Secure data proxy for cloud computing environments

US 10,284,557 B1
Filed: 11/17/2016
Issued: 05/07/2019
Est. Priority Date: 11/17/2016
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a plurality of host devices configured to support execution of applications on behalf of one or more tenants of cloud infrastructure; and

a secure data proxy implemented utilizing at least one of the host devices;

wherein the secure data proxy comprises non-persistent storage configured to store data required for execution of at least one of the applications;

wherein the data is obtained by the secure data proxy from persistent storage in a storage system external to the cloud infrastructure;

wherein the secure data proxy is configured to perform cryptographic operations in conjunction with transfer of the data between the persistent storage of the external storage system and the non-persistent storage of the secure data proxy; and

wherein the secure data proxy comprises a clustered secure data proxy implemented utilizing a cluster of proxy containers provided by respective ones of the host devices and wherein applications executing in respective application containers of respective ones of the host devices are each able to locally access the corresponding proxy container provided by that host device;

the host devices being implemented on at least one processing platform comprising a processor coupled to a memory.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus in one embodiment comprises a plurality of host devices configured to support execution of applications on behalf of one or more tenants of cloud infrastructure. The apparatus further comprises a secure data proxy implemented utilizing at least one of the host devices. The secure data proxy comprises non-persistent storage configured to store data required for execution of at least one of the applications. The data is obtained by the secure data proxy from persistent storage in a storage system external to the cloud infrastructure. The secure data proxy is configured to perform cryptographic operations in conjunction with transfer of the data between the persistent storage of the external storage system and the non-persistent storage of the secure data proxy. The secure data proxy may be further configured to perform deduplication operations in conjunction with transfer of the data between the persistent storage and the non-persistent storage.

51 Citations

View as Search Results

20 Claims

1. An apparatus comprising:
- a plurality of host devices configured to support execution of applications on behalf of one or more tenants of cloud infrastructure; and
  
  a secure data proxy implemented utilizing at least one of the host devices;
  
  wherein the secure data proxy comprises non-persistent storage configured to store data required for execution of at least one of the applications;
  
  wherein the data is obtained by the secure data proxy from persistent storage in a storage system external to the cloud infrastructure;
  
  wherein the secure data proxy is configured to perform cryptographic operations in conjunction with transfer of the data between the persistent storage of the external storage system and the non-persistent storage of the secure data proxy; and
  
  wherein the secure data proxy comprises a clustered secure data proxy implemented utilizing a cluster of proxy containers provided by respective ones of the host devices and wherein applications executing in respective application containers of respective ones of the host devices are each able to locally access the corresponding proxy container provided by that host device;
  
  the host devices being implemented on at least one processing platform comprising a processor coupled to a memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The apparatus of claim 1 wherein the cloud infrastructure comprises a plurality of clouds each comprising a plurality of host devices and the secure data proxy is implemented in a distributed matter utilizing one or more of the host devices in each of multiple ones of the clouds of the cloud infrastructure.
  - 3. The apparatus of claim 1 wherein the non-persistent storage of the secure data proxy comprises random access memory.
  - 4. The apparatus of claim 1 wherein the host devices comprise respective container host devices and the applications execute in respective application containers implemented utilizing the container host devices.
  - 5. The apparatus of claim 1 wherein a given one of the application containers comprises a proxy extension through which that application container communicates with the proxy container on the same host device.
  - 6. The apparatus of claim 1 wherein the secure data proxy interacts with the storage system to transfer the data required for execution of the application into the non-persistent storage of the secure data proxy and to transfer corresponding modified data back from the non-persistent storage of the secure data proxy to the storage system.
  - 7. The apparatus of claim 1 wherein the secure data proxy is configured to mount one or more storage volumes from the external storage system and to expose at least portions of the one or more mounted storage volumes to one or more application containers in which at least one of the applications executes.
  - 8. The apparatus of claim 1 wherein the secure data proxy comprises a first secure data proxy associated with a first tenant of the cloud infrastructure and the apparatus further comprises one or more additional secure data proxies associated with respective additional tenants of the cloud infrastructure.
  - 9. The apparatus of claim 1 wherein the data obtained by the secure data proxy from the persistent storage in the storage system external to the cloud infrastructure for storage in the non-persistent storage of the secure data proxy is at no time stored in persistent storage of the cloud infrastructure.
  - 10. The apparatus of claim 1 further comprising a key management system accessible to the secure data proxy and configured to provide cryptographic keys to the secure data proxy for performing the cryptographic operations wherein the cryptographic keys comprise data encryption keys utilized for encrypting respective instances of at least one of blocks, objects and files of the data.
  - 11. The apparatus of claim 10 further comprising a metadata server accessible to the secure data proxy and configured to provide metadata to the secure data proxy for performing the cryptographic operations and wherein encryption of the metadata under a key encryption key is performed by the key management system.
  - 12. The apparatus of claim 1 wherein the secure data proxy is further configured to perform deduplication operations in conjunction with transfer of the data between the persistent storage of the external storage system and the non-persistent storage of the secure data proxy.
  - 13. The apparatus of claim 12 wherein one or more of the deduplication operations are applied to encrypted instances of at least one of blocks, objects and files of the data and a deduplication decision of a given such deduplication operation is based at least in part on metadata of the encrypted instances wherein the metadata comprises one or more data encryption keys of the encrypted instances and wherein the metadata is protected under a key encryption key.

14. A method comprising:
- configuring a plurality of host devices to support execution of applications on behalf of one or more tenants of cloud infrastructure; and
  
  implementing a secure data proxy utilizing at least one of the host devices;
  
  wherein the secure data proxy comprises non-persistent storage configured to store data required for execution of at least one of the applications;
  
  wherein the data is obtained by the secure data proxy from persistent storage in a storage system external to the cloud infrastructure;
  
  wherein the secure data proxy is configured to perform cryptographic operations in conjunction with transfer of the data between the persistent storage of the external storage system and the non-persistent storage of the secure data proxy; and
  
  wherein the secure data proxy comprises a clustered secure data proxy implemented utilizing a cluster of proxy containers provided by respective ones of the host devices and wherein applications executing in respective application containers of respective ones of the host devices are each able to locally access the corresponding proxy container provided by that host device;
  
  the method being performed by at least one processing platform comprising a processor coupled to a memory.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14 wherein a key management system accessible to the secure data proxy is configured to provide cryptographic keys to the secure data proxy for performing the cryptographic operations wherein the cryptographic keys comprise data encryption keys utilized for encrypting respective instances of at least one of blocks, objects and files of the data.
  - 16. The method of claim 14 wherein the cloud infrastructure comprises a plurality of clouds each comprising a plurality of host devices and the secure data proxy is implemented in a distributed matter utilizing one or more of the host devices in each of multiple ones of the clouds of the cloud infrastructure.

17. A computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing platform comprising a processor coupled to a memory causes the processing platform:
- to configure a plurality of host devices to support execution of applications on behalf of one or more tenants of cloud infrastructure; and
  
  to implement a secure data proxy utilizing at least one of the host devices;
  
  wherein the secure data proxy comprises non-persistent storage configured to store data required for execution of at least one of the applications;
  
  wherein the data is obtained by the secure data proxy from persistent storage in a storage system external to the cloud infrastructure;
  
  wherein the secure data proxy is configured to perform cryptographic operations in conjunction with transfer of the data between the persistent storage of the external storage system and the non-persistent storage of the secure data proxy; and
  
  wherein the secure data proxy comprises a clustered secure data proxy implemented utilizing a cluster of proxy containers provided by respective ones of the host devices and wherein applications executing in respective application containers of respective ones of the host devices are each able to locally access the corresponding proxy container provided by that host device.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product of claim 17 wherein a key management system accessible to the secure data proxy is configured to provide cryptographic keys to the secure data proxy for performing the cryptographic operations wherein the cryptographic keys comprise data encryption keys utilized for encrypting respective instances of at least one of blocks, objects and files of the data.
  - 19. The computer program product of claim 18 further comprising a metadata server accessible to the secure data proxy and configured to provide metadata to the secure data proxy for performing the cryptographic operations and wherein encryption of the metadata under a key encryption key is performed by the key management system.
  - 20. The computer program product of claim 17 wherein the cloud infrastructure comprises a plurality of clouds each comprising a plurality of host devices and the secure data proxy is implemented in a distributed matter utilizing one or more of the host devices in each of multiple ones of the clouds of the cloud infrastructure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Nossik, Misha, Du, Lejin, McCulligh, Murray
Primary Examiner(s)
Pyzocha, Michael
Assistant Examiner(s)
Tafaghodi, Zoha Piyadehghibi

Application Number

US15/354,486
Time in Patent Office

901 Days
Field of Search

713153
US Class Current
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

Secure data proxy for cloud computing environments

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure data proxy for cloud computing environments

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links