Secured transfer of data between datacenters

US 10,375,034 B2
Filed: 01/30/2017
Issued: 08/06/2019
Est. Priority Date: 01/30/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

running, at a first datacenter, a first plurality of host programs and a first plurality of encryption units;

establishing, between the first datacenter and a second datacenter, secure communication connections between each of the first plurality of encryption units and a corresponding one of a second plurality of encryptions units running at the second datacenter;

monitoring one or more performance metrics of the first plurality of encryption units;

transferring, by the first datacenter, data from the first plurality of host programs to a second plurality of host programs running at the second datacenter, including by;

receiving, by the first plurality of host programs, information indicative of the one or more performance metrics of the first plurality of encryption units;

selecting, by the first plurality of host programs, a subset of the first plurality of encryption units to encrypt data from the first plurality of host programs, wherein the subset of the first plurality of encryption units is selected based on the information indicative of the one or more performance metrics of the first plurality of encryption units;

sending data from the first plurality of host programs to the subset of the first plurality of encryption units;

encrypting the data sent to the subset of the first plurality of encryption units to generate encrypted data; and

sending, via the secure communication connections, the encrypted data from the subset of the first plurality of encryption units to the second plurality of encryption units.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various embodiments, a method of transferring data between datacenters may be performed. The method may include running a first plurality of host programs and a first plurality of encryption units at a first datacenter. The method may further include establishing, between the first datacenter and a second datacenter, secure communication connections between each of the first plurality of encryption units and a corresponding one of a second plurality of encryption units running at the second datacenter. The method may further include transferring, by the first datacenter, data from the first plurality of host programs to a second plurality of host programs running at the second datacenter.

Citations

19 Claims

1. A method, comprising:
- running, at a first datacenter, a first plurality of host programs and a first plurality of encryption units;
  
  establishing, between the first datacenter and a second datacenter, secure communication connections between each of the first plurality of encryption units and a corresponding one of a second plurality of encryptions units running at the second datacenter;
  
  monitoring one or more performance metrics of the first plurality of encryption units;
  
  transferring, by the first datacenter, data from the first plurality of host programs to a second plurality of host programs running at the second datacenter, including by;
  
  receiving, by the first plurality of host programs, information indicative of the one or more performance metrics of the first plurality of encryption units;
  
  selecting, by the first plurality of host programs, a subset of the first plurality of encryption units to encrypt data from the first plurality of host programs, wherein the subset of the first plurality of encryption units is selected based on the information indicative of the one or more performance metrics of the first plurality of encryption units;
  
  sending data from the first plurality of host programs to the subset of the first plurality of encryption units;
  
  encrypting the data sent to the subset of the first plurality of encryption units to generate encrypted data; and
  
  sending, via the secure communication connections, the encrypted data from the subset of the first plurality of encryption units to the second plurality of encryption units.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - monitoring one or more levels of usage of the first plurality of encryption units; and
      
      modifying a number of encryption units in the first plurality of encryption units based on the one or more levels of usage.
  - 3. The method of claim 2, wherein the modifying the number of encryption units comprises:
    - sending a request to an orchestration host to instantiate additional encryption units at the first datacenter and the second datacenter.
  - 4. The method of claim 1, further comprising:
    - determining that at least one of the one or more performance metrics of a particular encryption unit of the first plurality of encryption units is below a particular threshold;
      
      in response to the determining, adjusting information indicative of the at least one performance metric of the particular encryption unit; and
      
      providing the information indicative of the at least one performance metric of the particular encryption unit to each of the first plurality of host programs.
  - 5. The method of claim 1, further comprising:
    - determining that a performance level of a particular encryption unit of the first plurality of encryption units is below a performance threshold; and
      
      in response to the determining, sending a request to an orchestration host to remove the particular encryption unit from the first plurality of encryption units.
  - 6. The method of claim 1, further comprising:
    - determining, based on the one or more performance metrics, ranking information corresponding to the first plurality of encryption units; and
      
      providing the information indicative of the one or more performance metrics of the first plurality of encryption units to the first plurality of host programs, wherein the information indicative of the one or more performance metrics includes the ranking information.
  - 7. The method of claim 1, wherein the one or more performance metrics include, for a given encryption unit of the first plurality of encryption units, at least one of a processor utilization, a data transmission speed, or a status of a secure communication connection.
  - 8. The method of claim 1, wherein the secure communication connections include a secure tunnel over a peer-to-peer connection between each of the first plurality of encryption units and the corresponding one of the second plurality of encryption units running at the second datacenter.
  - 9. The method of claim 8, wherein each of the first plurality of encryption units and the second plurality of encryption units share a cryptographic key;
    - and wherein the encrypting includes establishing the secure tunnels using the cryptographic key.

10. A non-transitory, computer-readable medium having computer instructions stored thereon that are capable of being executed by a computer system to cause operations comprising:
- establishing secure communication connections between each of a first plurality of encryption units at a first datacenter and a corresponding one of a second plurality of encryption units at a second datacenter;
  
  providing, to a first plurality of host programs at the first datacenter, information indicative of one or more performance metrics of the first plurality of encryption units;
  
  transferring data from a first host program of the first plurality of host programs to a second host program of a second plurality of host programs at the second datacenter, wherein the transferring includes;
  
  receiving, at a first encryption unit of the first plurality of encryption units, data from the first host program, wherein the receiving is in response to the first host program selecting the first encryption unit to encrypt the data based on the information indicative of one or more performance metrics of the first encryption unit;
  
  encrypting, by the first encryption unit, the data to generate encrypted data; and
  
  sending, via a first secure communication connection of the secure communication connections, the encrypted data to a corresponding second encryption unit at the second datacenter;
  
  monitoring levels of usage of the first plurality of encryption units; and
  
  in response to a determination that the levels of usage exceed a particular threshold, sending a request to an orchestration host to add additional encryption units to the first plurality of encryption units.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The non-transitory, computer-readable medium of claim 10, wherein the encrypting includes using a parallel packet-processing algorithm to encrypt the data sent to the first encryption unit.
  - 12. The non-transitory, computer-readable medium of claim 10, wherein the operations further comprise:
    - monitoring the one or more performance metrics of the first plurality of encryption units; and
      
      determining ranking information for the first plurality of encryption units based on the one or more performance metrics.
  - 13. The non-transitory, computer-readable medium of claim 12, wherein the operations further comprise:
    - providing the information indicative of one or more performance metrics to the first plurality of host programs, wherein the information indicative of one or more performance metrics includes the ranking information for the first plurality of encryption units.
  - 14. The non-transitory, computer-readable medium of claim 10, wherein each of the first plurality of encryption units share a cryptographic key;
    - and wherein the encrypting comprises establishing a secure tunnel, using the cryptographic key, over a peer-to-peer connection between each of the first plurality of encryption units and the corresponding one of the second plurality of encryption units at the second datacenter.

15. A system, comprising:
- a datacenter facility that includes;
  
  a plurality of computer systems;
  
  a plurality of storage subsystems that are configured to store data for a plurality of entities; and
  
  a network interface configured to communicate with a second datacenter facility;
  
  wherein at least one of the plurality of computer systems includes a non-transitory, computer-readable medium having program instructions stored thereon that are capable of being executed by the plurality of computer systems to perform operations, comprising;
  
  establishing secure communication connections, via the network interface, between each of a first plurality of encryption units executing at the datacenter facility and a corresponding one of a second plurality of encryption units at the second datacenter facility;
  
  providing, to a first plurality of host programs executing on one or more of the plurality of computer systems, information indicative of one or more performance metrics of the first plurality of encryption units;
  
  monitoring one or more performance metrics of the first plurality of encryption units;
  
  transferring data from a first host program of the first plurality of host programs, via the network interface, to a second host program of a second plurality of host programs executing at the second datacenter facility, wherein the transferring includes;
  
  receiving, by the first host program, information indicative of the one or more performance metrics of the first plurality of encryption units;
  
  receiving, at a first encryption unit of the first plurality of encryption units, data from the first host program, wherein the receiving is in response to the first host program selecting the first encryption unit to encrypt the data based on the information indicative of one or more performance metrics of the first encryption unit;
  
  encrypting, by the first encryption unit, the data to generate encrypted data; and
  
  sending, via a first secure communication connection of the secure communication connections, the encrypted data to a corresponding second encryption unit at the second datacenter facility.
- View Dependent Claims (16, 17, 18)
- - 16. The system of claim 15, wherein at least one of the first plurality of encryption units includes a virtual machine running on one or more of the plurality of computer systems.
  - 17. The system of claim 15, wherein the secure communication connections include IPsec tunnels created over BGP peer-to-peer connections between the each of the first plurality of encryption units executing at the datacenter facility and the corresponding one of the second plurality of encryption units at the second datacenter facility.
  - 18. The system of claim 15, wherein the operations further comprise:
    - monitoring a transfer rate of the encrypted data; and
      
      based on the transfer rate, modify a number of encryption units in the first plurality of encryption units.

19. A method, comprising:
- running, at a first datacenter, a first plurality of host programs and a first plurality of encryption units;
  
  establishing, between the first datacenter and a second datacenter, secure communication connections between each of the first plurality of encryption units and a corresponding one of a second plurality of encryptions units running at the second datacenter;
  
  transferring, by the first datacenter, data from the first plurality of host programs to a second plurality of host programs running at the second datacenter, including by;
  
  selecting a subset of the first plurality of encryption units to encrypt data from the first plurality of host programs, wherein the subset of the first plurality of encryption units is selected based on information indicative of one or more performance metrics of the first plurality of encryption units;
  
  sending data from the first plurality of host programs to the subset of the first plurality of encryption units;
  
  encrypting the data sent to the subset of the first plurality of encryption units to generate encrypted data; and
  
  sending, via the secure communication connections, the encrypted data from the subset of the first plurality of encryption units to the second plurality of encryption units;
  
  monitoring one or more levels of usage of the first plurality of encryption units; and
  
  modifying a number of encryption units in the first plurality of encryption units based on the one or more levels of usage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Eldridge, Paul
Primary Examiner(s)
Chen, Shin-Hon (Eric)

Application Number

US15/419,303
Publication Number

US 20180219838A1
Time in Patent Office

918 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 11/3409   for performance assessment

G06F 11/3433   for load management allocat...

G06F 11/3442   for planning or managing th...

G06F 11/3452   Performance evaluation by s...

G06F 21/602   Providing cryptographic fac...

G06F 2201/81   Threshold

G06F 2221/2107   File encryption

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0485   Networking architectures fo...

Secured transfer of data between datacenters

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secured transfer of data between datacenters

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links