System and method for automatically securing sensitive data in public cloud using a serverless architecture

US 10,121,021 B1
Filed: 04/11/2018
Issued: 11/06/2018
Est. Priority Date: 04/11/2018
Status: Active Grant

First Claim

Patent Images

1. A system comprising a cloud compute service for executing jobs immediately upon receipt of a notification, the cloud compute service comprising:

one or more hardware processors; and

a memory unit storing instructions executable by the one or more hardware processors to perform operations comprising;

receiving, at a cloud compute service, a notification that a sensitive file comprising sensitive data has been received at a file receipt location, the sensitive file being sent by a client device;

generating, by the cloud compute service, a container instance in response to the notification;

retrieving, by the container instance, the sensitive file from the file receipt location;

generating, by the container instance, a stripped file by stripping the sensitive data from the sensitive file based on a configuration file;

transmitting, by the container instance, the stripped file to a storage location;

deleting the sensitive file and associated file pointers from the file receipt location; and

terminating the container instance, wherein terminating the container instance comprises deleting files comprising sensitive data and associated file pointers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided executing jobs immediately upon receipt of a notification. The systems and methods may include receiving, at a cloud compute service, a notification that a sensitive file comprising sensitive data has been received at a file receipt location, the sensitive file being sent by a client device; generating, by the cloud compute service, a container instance in response to the notification; retrieving, by the container instance, the sensitive file from the file receipt location; generating, by the container instance, a stripped file by stripping the sensitive data from the sensitive file based on a configuration file; transmitting, by the container instance, the stripped file to a storage location; deleting the sensitive file and associated file pointers from the file receipt location; and terminating the container instance, wherein terminating the container instance comprises deleting files comprising sensitive data and associated file pointers.

Citations

20 Claims

1. A system comprising a cloud compute service for executing jobs immediately upon receipt of a notification, the cloud compute service comprising:
- one or more hardware processors; and
  
  a memory unit storing instructions executable by the one or more hardware processors to perform operations comprising;
  
  receiving, at a cloud compute service, a notification that a sensitive file comprising sensitive data has been received at a file receipt location, the sensitive file being sent by a client device;
  
  generating, by the cloud compute service, a container instance in response to the notification;
  
  retrieving, by the container instance, the sensitive file from the file receipt location;
  
  generating, by the container instance, a stripped file by stripping the sensitive data from the sensitive file based on a configuration file;
  
  transmitting, by the container instance, the stripped file to a storage location;
  
  deleting the sensitive file and associated file pointers from the file receipt location; and
  
  terminating the container instance, wherein terminating the container instance comprises deleting files comprising sensitive data and associated file pointers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, wherein stripping comprises:
    - replacing the sensitive data with at least one of aggregate data or encrypted data.
  - 3. The system of claim 1, wherein the operations further comprise:
    - decoding, by the container instance, the sensitive file before stripping the sensitive data; and
      
      encoding, by the container instance, the stripped file before transmitting the stripped file to a storage location.
  - 4. The system of claim 1, wherein the operations further comprise:
    - receiving, at the cloud compute service, from the file receipt location, the configuration file.
  - 5. The system of claim 1, wherein the stripping comprises partial stripping.
  - 6. The system of claim 1, wherein the configuration file comprises at least one of a field name, a string location, or a string length associated with the sensitive data.
  - 7. The system of claim 1, wherein:
    - the sensitive file comprises metadata and tags, the metadata and tags being added by the file receipt location; and
      
      the stripping is further based on the metadata and tags.
  - 8. The system of claim 1, wherein:
    - the sensitive data comprises information associated with a transaction; and
      
      the stripped file is Payment Card Industry compliant.
  - 9. The system of claim 1, wherein terminating the container instance further comprises wiping data by overwriting memory blocks.
  - 10. The system of claim 1, wherein the operations further comprise:
    - transmitting, by the container instance, the stripped file to a second storage location.
  - 11. The system of claim 1, wherein generating the stripped file further comprises:
    - performing data analysis on data contained in the sensitive file; and
      
      including a result of the data analysis in the stripped file.
  - 12. The system of claim 1, wherein deleting the sensitive file from the file receipt location comprises:
    - sending, by the cloud compute service, an instruction to the file receipt location, the instruction comprising a command to destroy the sensitive file.
  - 13. The system of claim 12, wherein destroying the sensitive file comprises:
    - immediately marking the sensitive file for permanent deletion; and
      
      permanently deleting the sensitive file and associated file pointers at a later point in time.
  - 14. The system of claim 1, wherein retrieving the sensitive file from the file receipt location comprises:
    - automatically receiving, by the container instance and from the file receipt location, the sensitive file.
  - 15. The system of claim 1, wherein:
    - the notification comprises a file identifier of the sensitive file; and
      
      retrieving the sensitive file from the file receipt location comprises;
      
      sending a request to the file receipt location, the request comprising the file identifier and an authentication credential; and
      
      receiving the sensitive file in response to the request.
  - 16. The system of claim 1, wherein the sensitive file is one of a plurality of sensitive files received in a stream at file receipt location.
  - 17. The system of claim 1, wherein, prior to terminating the container instance, the operations further comprise,generating, by the container instance, a second stripped file by stripping the sensitive data from the sensitive file based on a configuration file, the second stripped file comprising different information than the first stripped file,transmitting, by the container instance, the second stripped file to a second storage location, the second storage location being different from the first storage location.
  - 18. The system of claim 1, the operations further comprising:
    - generating, by the container instance, a report, the report comprising at least one of a job status or an error message; and
      
      sending, by the container instance, the report to the cloud compute service.

19. A method comprising:
- receiving, at a cloud compute service, a notification that a sensitive file comprising sensitive data has been received at a file receipt location, the sensitive file being sent by a client device;
  
  generating, by the cloud compute service, a container instance in response to the notification;
  
  retrieving, by the container instance, the sensitive file from the file receipt location;
  
  generating, by the container instance, a stripped file by stripping the sensitive data from the sensitive file based on a configuration file;
  
  transmitting, by the container instance, the stripped file to a storage location;
  
  deleting the sensitive file and associated file pointers from the file receipt location; and
  
  terminating the container instance, wherein terminating the container instance comprises deleting files comprising sensitive data and associated file pointers.

20. A non-transitory computer readable medium having stored instructions, which when executed, cause at least one processor to perform operations comprising:
- receiving a notification that a sensitive file comprising sensitive data has been received at a file receipt location, the sensitive file being sent by a client device;
  
  generating a container instance in response to the notification;
  
  retrieving, by the container instance, the sensitive file from the file receipt location;
  
  generating, by the container instance, a stripped file by stripping the sensitive data from the sensitive file based on a configuration file;
  
  transmitting, by the container instance, the stripped file to a storage location;
  
  deleting the sensitive file and associated file pointers from the file receipt location; and
  
  terminating the container instance, wherein terminating the container instance comprises deleting files comprising sensitive data and associated file pointers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Fonseka, Nathal L, Pansari, Ankit
Primary Examiner(s)
Dinh, Minh

Application Number

US15/950,551
Time in Patent Office

209 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/162   Delete operations erasing i...

G06F 21/602   Providing cryptographic fac...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2115   Third party

System and method for automatically securing sensitive data in public cloud using a serverless architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for automatically securing sensitive data in public cloud using a serverless architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links