Leveraging security as a service for cloud-based file sharing
First Claim
1. A method comprising:
- at a cloud-based file sharing server external to an enterprise network and having connectivity to the enterprise network, receiving instructions from the enterprise network to validate files uploaded by users associated with the enterprise network before allowing the files to be downloaded;
- receiving an encrypted file from a first user, the encrypted file specifying at least one second user authorized to download the encrypted file;
- determining that the first user is associated with the enterprise network and, thus, that any files received from the first user should be validated;
- based on the determining, forwarding the encrypted file from the file sharing server to a cloud-based security-as-a-service (SECaaS) server with which the cloud-based file sharing server is authenticated so that the cloud-based SECaaS server can decrypt the encrypted file and determine whether the file is malicious, the cloud-based SECaaS server being external to the cloud-based file sharing server and the enterprise network;
- receiving a determination of maliciousness from the cloud-based SECaaS server, wherein the cloud-based SECaaS server generates the determination based on a decrypted version of the encrypted file, but does not provide the file sharing server with access to the decrypted version, regardless of whether the encrypted file is determined to be malicious or non-malicious; and
- allowing the at least one second user to download the encrypted file based on the determination.
Abstract
A method of leveraging security-as-a-service for cloud-based file sharing includes receiving, at a cloud-based file sharing server external to an enterprise network and having connectivity to the enterprise network, instructions from an enterprise network to validate a file uploaded by a first user associated with the enterprise network before allowing the file to be downloaded. The file sharing server may then receive the file from the first user and forward the file to a cloud-based security-as-a-service (SECaaS) server that is also external to the enterprise network and has connectivity to the enterprise network. The file sharing server receives a determination of validation from the cloud-based SECaaS server and allows a second user to download the file based on the determination. To make the determination, the SECaaS server retrieves cryptographic keying material from a cloud-based key management server, and decrypts the file.
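The abstract and the independent claims describe a three-party flow: the file sharing server holds only ciphertext and forwards it to an authenticated SECaaS server, the SECaaS server fetches keying material from a key management server, decrypts and inspects the file, keeps the decrypted copy, and returns nothing but a verdict, on which the file sharing server gates downloads. The following simulation is an added example written for this page, not code from the patent or any product; the toy SHA-256 keystream cipher, the `MALWARE_MARKER` signature, the token strings and all party and user names are constructed for the demonstration.

```python
import hashlib
import secrets

# Constructed toy cipher: XOR with SHA-256(key || block counter). It stands in for
# the unspecified encryption in the claims and is NOT a real AEAD; do not reuse it.
def _xor_stream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

MALWARE_MARKER = b"MALWARE_MARKER"  # constructed signature the SECaaS scanner looks for

class KeyManagementServer:
    """Cloud key management server: holds per-file keys, releases them only to the SECaaS server."""
    def __init__(self):
        self._keys = {}
        self.secaas_credential = secrets.token_hex(16)  # assumed pre-shared KMS<->SECaaS trust
    def register_key(self, file_id: str, key: bytes) -> None:
        self._keys[file_id] = key
    def get_key(self, credential: str, file_id: str) -> bytes:
        if not secrets.compare_digest(credential, self.secaas_credential):
            raise PermissionError("only the SECaaS server may retrieve keying material")
        return self._keys[file_id]

class SecaasServer:
    """Cloud SECaaS server: authenticates the file sharing server, decrypts, inspects, returns a verdict only."""
    def __init__(self, kms: KeyManagementServer, kms_credential: str):
        self._kms, self._kms_credential = kms, kms_credential
        self._tokens = {}                # authorization token -> enterprise id (claim 15: issued on request)
        self.retained_plaintexts = {}    # decrypted versions stay here and are never returned
    def request_authorization(self, enterprise_id: str) -> str:
        token = secrets.token_hex(16)
        self._tokens[token] = enterprise_id
        return token
    def scan(self, token: str, file_id: str, ciphertext: bytes) -> dict:
        if token not in self._tokens:
            raise PermissionError("file sharing server is not authenticated")
        key = self._kms.get_key(self._kms_credential, file_id)
        plaintext = _xor_stream(key, ciphertext)
        self.retained_plaintexts[file_id] = plaintext
        # Only the determination leaves this server, whatever the verdict.
        return {"file_id": file_id, "malicious": MALWARE_MARKER in plaintext}

class FileSharingServer:
    """Cloud file sharing server: stores ciphertext, forwards enterprise uploads for scanning, gates downloads."""
    def __init__(self, secaas: SecaasServer):
        self._secaas = secaas
        self._policies = {}   # enterprise mail domain -> SECaaS token (the enterprise's validation instruction)
        self.files = {}       # file_id -> {"ciphertext", "recipients", "malicious"}
    def configure_validation(self, enterprise_domain: str, secaas_token: str) -> None:
        self._policies[enterprise_domain] = secaas_token
    def upload(self, uploader: str, file_id: str, ciphertext: bytes, recipients) -> "bool | None":
        record = {"ciphertext": ciphertext, "recipients": set(recipients), "malicious": None}
        token = self._policies.get(uploader.split("@", 1)[1])   # is the uploader an enterprise user?
        if token is not None:
            record["malicious"] = self._secaas.scan(token, file_id, ciphertext)["malicious"]
        self.files[file_id] = record
        return record["malicious"]   # None means: not an enterprise user, nothing was forwarded
    def download(self, user: str, file_id: str) -> bytes:
        record = self.files[file_id]
        if user not in record["recipients"]:
            raise PermissionError("not an authorized recipient")
        if record["malicious"]:
            raise PermissionError("blocked: SECaaS flagged the file as malicious")
        return record["ciphertext"]

def run_demo() -> dict:
    kms = KeyManagementServer()
    secaas = SecaasServer(kms, kms.secaas_credential)
    fss = FileSharingServer(secaas)
    token = secaas.request_authorization("example-corp")     # enterprise obtains authorization
    fss.configure_validation("example.com", token)            # and instructs the file sharing server
    results = {}
    for file_id, body in [("doc1", b"quarterly report"), ("doc2", b"invoice " + MALWARE_MARKER)]:
        key = secrets.token_bytes(32)
        kms.register_key(file_id, key)
        results[file_id] = fss.upload("alice@example.com", file_id, _xor_stream(key, body), ["bob@partner.org"])
    results["bob_gets_doc1"] = fss.download("bob@partner.org", "doc1") == fss.files["doc1"]["ciphertext"]
    try:
        fss.download("bob@partner.org", "doc2")
        results["doc2_blocked"] = False
    except PermissionError:
        results["doc2_blocked"] = True
    results["outsider"] = fss.upload("carol@elsewhere.net", "doc3", b"opaque", ["bob@partner.org"])
    # The file sharing server never holds the decrypted version; the SECaaS server does.
    results["fss_has_plaintext"] = b"quarterly report" in [r["ciphertext"] for r in fss.files.values()]
    results["secaas_kept_plaintext"] = secaas.retained_plaintexts["doc1"] == b"quarterly report"
    return results

if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes concrete is the trust boundary: the key management server releases keys only to the SECaaS credential, the scan call returns a dictionary with a boolean and no file content, and the file sharing server's own state (`fss.files`) contains ciphertext only. A deployment would replace the toy cipher with an authenticated encryption scheme and bind the SECaaS authorization to a real identity provider, but the party boundaries would stay where the claims put them.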
20 Claims
1. A method comprising the steps reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system comprising:
- an enterprise network;
- a cloud-based security-as-a-service (SECaaS) server external to the enterprise network and having connectivity to the enterprise network; and
- a cloud-based file sharing server external to the enterprise network and the cloud-based SECaaS server, but having connectivity to the enterprise network and the cloud-based SECaaS server, the cloud-based file sharing server being configured to:
  - receive instructions from the enterprise network to validate files uploaded by users associated with the enterprise network before allowing the files to be downloaded;
  - receive an encrypted file from a first user, the encrypted file specifying at least one second user authorized to download the encrypted file;
  - determine that the first user is associated with the enterprise network and, thus, that any files received from the first user should be validated;
  - based on a determination that the first user is associated with the enterprise network, forward the encrypted file from the file sharing server to the cloud-based SECaaS server with which the cloud-based file sharing server is authenticated so that the cloud-based SECaaS server can decrypt the encrypted file and determine whether the file is malicious;
  - receive a determination of maliciousness from the cloud-based SECaaS server, wherein the cloud-based SECaaS server generates the determination based on a decrypted version of the encrypted file, but does not provide the file sharing server with access to the decrypted version, regardless of whether the encrypted file is determined to be malicious or non-malicious; and
  - allow the at least one second user to download the encrypted file based on the determination.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A system comprising:
- an enterprise network;
- a cloud-based file sharing server external to the enterprise network and having connectivity to the enterprise network;
- a cloud-based key management server external to the enterprise network and having connectivity to the enterprise network; and
- a cloud-based security-as-a-service (SECaaS) server that is external to the enterprise network and the cloud-based file sharing server, but that has connectivity to the enterprise network and the cloud-based file sharing server, the cloud-based SECaaS server being configured to:
  - receive a request from the enterprise network for authorization information that authorizes the SECaaS server to perform file scanning services;
  - provide the requested authorization information to the enterprise network;
  - authenticate the file sharing server using the authorization information;
  - receive an encrypted file from the file sharing server when the cloud-based file sharing server determines that the encrypted file is received from a user associated with the enterprise network and forwards the encrypted file based on the user being associated with the enterprise network;
  - retrieve cryptographic keying material from the key management server, the keying material allowing the encrypted file to be decrypted;
  - decrypt the encrypted file to generate a decrypted version of the encrypted file;
  - inspect the decrypted version of the encrypted file to determine whether the file is malicious; and
  - notify the file sharing server as to whether the file is malicious while retaining the decrypted version at the SECaaS server so that the file sharing server cannot access the decrypted version, regardless of whether the encrypted file is determined to be malicious or non-malicious.
Dependent claims: 16, 17, 18, 19, 20.