Systems and methods for encryption and provision of information security using platform services

US 10,270,592 B1
Filed: 03/27/2017
Issued: 04/23/2019
Est. Priority Date: 02/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising the steps of:

retrieving a secure enrollment profile, wherein the secure enrollment profile comprises cryptographic identity data corresponding to a user of a particular electronic computing device that is enrolled with a federated security platform associated with a plurality of tenants, wherein the cryptographic identity data comprises unique cryptographic information;

determining, based on the secure enrollment profile, a particular tenant corresponding to the user for enabling secure tenant-specific tracking of electronic activities of the user and the particular electronic computing device;

receiving, from a server, one or more tenant-specific policies defining actions to be taken with respect to certain electronic activities resulting from interaction by the user with the particular electronic computing device, wherein the unique cryptographic information enables at least secure communications between the server and the particular electronic computing device;

identifying a particular electronic activity resulting from user interaction with the particular electronic computing device;

comparing the identified particular electronic activity to the one or more tenant-specific policies to determine an appropriate action to take with respect to the identified particular electronic activity; and

initiating the appropriate action with respect to the identified particular electronic activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for securing or encrypting data or other information arising from a user'"'"'s interaction with software and/or hardware, resulting in transformation of original data into ciphertext. Generally, the ciphertext is generated using context-based keys that depend on the environment in which the original data originated and/or was accessed. The ciphertext can be stored in a user'"'"'s storage device or in an enterprise database (e.g., at-rest encryption) or shared with other users (e.g., cryptographic communication). The system generally allows for secure federation across organizations, including mechanisms to ensure that the system itself and any other actor with pervasive access to the network cannot compromise the confidentially of the protected data.

86 Citations

View as Search Results

26 Claims

1. A method, comprising the steps of:
- retrieving a secure enrollment profile, wherein the secure enrollment profile comprises cryptographic identity data corresponding to a user of a particular electronic computing device that is enrolled with a federated security platform associated with a plurality of tenants, wherein the cryptographic identity data comprises unique cryptographic information;
  
  determining, based on the secure enrollment profile, a particular tenant corresponding to the user for enabling secure tenant-specific tracking of electronic activities of the user and the particular electronic computing device;
  
  receiving, from a server, one or more tenant-specific policies defining actions to be taken with respect to certain electronic activities resulting from interaction by the user with the particular electronic computing device, wherein the unique cryptographic information enables at least secure communications between the server and the particular electronic computing device;
  
  identifying a particular electronic activity resulting from user interaction with the particular electronic computing device;
  
  comparing the identified particular electronic activity to the one or more tenant-specific policies to determine an appropriate action to take with respect to the identified particular electronic activity; and
  
  initiating the appropriate action with respect to the identified particular electronic activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the cryptographic identity data further comprises a key space identifier and a tenant-specific device identifier.
  - 3. The method of claim 1, wherein the appropriate action is selected from the group comprising blocking a particular functionality of software operating on the particular electronic computing device, removing a particular user interface element of a particular application, blocking network traffic associated with a particular application, redacting at least some of a particular set of information, encrypting or decrypting a particular file, and encrypting or decrypting electronic data entered into a particular data field of a particular application.
  - 4. The method of claim 3, wherein the particular electronic activity comprises entry of an item of original data into the particular data field.
  - 5. The method of claim 4, wherein the appropriate action comprises encrypting the item of original data.
  - 6. The method of claim 5, wherein initiating the appropriate action further comprises the steps of:
    - transmitting a request for encryption of the item of original data to the server;
      
      receiving a response from the server, wherein the response comprises second unique cryptographic information; and
      
      generating an encrypted output of the item of original data as a function of the item of original data and the second unique cryptographic information.
  - 7. The method of claim 3, wherein the particular electronic activity comprises entry of an encrypted output of an item of original data into the particular data field.
  - 8. The method of claim 7, wherein the appropriate action comprises decrypting the encrypted output of the item of original data.
  - 9. The method of claim 8, wherein initiating the appropriate action further comprises the steps of:
    - identifying a key identifier relating to the encrypted output of the item of original data;
      
      transmitting a request for decryption of the encrypted output of the item of original data to the server, wherein the request includes the key identifier;
      
      receiving a response from the server, wherein the response comprises second unique cryptographic information corresponding to the key identifier; and
      
      generating the item of original data as a function of the encrypted output of the item of original data and the second unique cryptographic information.
  - 10. The method of claim 3, wherein the particular electronic activity comprises attempted use of the particular functionality.
  - 11. The method of claim 10, wherein the appropriate action comprises blocking the particular functionality.
  - 12. The method of claim 11, wherein the particular functionality is selected from the group comprising cut, copy, paste, print, print screen, download, upload, import, export, and save as.
  - 13. The method of claim 1, wherein the user comprises a computing service.

14. A system, comprising:
- a federated security platform associated with a plurality of tenants;
  
  a server; and
  
  an electronic computing device enrolled with the platform, the electronic computing device comprising a processor, the processor operative to;
  
  retrieve a secure enrollment profile, the secure enrollment profile comprising cryptographic identity data corresponding to a user of the electronic computing device, wherein the cryptographic identity data comprises unique cryptographic information;
  
  determine, based on at least the secure enrollment profile, a particular tenant corresponding to the user for enabling secure tenant-specific tracking of electronic activities of the user and the electronic computing device;
  
  receive, from the server, one or more tenant-specific policies defining actions to be taken with respect to certain electronic activities resulting from interaction by the user with the electronic computing device, wherein the unique cryptographic information enables secure communications between the server and the electronic computing device;
  
  identify a particular electronic activity resulting from user interaction with the electronic computing device;
  
  compare the identified particular electronic activity to the one or more tenant-specific policies to determine an appropriate action to take with respect to the identified particular electronic activity; and
  
  initiate the appropriate action with respect to the identified particular electronic activity.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, wherein the cryptographic identity data further comprises a key space identifier and a tenant-specific device identifier.
  - 16. The system of claim 14, wherein the appropriate action is selected from the group comprising blocking a particular functionality of software operating on the particular electronic computing device, removing a particular user interface element of a particular application, blocking network traffic associated with a particular application, redacting at least some of a particular set of information, encrypting or decrypting a particular file, and encrypting or decrypting electronic data entered into a particular data field of a particular application.
  - 17. The system of claim 16, wherein the particular electronic activity comprises entry of an item of original data into the particular data field.
  - 18. The system of claim 17, wherein the appropriate action comprises encrypting the item of original data.
  - 19. The system of claim 18, wherein the processor is further operative, as part of initiating the appropriate action, to:
    - transmit a request for encryption of the item of original data to the server;
      
      receive a response from the server, wherein the response comprises second unique cryptographic information; and
      
      generate an encrypted output of the item of original data as a function of the item of original data and the second unique cryptographic information.
  - 20. The system of claim 16, wherein the particular electronic activity comprises entry of an encrypted output of an item of original data into the particular data field.
  - 21. The system of claim 20, wherein the appropriate action comprises decrypting the encrypted output of the item of original data.
  - 22. The system of claim 21, wherein the processor is further operative, as part of initiating the appropriate action, to:
    - identify a key identifier relating to the encrypted output of the item of original data;
      
      transmit a request for decryption of the encrypted output of the item of original data to the server, wherein the request includes the key identifier;
      
      receive a response from the server, wherein the response comprises second unique cryptographic information corresponding to the key identifier; and
      
      generate the item of original data as a function of the encrypted output of the item of original data and the second unique cryptographic information.
  - 23. The system of claim 16, wherein the particular electronic activity comprises attempted use of the particular functionality.
  - 24. The system of claim 23, wherein the appropriate action comprises blocking the particular functionality.
  - 25. The system of claim 24, wherein the particular functionality is selected from the group comprising cut, copy, paste, print, print screen, download, upload, import, export, and save as.
  - 26. The system of claim 14, wherein the user comprises a computing service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ionic Security, Inc. (Twilio, Inc.)
Original Assignee
Ionic Security, Inc. (Twilio, Inc.)
Inventors
Ghetti, Adam, Green, Ken, Silva, Kenneth, Rollins, Michael, Tinkler, Nathaniel, Eckman, Jeremy, Speers, Ryan
Primary Examiner(s)
Herzog, Madhuri R

Application Number

US15/469,886
Time in Patent Office

757 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2133   Verifying human interaction...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 9/0819   Key transport or distributi...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/0861   Generation of secret inform...

Systems and methods for encryption and provision of information security using platform services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

86 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for encryption and provision of information security using platform services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others