System and method for automatically securing sensitive data in public cloud using a serverless architecture

US 10,248,809 B1
Filed: 04/17/2018
Issued: 04/02/2019
Est. Priority Date: 04/11/2018
Status: Active Grant

First Claim

Patent Images

1. A system comprising a cloud compute service for executing jobs immediately upon receipt of a notification, the cloud compute service comprising:

one or more hardware processors; and

a memory unit storing instructions executable by the one or more hardware processors to perform operations comprising;

receiving, at the cloud compute service, a first notification that a first sensitive file comprising sensitive data has been received at a file receipt location, the first sensitive file being sent by a client device;

selecting, by the cloud compute service, a warm container instance for completing a first job comprising stripping the sensitive data from the first sensitive file;

assigning, by the cloud compute service, the first job to the warm container instance;

retrieving, by the warm container instance, the first sensitive file from the file receipt location;

generating, by the warm container instance, a first stripped file by stripping the sensitive data from the first sensitive file based on a configuration file;

transmitting, by the warm container instance, the first stripped file to a storage location;

deleting the first sensitive file from the file receipt location; and

terminating the warm container instance, whereinterminating the container instance comprises deleting files comprising sensitive data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided executing jobs immediately upon receipt of a notification. The systems and methods may include receiving, at a cloud compute service, a notification that a sensitive file comprising sensitive data has been received at a file receipt location, the sensitive file being sent by a client device; generating, by the cloud compute service, a container instance in response to the notification; retrieving, by the container instance, the sensitive file from the file receipt location; generating, by the container instance, a stripped file by stripping the sensitive data from the sensitive file based on a configuration file; transmitting, by the container instance, the stripped file to a storage location; deleting the sensitive file and associated file pointers from the file receipt location; and terminating the container instance, wherein terminating the container instance comprises deleting files comprising sensitive data and associated file pointers.

Citations

16 Claims

1. A system comprising a cloud compute service for executing jobs immediately upon receipt of a notification, the cloud compute service comprising:
- one or more hardware processors; and
  
  a memory unit storing instructions executable by the one or more hardware processors to perform operations comprising;
  
  receiving, at the cloud compute service, a first notification that a first sensitive file comprising sensitive data has been received at a file receipt location, the first sensitive file being sent by a client device;
  
  selecting, by the cloud compute service, a warm container instance for completing a first job comprising stripping the sensitive data from the first sensitive file;
  
  assigning, by the cloud compute service, the first job to the warm container instance;
  
  retrieving, by the warm container instance, the first sensitive file from the file receipt location;
  
  generating, by the warm container instance, a first stripped file by stripping the sensitive data from the first sensitive file based on a configuration file;
  
  transmitting, by the warm container instance, the first stripped file to a storage location;
  
  deleting the first sensitive file from the file receipt location; and
  
  terminating the warm container instance, whereinterminating the container instance comprises deleting files comprising sensitive data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein selecting the warm container instance is based on at least one of performance criteria or security criteria.
  - 3. The system of claim 2, wherein the security criteria comprises at least one of comparing the total runtime of the warm container instance to a threshold runtime or comparing the total number of jobs performed to threshold number of jobs.
  - 4. The system of claim 2, wherein the performance criteria comprises at least one of an estimated processing cost or an estimated runtime.
  - 5. The system of claim 1, the operations further comprising, prior to terminating the warm container instance:
    - receiving a second notification that a second sensitive file comprising sensitive data has been received at the file receipt location, the second sensitive file received from a client device;
      
      selecting, by the cloud compute service, the warm container instance for completing a second job comprising stripping the sensitive data from the second sensitive file;
      
      assigning, by the cloud compute service, the second job to the warm container instance;
      
      retrieving, by the warm container instance, the second sensitive file from the file receipt location;
      
      generating, by the warm container instance, a second stripped file by stripping the sensitive data from the second sensitive file based on a second configuration file;
      
      transmitting, by the warm container instance, the second stripped file to a second storage location; and
      
      deleting the second sensitive file from the file receipt location.
  - 6. The system of claim 5, wherein the second configuration file is the same as the first configuration file.
  - 7. The system of claim 5, wherein the second storage location is the same as the first storage location.
  - 8. The system of claim 1, wherein the each of the first storage location is accessible to users who complete an authentication process.
  - 9. The system of claim 1, wherein the terminating is based on security criteria, the security criteria comprising at least one of comparing the total runtime of the warm container instance to a threshold runtime or comparing the total number of jobs performed to threshold number of jobs.
  - 10. The system of claim 1, wherein the stripping is further based on an environment variable.
  - 11. The system of claim 1, wherein terminating the warm container instance further comprises wiping data by overwriting memory blocks.
  - 12. The system of claim 1, wherein deleting the first sensitive file comprises deleting file pointers associated with the first sensitive file, the file pointers indicating the memory address of blocks of sensitive data.
  - 13. The system of claim 5, wherein deleting the second sensitive file comprises deleting file pointers associated with the second sensitive file, the file pointers indicating the memory address of blocks of sensitive data.
  - 14. The system of claim 12, wherein deleting the first sensitive file further comprises overwriting memory blocks associated with the first sensitive file.
  - 15. The system of claim 13, wherein deleting the second sensitive file further comprise overwriting memory blocks associated with the second sensitive file.

16. A non-transitory computer readable medium having stored instructions, which when executed, cause at least one processor to perform operations comprising:
- receiving, at the cloud compute service, a first notification that a first sensitive file comprising sensitive data has been received at a file receipt location, the first sensitive file being sent by a client device;
  
  selecting, by the cloud compute service, a warm container instance for completing a first job comprising stripping the sensitive data from the first sensitive file;
  
  assigning, by the cloud compute service, the first job to the warm container instance;
  
  retrieving, by the warm container instance, the first sensitive file from the file receipt location;
  
  generating, by the warm container instance, a first stripped file by stripping the sensitive data from the first sensitive file based on a configuration file;
  
  transmitting, by the warm container instance, the first stripped file to a storage location;
  
  deleting the first sensitive file and associated file pointers from the file receipt location; and
  
  terminating the warm container instance, wherein terminating the container instance comprises deleting files comprising sensitive data and associated file pointers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Fonseka, Nathal L, Pansari, Ankit
Primary Examiner(s)
Dinh, Minh

Application Number

US15/955,359
Time in Patent Office

350 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/162   Delete operations erasing i...

G06F 21/602   Providing cryptographic fac...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2115   Third party

System and method for automatically securing sensitive data in public cloud using a serverless architecture

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for automatically securing sensitive data in public cloud using a serverless architecture

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links