices;modify, by the service provider, the subset of the data in accordance with the one or more data policies by at least encrypting the subset of the data using a cryptographic key inaccessible to a remote service that is independently capable of processing the request to perform the one or more operations, wherein the remote service comprises a set of computer systems that excludes the system and the cryptographic key is not stored in the remote service in plaintext form; and provide, by the service provider, the modified subset of the data to the remote service, wherein the remote service provides data-related services to customers. - View Dependent Claims (2, 3, 4, 5, 6, 7, 20)
-
-
8. A computer-implemented method, comprising:
-
receiving, by a service provider, at an application programming interface proxy to one or more customers at a remote service, a request to process data whose fulfillment involves utilization of the remote service, wherein the remote service comprises a set of computer systems that excludes the system and a cryptographic key is not stored in the remote service in plaintext form; analyzing, by the service provider, the data to make a determination, based at least in part on a data type;
the data has the data type and whether the data implicates one or more data policies, wherein an encryption algorithm is selected from a plurality of encryption algorithms based on the data type and security requirement associated with the one or more data policies;processing, by the service provider, the data in accordance with the determination at least in part by modifying the data according to the one or more data policies implicated prior to utilization of the remote service and the data type, by at least encrypting the data to form encrypted data, wherein the remote service provides data-related services to customers; and utilizing, by a service provider, the remote service that is independently capable to process the request, the remote service lacking the cryptographic key usable to decrypt the encrypted data. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a system, cause the system to:
-
provide, by a service provider, an application programming interface proxy to one or more customers at a remote service, wherein the remote service comprises a set of computer systems that excludes the system and a cryptographic key is not stored in the remote service in plaintext form; cause, by the service provider, one or more data loss prevention policies on data received through the application programming interface proxy to be enforced at the remote service by at least; identifying, by the service provider, a subset of the data received, based at least in part on a data type, the data has the data type and that satisfies one or more data loss prevention criteria of the one or more data loss prevention policies, wherein an encryption algorithm is selected from a plurality of encryption algorithms based on the data type and security requirement associated with the one or more data loss prevention policies; and performing, by the service provider, one or more actions on the subset identified in accordance with the one or more data loss prevention criteria, the one or more actions including; modifying, by the service provider, data in the subset according to the type, at least by encrypting the data in the subset, to form modified data; and providing, by the service provider, the modified data to the remote service that is independently capable to process a request and lacks access to a cryptographic key usable to decrypt the modified data, wherein the remote service provides data-related services to customers. - View Dependent Claims (15, 16, 17, 18, 19)
-
-
21. A computer-implemented method, comprising:
-
providing, by a service provider, an application programming interface accessible to one or more customers at a network address; receiving, by the service provider, data in connection with a request to perform one or more operations submitted to the application programming interface by one or more customers; analyzing, by the service provider, the data to identify, based at least in part on a data type;
a subset of data that has the data type and that meets one or more criteria of one or more data policies;
wherein an encryption algorithm is selected from a plurality of encryption algorithms based on data type and security requirement associated with one or more data polices;modifying, by the service provider, the subset of the data in accordance with the one or more data policies by at least encrypting the subset of the data using a cryptographic key inaccessible to a remote service that is independently capable of processing the request to perform the one or more operations, wherein the remote service comprises a set of computer systems that excludes the system and the cryptographic key is not stored in the remote service in plaintext form; and providing, by the service provider, the modified subset of the data to the remote service, wherein the remote service provides data-related services to customers. - View Dependent Claims (22, 23, 24, 25, 26)
-
Specification