Establishing a cleanroom data processing environment

US 10,225,259 B2
Filed: 08/19/2016
Issued: 03/05/2019
Est. Priority Date: 03/30/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

configuring a virtual private cloud environment to prevent data from being sent to network locations external to the virtual private cloud environment;

receiving, by one or more computing resources deployed within the virtual private cloud environment through a first user account that is associated with the virtual private cloud environment, a first set of data;

deploying a set of one or more software components within the virtual private cloud environment, the set of one or more software components received from a second user account that is associated with the virtual private cloud environment;

wherein the first user account is associated with a first authentication token and the second user account is associated with a second authentication token;

generating, by the set of one or more software components deployed within the virtual private cloud environment based at least in part on the first set of data that is associated with the first user account, a set of output data;

continuously while the first set of data is stored in the virtual private cloud environment and unless the first user account authorizes export of the first set of data, preventing the first set of data from being sent to network locations external to the virtual private cloud environment; and

preventing access to resources within the virtual private cloud environment by network devices external to the virtual private cloud environment unless both the first user account and the second user account have been authenticated based, at least in part, on the first authentication token and the second authentication token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing a virtual cleanroom data processing environment are described herein. In one or more embodiments, a virtual private cloud environment is configured to prevent data from being sent to network locations external to the virtual private cloud environment. One or more computing resources deployed within the virtual private cloud environment receives, from a first source external to the virtual private cloud environment, a first set of data that is associated with a first user account. A set of one or more software components, received from a second source, are also deployed within the virtual private cloud environment. Once deployed, the set of software components generates, based at least in part on the first set of data, a set of output data. The first set of data is continuously prevented from being sent to network locations external to the virtual private cloud environment.

51 Citations

View as Search Results

20 Claims

1. A method comprising:
- configuring a virtual private cloud environment to prevent data from being sent to network locations external to the virtual private cloud environment;
  
  receiving, by one or more computing resources deployed within the virtual private cloud environment through a first user account that is associated with the virtual private cloud environment, a first set of data;
  
  deploying a set of one or more software components within the virtual private cloud environment, the set of one or more software components received from a second user account that is associated with the virtual private cloud environment;
  
  wherein the first user account is associated with a first authentication token and the second user account is associated with a second authentication token;
  
  generating, by the set of one or more software components deployed within the virtual private cloud environment based at least in part on the first set of data that is associated with the first user account, a set of output data;
  
  continuously while the first set of data is stored in the virtual private cloud environment and unless the first user account authorizes export of the first set of data, preventing the first set of data from being sent to network locations external to the virtual private cloud environment; and
  
  preventing access to resources within the virtual private cloud environment by network devices external to the virtual private cloud environment unless both the first user account and the second user account have been authenticated based, at least in part, on the first authentication token and the second authentication token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1,wherein the virtual private cloud environment includes a virtual private cloud endpoint;
    - wherein all outbound data from the virtual private cloud environment to sources external to the virtual private cloud environment are routed through the virtual private cloud endpoint.
  - 3. The method of claim 2, wherein the virtual private cloud endpoint disables access by the set of one or more software components to network locations external to the virtual private cloud environment.
  - 4. The method of claim 1, further comprising:
    - generating an administrator session in response to receiving the first authentication token and the second authentication token; and
      
      wherein during the administrator session access is restricted to a single internet protocol address and outbound access to the first set of data is prevented.
  - 5. The method of claim 1, further comprising:
    - storing a set of one or more policies that control access to a set of policies that control access to resources in the virtual private cloud environment; and
      
      preventing changes to the set of one or more policies unless both the first user account and the second user account have been authenticated.
  - 6. The method of claim 1, further comprisingregistering a first set of one or more security credentials for the first user account;
    - wherein the first set of one or more security credentials allows the first user account to store the first set of data in the virtual private cloud environment;
      
      registering a second set of one or more security credentials for the second user account;
      
      wherein the second set of one or more security credentials does not allow access to the first set of data that is stored in the virtual private cloud environment;
      
      registering a third set of one or more security credentials for the set of one or more software components deployed within the virtual private cloud environment; and
      
      wherein the third set of one or more security credentials provides at least one software component of the set of one or more software components with access to read the first set of data that is stored within the virtual private cloud environment and does not allow the one or more software components to access any resources sufficient to send the first set of data outside of the virtual private cloud environment without prior approval of at least the first user account.
  - 7. The method of claim 6, further comprising:
    - maintaining audit logs that track accesses to data stored within the virtual private cloud environment;
      
      wherein both the first and second set of security credentials are restricted from accessing the audit logs at rest; and
      
      wherein an administrator access session is initiated to copy a requested set of audit logs to a first location;
      
      wherein the second set of security credentials allow the second user account to read the audit logs in the first location and allow the second user account to approve and copy the audit logs to a second location;
      
      wherein the first set of one or more security credentials allow the first user account to read the audit logs from the second location.
  - 8. The method of claim 1, further comprising:
    - providing the set of output data to at least one network location outside of the virtual private cloud environment; and
      
      wherein the first set of data is not included in the set of output data.
  - 9. The method of claim 1, further comprising generating a set of log data that tracks all accesses to resources within the virtual private cloud environment by devices external to the virtual private cloud environment.

10. One or more non-transitory computer readable media storing instructions, which, when executed by one or more hardware processors, cause operations comprising:
- configuring a virtual private cloud environment to prevent data from being sent to network locations external to the virtual private cloud environment;
  
  receiving, by one or more computing resources deployed within the virtual private cloud environment through a first user account that is associated with the virtual private cloud environment, a first set of data;
  
  deploying a set of one or more software components within the virtual private cloud environment, the set of one or more software components received from a second user account that is associated with the virtual private cloud environment;
  
  wherein the first user account is associated with a first authentication token and the second user account is associated with a second authentication token;
  
  generating, by the set of one or more software components deployed within the virtual private cloud environment based at least in part on the first set of data that is associated with the first user account, a set of output data;
  
  continuously while the first set of data is stored in the virtual private cloud environment and unless the first user account authorizes export of the first set of data, preventing the first set of data from being sent to network locations external to the virtual private cloud environment; and
  
  preventing access to resources within the virtual private cloud environment by network devices external to the virtual private cloud environment unless both the first user account and the second user account have been authenticated based, at least in part, on the first authentication token and the second authentication token.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The one or more non-transitory computer readable media of claim 10,wherein the virtual private cloud environment includes a virtual private cloud endpoint;
    - wherein all outbound data from the virtual private cloud environment to sources external to the virtual private cloud environment are routed through the virtual private cloud endpoint.
  - 12. The one or more non-transitory computer readable media of claim 11, wherein the virtual private cloud endpoint disables access by the set of one or more software components to network locations external to the virtual private cloud environment.
  - 13. The one or more non-transitory computer readable media of claim 10, the instructions further causing operations comprising:
    - generating an administrator session in response to receiving the first authentication token and the second authentication token; and
      
      wherein during the administrator session access is restricted to a single internet protocol address and outbound access to the first set of data is prevented.
  - 14. The one or more non-transitory computer readable media of claim 10, the instructions further causing operations comprising:
    - storing a set of one or more policies that control access to a set of policies that control access to resources in the virtual private cloud environment; and
      
      preventing changes to the set of one or more policies unless both the first user account and the second user account have been authenticated.
  - 15. The one or more non-transitory computer readable media of claim 10, the instructions further causing operations comprising:
    - registering a first set of one or more security credentials for the first user account;
      
      wherein the first set of one or more security credentials allows the first user account to store the first set of data in the virtual private cloud environment;
      
      registering a second set of one or more security credentials for the second user account;
      
      wherein the second set of one or more security credentials does not allow access to the first set of data that is stored in the virtual private cloud environment;
      
      registering a third set of one or more security credentials for the set of one or more software components deployed within the virtual private cloud environment; and
      
      wherein the third set of one or more security credentials provides at least one software component of the set of one or more software components with access to read the first set of data that is stored within the virtual private cloud environment and does not allow the one or more software components to access any resources sufficient to send the first set of data outside of the virtual private cloud environment without prior approval of at least the first user account.
  - 16. The one or more non-transitory computer readable media of claim 15, the instructions further causing operations comprising:
    - maintaining audit logs that track accesses to data stored within the virtual private cloud environment;
      
      wherein both the first and second set of security credentials are restricted from accessing the audit logs at rest; and
      
      wherein an administrator access session is initiated to copy a requested set of audit logs to a first location;
      
      wherein the second set of security credentials allow the second user account to read the audit logs in the first location and allow the second user account to approve and copy the audit logs to a second location;
      
      wherein the first set of one or more security credentials allow the first user account to read the audit logs from the second location.
  - 17. The one or more non-transitory computer readable media of claim 10, the instructions further causing operations comprising:
    - providing the set of output data to at least one network location outside of the virtual private cloud environment; and
      
      wherein the first set of data is not included in the set of output data.
  - 18. The one or more non-transitory computer readable media of claim 10, the instructions further causing operations comprising generating a set of log data that tracks all accesses to resources within the virtual private cloud environment by devices external to the virtual private cloud environment.

19. A system comprising:
- one or more hardware processors;
  
  one or more non-transitory computer readable media storing instructions, which, when executed by the one or more hardware processors, cause operations comprising;
  
  configuring a virtual private cloud environment to prevent data from being sent to network locations external to the virtual private cloud environment;
  
  receiving, by one or more computing resources deployed within the virtual private cloud environment through a first user account that is associated with the virtual private cloud environment, a first set of data;
  
  deploying a set of one or more software components within the virtual private cloud environment, the set of one or more software components received from a second user account that is associated with the virtual private cloud environment;
  
  wherein the first user account is associated with a first authentication token and the second user account is associated with a second authentication token;
  
  generating, by the set of one or more software components deployed within the virtual private cloud environment based at least in part on the first set of data that is associated with the first user account, a set of output data;
  
  continuously while the first set of data is stored in the virtual private cloud environment and unless the first user account authorizes export of the first set of data, preventing the first set of data from being sent to network locations external to the virtual private cloud environment; and
  
  preventing access to resources within the virtual private cloud environment by network devices external to the virtual private cloud environment unless both the first user account and the second user account have been authenticated based, at least in part, on the first authentication token and the second authentication token.
- View Dependent Claims (20)
- - 20. The system of claim 19,wherein the virtual private cloud environment includes a virtual private cloud endpoint;
    - wherein all outbound data from the virtual private cloud environment to sources external to the virtual private cloud environment are routed through the virtual private cloud endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Plichta, Jeremy Ryszard, Baird, Andrew V, Siggs, Roger, DiMichel, Kevin Scott, Cuthbertson, Robert J, Mitchell, David Michael
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gundry, Stephen T

Application Number

US15/242,292
Publication Number

US 20170289169A1
Time in Patent Office

928 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

H04L 63/0272   Virtual private networks

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/308   retaining data, e.g. retain...

Establishing a cleanroom data processing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Establishing a cleanroom data processing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links