Data encryption service

US 10,395,042 B2
Filed: 06/29/2016
Issued: 08/27/2019
Est. Priority Date: 07/02/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a central data store comprising;

information related to a plurality of applications hosted in a cloud computing environment,information related to a plurality of cryptographic policies used to secure the plurality of applications, andinformation related to a plurality of encryption objects used to secure the plurality of applications; and

one or more computing devices configured to provide one or more data encryption services, wherein at least one computing device from the one or more computing devices comprises;

one or more processors, anda memory having stored thereon a set of instructions that, when executed by the one or more processors, cause the one or more processors to;

receive an application policy to apply to an application of the plurality of applications, the application policy specifying a type of encryption for securing at least a portion of data in the application;

in response to receiving the application policy;

identify the portion of the data in the application to be secured based on the application policy;

determine, based at least in part on the application policy, a cryptographic policy from the plurality of cryptographic policies for securing the portion of the data in the application, wherein the cryptographic policy specifies an encryption object of the plurality of encryption objects for securing the portion of the data in the application, and wherein the cryptographic policy is stored in the central data store; and

generate and store, in the central data store, a mapping between the application policy and the cryptographic policy for the portion of the data in the application;

receive, from a user device, a request for the portion of the data; and

in response to receiving the request;

acquire the encryption object from the central data store, based at least in part on the cryptographic policy;

secure the portion of the data in the application using the encryption object in accordance with the application policy and the cryptographic policy;

transmit the secured portion of the data to the user device; and

transmit notification information related to the application to a remote computing device, wherein the notification information comprises at least one of a roll-over date of the encryption object used to secure the portion of the data in the application, an expiry date of the encryption object, and a renewal date of the encryption object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A centralized framework for managing the data encryption of resources is disclosed. A data encryption service is disclosed that provides various services related to the management of the data encryption of resources. The services may include managing application policies, cryptographic policies, and encryption objects related to applications. The encryption objects may include encryption keys and certificates used to secure the resources. In an embodiment, the data encryption service may be included or implemented in a cloud computing environment and may provide a centralized framework for effectively managing the data encryption requirements of various applications hosted or provided by different customer systems. The disclosed data encryption service may provide monitoring and alert services related to encryption objects managed by the data encryption service and transmit the alerts related to the encryption objects via various communication channels.

Citations

17 Claims

1. A system comprising:
- a central data store comprising;
  
  information related to a plurality of applications hosted in a cloud computing environment,information related to a plurality of cryptographic policies used to secure the plurality of applications, andinformation related to a plurality of encryption objects used to secure the plurality of applications; and
  
  one or more computing devices configured to provide one or more data encryption services, wherein at least one computing device from the one or more computing devices comprises;
  
  one or more processors, anda memory having stored thereon a set of instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  receive an application policy to apply to an application of the plurality of applications, the application policy specifying a type of encryption for securing at least a portion of data in the application;
  
  in response to receiving the application policy;
  
  identify the portion of the data in the application to be secured based on the application policy;
  
  determine, based at least in part on the application policy, a cryptographic policy from the plurality of cryptographic policies for securing the portion of the data in the application, wherein the cryptographic policy specifies an encryption object of the plurality of encryption objects for securing the portion of the data in the application, and wherein the cryptographic policy is stored in the central data store; and
  
  generate and store, in the central data store, a mapping between the application policy and the cryptographic policy for the portion of the data in the application;
  
  receive, from a user device, a request for the portion of the data; and
  
  in response to receiving the request;
  
  acquire the encryption object from the central data store, based at least in part on the cryptographic policy;
  
  secure the portion of the data in the application using the encryption object in accordance with the application policy and the cryptographic policy;
  
  transmit the secured portion of the data to the user device; and
  
  transmit notification information related to the application to a remote computing device, wherein the notification information comprises at least one of a roll-over date of the encryption object used to secure the portion of the data in the application, an expiry date of the encryption object, and a renewal date of the encryption object.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the set of instructions comprise further instructions that, when executed by the one or more processors, cause the one or more processors to:
    - generate a mapping between the application and the application policy related to the application.
  - 3. The system of claim 2, wherein the set of instructions comprise further instructions that, when executed by the one or more processors, cause the one or more processors to:
    - determine one or more conditions associated with the application policy, wherein the one or more conditions specify when the application policy for the application is applicable;
      
      identify, based at least in part on the application policy, one or more actions to be performed when one or more of the conditions are satisfied; and
      
      generate the mapping between the application and the application policy based at least in part on the one or more conditions and the one or more actions.
  - 4. The system of claim 1, wherein the set of instructions comprise further instructions that, when executed by the one or more processors, cause the one or more processors to:
    - determine that a first condition is associated with the application policy when a first set of users access the application;
      
      determine that a second condition is associated with the application policy when a second set of users access the application, the second set of users being different from the first set of users;
      
      identify, based at least in part on the application policy, a first encryption to be performed for at least the portion of the data in the application, when the first condition is satisfied; and
      
      identify, based at least in part on the application policy, a second encryption to be performed for at least the portion of the data in the application, when the second condition is satisfied.
  - 5. The system of claim 1, wherein the set of instructions comprise further instructions that, when executed by the one or more processors, cause the one or more processors to:
    - determine that a first condition is associated with the application policy for the application when a user accesses a first portion of data in the application;
      
      determine that a second condition is associated with the application policy for the application when a user accesses a second portion of data in the application, the second portion being different from the first portion;
      
      identify, based at least in part on the application policy, a first action to be performed for the application, when the first condition is satisfied; and
      
      identify, based at least in part on the application policy, a second action to be performed for the application, when the second condition is satisfied.
  - 6. The system of claim 1, wherein the set of instructions comprise further instructions that, when executed by the one or more processors, cause the one or more processors to:
    - generate a mapping between the application policy, the cryptographic policy, and the encryption object for the portion of the data in the application.
  - 7. The system of claim 1, wherein the encryption object comprises at least one of an encryption key or a digital certificate.

8. A method comprising:
- receiving an application policy to apply to an application of a plurality of applications hosted in a cloud computing environment, the application policy specifying a type of encryption for securing at least a portion of data in the application;
  
  in response to receiving the application policy;
  
  identifying the portion of the data in the application to be secured based on the application policy;
  
  determining, based at least in part on the application policy, a cryptographic policy of a plurality of cryptographic policies for securing the portion of the data in the application, wherein;
  
  the cryptographic policy specifies an encryption object of a plurality of encryption objects for securing the portion of the data in the application,the plurality of cryptographic policies and the plurality of encryption objects are stored in a central data store of the cloud computing environment, andthe central data store further stores information related to the plurality of applications hosted in the cloud computing environment; and
  
  generating and storing, in the central data store, a mapping between the application policy and the cryptographic policy for the portion of the data in the application;
  
  receiving, from a user device, a request for the portion of the data; and
  
  in response to receiving the request;
  
  acquiring the encryption object from the central data store, based at least in part on the cryptographic policy;
  
  securing the portion of the data in the application using the encryption object in accordance with the application policy and the cryptographic policy;
  
  transmitting the secured portion of the data to the user device; and
  
  transmitting notification information related to the application to a remote computing device, wherein the notification information comprises at least one of a roll-over date of the encryption object used to secure the portion of the data in the application, an expiry date of the encryption object, and a renewal date of the encryption object.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 further comprising generating a mapping between the application and the application policy related to the application.
  - 10. The method of claim 9 wherein generating a mapping between the application and the application policy related to the application comprises:
    - determining one or more conditions associated with the application policy, wherein the one or more conditions specify when the application policy for the application is applicable; and
      
      identifying, based at least in part on the application policy, one or more actions to be performed when one or more of the conditions are satisfied.
  - 11. The method of claim 8 further comprising:
    - determining that a first condition is associated with the application policy when a first set of users access the application;
      
      determining that a second condition is associated with the application policy when a second set of users access the application, the second set of users being different from the first set of users;
      
      identifying, based at least in part on the application policy, a first encryption to be performed for at least the portion of the data in the application, when the first condition is satisfied; and
      
      identifying, based at least in part on the application policy, a second encryption to be performed for at least the portion of the data in the application, when the second condition is satisfied.
  - 12. The method of claim 8 further comprising:
    - determining that a first condition is associated with the application policy for the application when a user accesses a first portion of data in the application;
      
      determining that a second condition is associated with the application policy for the application when a user accesses a second portion of data in the application, the second portion being different from the first portion;
      
      identifying, based at least in part on the application policy, a first action to be performed for the application, when the first condition is satisfied; and
      
      identifying, based at least in part on the application policy, a second action to be performed for the application, when the second condition is satisfied.
  - 13. The method of claim 8 further comprising generating a mapping between the application policy, the cryptographic policy, and the encryption object for the portion of the application.
  - 14. The method of claim 8, wherein the encryption object comprises at least one of an encryption key or a digital certificate.

15. One or more non-transitory computer-readable media storing computer-executable instructions executable by one or more processors, the computer-executable instructions comprising:
- instructions that cause the one or more processors to receive an application policy to apply to an application of a plurality of applications hosted in a cloud computing environment, the application policy specifying a type of encryption for securing at least a portion of data in the application;
  
  instructions that cause the one or more processors to, in response to receiving the application policy;
  
  identify the portion of the data in the application to be secured based on the application policy;
  
  determine, based at least in part on the application policy, a cryptographic policy of a plurality of cryptographic policies for securing the portion of the data in the application, wherein;
  
  the cryptographic policy specifies an encryption object of a plurality of encryption objects for securing the portion of the data in the application,the plurality of cryptographic policies and the plurality of encryption objects are stored in a central data store of the cloud computing environment, andthe central data store further stores information related to the plurality of applications hosted in the cloud computing environment; and
  
  generate and store, in the central data store, a mapping between the application policy and the cryptographic policy for at least the portion of the data in the application;
  
  instructions that cause the one or more processors to receive, from a user device, a request for the portion of the data; and
  
  instructions that cause the one or more processors to, in response to receiving the request;
  
  acquire the encryption object from the central data store, based at least in part on the cryptographic policy;
  
  secure the portion of the data in the application using the encryption object in accordance with the application policy and the cryptographic policy;
  
  transmit the secured portion of the data to the user device; and
  
  transmit notification information related to the application to a remote computing device, wherein the notification information comprises at least one of a roll-over date of the encryption object used to secure the portion of the data in the application, an expiry date of the encryption object, and a renewal date of the encryption object.
- View Dependent Claims (16, 17)
- - 16. The computer-readable media of claim 15, wherein the computer-executable instructions further comprise instructions that cause the one or more processors to generate a mapping between the application policy, the cryptographic policy, and the encryption object for the portion of the data in the application.
  - 17. The computer-readable media of claim 15, wherein the encryption object comprises at least one of an encryption key or a digital certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Agarwal, Amit, Tirumalai, Srikant Krishnapuram, Sriramadhesikan, Krishnakumar
Primary Examiner(s)
Kabir, Jahangir

Application Number

US15/197,478
Publication Number

US 20170006064A1
Time in Patent Office

1,154 Days
Field of Search

726 1- 4, 726 16, 726 17
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/629   to features or functions of...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/3263   involving certificates, e.g...

H04W 12/02   Protecting privacy or anony...

H04W 12/03   Protecting confidentiality,...

H04W 4/12   Messaging; Mailboxes; Annou...

H04W 4/60   Subscription-based services...

Data encryption service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Data encryption service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links