Leveraging security as a service for cloud-based file sharing

US 10,135,826 B2
Filed: 09/04/2015
Issued: 11/20/2018
Est. Priority Date: 09/04/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a cloud-based file sharing server external to an enterprise network and having connectivity to the enterprise network, receiving instructions from the enterprise network to validate files uploaded by users associated with the enterprise network before allowing the files to be downloaded;

receiving an encrypted file from a first user, the encrypted file specifying at least one second user authorized to download the encrypted file;

determining that the first user is associated with the enterprise network and, thus, that any files received from the first user should be validated;

based on the determining, forwarding the encrypted file from the file sharing server to a cloud-based security-as-a-service (SECaaS) server with which the cloud-based file sharing server is authenticated so that the cloud-based SECaaS server can decrypt the encrypted file and determine whether the file is malicious, the cloud-based SECaaS server being external to the cloud-based file sharing server and the enterprise network;

receiving a determination of maliciousness from the cloud-based SECaaS server, wherein the cloud-based SECaaS server generates the determination based on a decrypted version of the encrypted file, but does not provide the file sharing server with access to the decrypted version, regardless of whether the encrypted file is determined to be malicious or non-malicious; and

allowing the at least one second user to download the encrypted file based on the determination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of leveraging security-as-a-service for cloud-based file sharing includes receiving, at a cloud-based file sharing server external to an enterprise network and having connectivity to the enterprise network, instructions from an enterprise network to validate a file uploaded by a first user associated with the enterprise network before allowing the file to be downloaded. The file sharing server may then receive the file from the first user and forward the file to a cloud-based security-as-a-service (SECaaS) server that is also external to the enterprise network and has connectivity to the enterprise network. The file sharing server receives a determination of validation from the cloud-based SECaaS server and allows a second user to download the file based on the determination. To make the determination, the SECaaS server retrieves cryptographic keying material from a cloud-based key management server, and decrypts the file.

Citations

20 Claims

1. A method comprising:
- at a cloud-based file sharing server external to an enterprise network and having connectivity to the enterprise network, receiving instructions from the enterprise network to validate files uploaded by users associated with the enterprise network before allowing the files to be downloaded;
  
  receiving an encrypted file from a first user, the encrypted file specifying at least one second user authorized to download the encrypted file;
  
  determining that the first user is associated with the enterprise network and, thus, that any files received from the first user should be validated;
  
  based on the determining, forwarding the encrypted file from the file sharing server to a cloud-based security-as-a-service (SECaaS) server with which the cloud-based file sharing server is authenticated so that the cloud-based SECaaS server can decrypt the encrypted file and determine whether the file is malicious, the cloud-based SECaaS server being external to the cloud-based file sharing server and the enterprise network;
  
  receiving a determination of maliciousness from the cloud-based SECaaS server, wherein the cloud-based SECaaS server generates the determination based on a decrypted version of the encrypted file, but does not provide the file sharing server with access to the decrypted version, regardless of whether the encrypted file is determined to be malicious or non-malicious; and
  
  allowing the at least one second user to download the encrypted file based on the determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein forwarding the encrypted file to the cloud-based SECaaS server further comprises:
    - forwarding a uniform resource locator (URL) to the cloud-based SECaaS server, the URL enabling the cloud-based SECaaS server to obtain cryptographic keying information from a cloud-based key management server having connectivity to the enterprise network, the cryptographic keying information allowing the encrypted file to be decrypted.
  - 3. The method of claim 1, wherein at least one of the first user or the second user is located outside of the enterprise network.
  - 4. The method of claim 1, wherein the first user and the second user are unaware of the SECaaS validation.
  - 5. The method of claim 1, further comprising:
    - authenticating the cloud-based file sharing server to the cloud-based SECaaS server with authorization information obtained by the enterprise network from the cloud-based SECaaS server.
  - 6. The method of claim 1, wherein the enterprise network is off-path from a path used to receive the encrypted file.
  - 7. The method of claim 1, wherein the encrypted file prevents users with access to the cloud-based file sharing server from opening, modifying, or tampering with the encrypted file.

8. A system comprisingan enterprise network;
- a cloud-based security-as-a-service (SECaaS) server external to the enterprise network and having connectivity to the enterprise network; and
  
  a cloud-based file sharing server external to the enterprise network and the cloud-based SECaaS server, but having connectivity to the enterprise network and the cloud-based SECaaS server, the cloud-based file sharing server being configured to;
  
  receive instructions from the enterprise network to validate files uploaded by users associated with the enterprise network before allowing the files to be downloaded;
  
  receive an encrypted file from a first user, the encrypted file specifying at least one second user authorized to download the encrypted file;
  
  determine that the first user is associated with the enterprise network and, thus, that any files received from the first user should be validated;
  
  based on a determination that the first user is associated with the enterprise network, forward the encrypted file from the file sharing server to the cloud-based SECaaS server with which the cloud-based file sharing server is authenticated so that the cloud-based SECaaS server can decrypt the encrypted file and determine whether the file is malicious;
  
  receive a determination of maliciousness from the cloud-based SECaaS server, wherein the cloud-based SECaaS server generates the determination based on a decrypted version of the encrypted file, but does not provide the file sharing server with access to the decrypted version, regardless of whether the encrypted file is determined to be malicious or non-malicious; and
  
  allow the at least one second user to download the encrypted file based on the determination.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, further comprising:
    - a cloud-based key management server external to the enterprise network and having connectivity to the enterprise network, wherein the cloud-based file sharing server forwards the encrypted file to the cloud-based SECaaS server by;
      
      forwarding a uniform resource locator (URL) to the cloud-based SECaaS server, the URL enabling the cloud-based SECaaS server to obtain cryptographic keying information from the cloud-based key management server, the cryptographic keying information allowing the encrypted file to be decrypted.
  - 10. The system of claim 8, wherein at least one of the first user or the second user is located outside of the enterprise network.
  - 11. The system of claim 8, wherein the first user and the second user are unaware of the SECaaS validation.
  - 12. The system of claim 8, wherein the file sharing server is further configured to:
    - authenticate itself with the cloud-based SECaaS server with authorization information obtained by the enterprise network from the cloud-based SECaaS server.
  - 13. The system of claim 8, wherein the enterprise network is off-path from a path used to receive the encrypted file.
  - 14. The system of claim 8, wherein the encrypted file prevents users with access to the cloud-based file sharing server from opening, modifying, or tampering with the encrypted file.

15. A system comprisingan enterprise network;
- a cloud-based file sharing server external to the enterprise network and having connectivity to the enterprise network;
  
  a cloud-based key management server external to the enterprise network and having connectivity to the enterprise network; and
  
  a cloud-based security-as-a-service (SECaaS) server that is external to the enterprise network and the cloud-based file sharing server, but that has connectivity to the enterprise network and the cloud-based file sharing server, the cloud-based SECaaS server being configured to;
  
  receive a request from the enterprise network for authorization information that authorizes the SECaaS server to perform file scanning services;
  
  provide the requested authorization information to the enterprise network;
  
  authenticate the file sharing server using the authorization information;
  
  receive an encrypted file from the file sharing server when the cloud-based file sharing server determines that the encrypted file is received from a user associated with the enterprise network and forwards the encrypted file based on the user being associated with the enterprise network;
  
  retrieve cryptographic keying material from the key management server, the keying material allowing the encrypted file to be decrypted;
  
  decrypt the encrypted file to generate a decrypted version of the encrypted file;
  
  inspect the decrypted version of the encrypted file to determine whether the file is malicious; and
  
  notify the file sharing server as to whether the file is malicious while retaining the decrypted version at the SECaaS server so that the file sharing server cannot access the decrypted version, regardless of whether the encrypted file is determined to be malicious or non-malicious.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the encrypted file is received from the file sharing server with a uniform resource locator (URL) and the cloud-based SECaaS server uses the URL to obtain the keying material from the cloud-based key management server.
  - 17. The system of claim 15, wherein the authorization information is a first piece of authorization information and the cloud-based SECaaS server authorizes itself with the cloud-based key management server with a second piece of authorization information.
  - 18. The system of claim 17, wherein the second piece of authorization information is received from the enterprise network, the enterprise network retrieving the second piece of authorization information from the cloud-based key management server.
  - 19. The system of claim 15, wherein the enterprise network is off-path from a path used to receive the encrypted file.
  - 20. The system of claim 15, wherein the encrypted file prevents users with access to the cloud-based file sharing server from opening, modifying, or tampering with the encrypted file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Reddy, K. Tirumaleswar, Patil, Prashanth, Wing, Daniel
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Bell, Kalish K

Application Number

US14/845,505
Publication Number

US 20170070506A1
Time in Patent Office

1,173 Days
Field of Search

709220, 709223-225, 709229, 726 1- 3, 726 22- 24
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/06   specially adapted for file ...

H04L 67/10   in which an application is ...

Leveraging security as a service for cloud-based file sharing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Leveraging security as a service for cloud-based file sharing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links