Secure cloud-based shared content

US 10,402,376 B2
Filed: 06/30/2018
Issued: 09/03/2019
Est. Priority Date: 04/29/2015
Status: Active Grant

First Claim

Patent Images

1. A method for:

identifying a cloud-based environment, the cloud-based environment comprising at least a storage device storing a content object accessible by two or more users over a network;

performing, for a first user from a first enterprise, a content-based encryption that generates a first copy of an encrypted file by encrypting the content object with a content-based encryption key, wherein the content-based encryption key is encrypted by a first enterprise-based encryption key;

storing the first copy of the encrypted file at a cloud-based environment;

performing, for a second user from a second enterprise, the content-based encryption that generates a second copy of the encrypted file by encrypting the content object with the content-based encryption key, wherein the content-based encryption key is encrypted by a second enterprise-based encryption key that is different from the first enterprise-based encryption key;

storing the second copy of the encrypted file at a cloud-based environment; and

performing deduplication of the content object across multiple users that perform encryption, wherein the deduplication is performed based at least in part on at least one of, an intra-enterprise deduplicate directive, or an inter-enterprise deduplicate directive, wherein the at least one of the intra-enterprise deduplicate directive or the inter-enterprise deduplicate directive is accessed from metadata pertaining to a respective entity, wherein at least one deduplication directive is determined and the encrypted file is stored based at least in part on the at least one deduplication directive.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems for managing content in a cloud-based service platform. Procedures for deduplication of a shared object in a cloud-based environment having one or more storage devices that store one or more files that are accessible by two or more entities. A computer-implemented method commences by generating a content-based encryption key for a shared object wherein the key is derived from one of the shared objects. The shared object is encrypted using the content-based encryption key to generate a content-based encrypted file. The content-based encrypted file is stored in a cloud-based storage system. A second or Nth entity and/or any number of users from the respective entities can upload the same file for shared storage, and before storing the same file for shared storage, a server in the cloud-based storage environment performs deduplication of the encrypted file across multiple entities by applying an intra-enterprise deduplicate directive or an inter-enterprise deduplicate directive.

Citations

16 Claims

1. A method for:
- identifying a cloud-based environment, the cloud-based environment comprising at least a storage device storing a content object accessible by two or more users over a network;
  
  performing, for a first user from a first enterprise, a content-based encryption that generates a first copy of an encrypted file by encrypting the content object with a content-based encryption key, wherein the content-based encryption key is encrypted by a first enterprise-based encryption key;
  
  storing the first copy of the encrypted file at a cloud-based environment;
  
  performing, for a second user from a second enterprise, the content-based encryption that generates a second copy of the encrypted file by encrypting the content object with the content-based encryption key, wherein the content-based encryption key is encrypted by a second enterprise-based encryption key that is different from the first enterprise-based encryption key;
  
  storing the second copy of the encrypted file at a cloud-based environment; and
  
  performing deduplication of the content object across multiple users that perform encryption, wherein the deduplication is performed based at least in part on at least one of, an intra-enterprise deduplicate directive, or an inter-enterprise deduplicate directive, wherein the at least one of the intra-enterprise deduplicate directive or the inter-enterprise deduplicate directive is accessed from metadata pertaining to a respective entity, wherein at least one deduplication directive is determined and the encrypted file is stored based at least in part on the at least one deduplication directive.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further receiving a designation from an enterprise to two or more entities for access to sets of files within the cloud-based environment wherein a first set of files are allocated to a first entity and wherein a second set of files are allocated to a second entity.
  - 3. The method of claim 2, further comprising receiving an encrypted subject file to be added to the first set of the files that are allocated to the first entity.
  - 4. The method of claim 1, further comprising storing at least one of, an enterprise key, the content-based encryption key, or an enterprise-based encrypted key, in object metadata.
  - 5. The method of claim 4, further comprising:
    - decrypting, based at least in part on the enterprise key, the enterprise-based encrypted key to produce the content-based encryption key; and
      
      decrypting, based at least in part on the content-based encryption key, the encrypted file to produce an unencrypted file.
  - 6. The method of claim 1, further comprising:
    - receiving a collaboration invitation acceptance from at least one invitee from the entities;
      
      provisioning file access by the invitee to a subject file, the file access characterized at least in part by an association between an invitee enterprise key and the subject file; and
      
      encrypting, based at least in part on the invitee enterprise key, the content-based encryption key to produce an invitee enterprise-based encrypted key.
  - 7. The method of claim 6, further comprising storing the invitee enterprise-based encrypted key in object metadata.
  - 8. The method of claim 1, further comprising delivering, over a network, a virtual file system module to one or more user devices associated with the first user and the second user to access one or more of the files, wherein the virtual file system module performs at least one act of the method.

9. A computer readable medium, embodied in a non-transitory computer readable medium, the non-transitory computer readable medium having stored thereon a sequence of instructions which, when stored in memory and executed by a processor causes the processor to perform a set of acts for deduplication of a shared object in a cloud-based environment having with one or more storage devices that store one or more files that are accessible by two or more entities, the acts comprising:
- identifying a cloud-based environment, the cloud-based environment comprising at least a storage device storing a content object accessible by two or more users over a network;
  
  performing, for a first user from a first enterprise, a content-based encryption that generates a first copy of an encrypted file by encrypting the content object with a content-based encryption key, wherein the content-based encryption key is encrypted by a first enterprise-based encryption key;
  
  storing the first copy of the encrypted file at a cloud-based environment;
  
  performing, for a second user from a second enterprise, the content-based encryption that generates a second copy of the encrypted file by encrypting the content object with the content-based encryption key, wherein the content-based encryption key is encrypted by a second enterprise-based encryption key that is different from the first enterprise-based encryption key;
  
  storing the second copy of the encrypted file at a cloud-based environment; and
  
  performing deduplication of the content object across multiple users that perform encryption, wherein the deduplication is performed based at least in part on at least one of, an intra-enterprise deduplicate directive, or an inter-enterprise deduplicate directive, wherein the at least one of the intra-enterprise deduplicate directive or the inter-enterprise deduplicate directive is accessed from metadata pertaining to a respective entity, wherein at least one deduplication directive is determined and the encrypted file is stored based at least in part on the at least one deduplication directive.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer readable medium of claim 9, further receiving a designation from an enterprise to two or more entities for access to sets of the files within the cloud-based environment wherein a first set of files are allocated to a first entity and wherein a second set of files are allocated to a second entity.
  - 11. The computer readable medium of claim 10, further comprising instructions which, when stored in memory and executed by the processor causes the processor to perform acts of receiving an encrypted subject file to be added to the first set of the files that are allocated to the first entity.
  - 12. The computer readable medium of claim 9, further comprising instructions which, when stored in memory and executed by the processor causes the processor to perform acts of storing at least one of, an enterprise key, the content-based encryption key, or an enterprise-based encrypted key, in object metadata.
  - 13. The computer readable medium of claim 12, further comprising instructions which, when stored in memory and executed by the processor causes the processor to perform acts of:
    - decrypting, based at least in part on the enterprise key, the enterprise-based encrypted key to produce the content-based encryption key; and
      
      decrypting, based at least in part on the content-based encryption key, the encrypted file to produce an unencrypted file.
  - 14. The computer readable medium of claim 9, further comprising instructions which, when stored in memory and executed by the processor causes the processor to perform acts of:
    - receiving a collaboration invitation acceptance from at least one invitee from the entities; and
      
      provisioning file access by the invitee to a subject file, the file access characterized at least in part by an association between an invitee enterprise key and the subject file; and
      
      encrypting, based at least in part on the invitee enterprise key, the content-based encryption key to produce an invitee enterprise-based encrypted key.

15. A system for accessing a shared object in a cloud-based environment having one or more storage devices that store one or more files that are accessible by two or more entities, the system comprising:
- a storage medium having stored thereon a sequence of instructions; and
  
  a processor or processors that execute the instructions to cause the processor or processors to perform a set of acts, the acts comprising,identifying a cloud-based environment, the cloud-based environment comprising at least a storage device storing a content object accessible by two or more users over a network;
  
  performing, for a first user from a first enterprise, a content-based encryption that generates a first copy of an encrypted file by encrypting the content object with a content-based encryption key, wherein the content-based encryption key is encrypted by a first enterprise-based encryption key;
  
  storing the first copy of the encrypted file at a cloud-based environment;
  
  performing, for a second user from a second enterprise, the content-based encryption that generates a second copy of the encrypted file by encrypting the content object with the content-based encryption key, wherein the content-based encryption key is encrypted by a second enterprise-based encryption key that is different from the first enterprise-based encryption key;
  
  storing the second copy of the encrypted file at a cloud-based environment; and
  
  performing deduplication of the content object across multiple users that perform encryption, wherein the deduplication is performed based at least in part on at least one of, an intra-enterprise deduplicate directive, or an inter-enterprise deduplicate directive, wherein the at least one of the intra-enterprise deduplicate directive or the inter-enterprise deduplicate directive is accessed from metadata pertaining to a respective entity, wherein at least one deduplication directive is determined and the encrypted file is stored based at least in part on the at least one deduplication directive.
- View Dependent Claims (16)
- - 16. The system of claim 15, further receiving a designation from an enterprise to two or more entities for access to sets of the files within the cloud-based environment wherein a first set of files are allocated to a first entity and wherein a second set of files are allocated to a second entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Box Incorporated
Original Assignee
Box Incorporated
Inventors
Luthra, Tanooj, Malhotra, Ritik
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US16/024,748
Publication Number

US 20180307704A1
Time in Patent Office

430 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/0891   using clearing, invalidatin...

G06F 12/1081   for peripheral access to ma...

G06F 12/122   of the least frequently use...

G06F 16/113   Details of archiving lifecy...

G06F 16/172   Caching, prefetching or hoa...

G06F 16/1727   Details of free space manag...

G06F 16/1748   De-duplication implemented ...

G06F 16/1774   Locking methods, e.g. locki...

G06F 16/182   Distributed file systems

G06F 16/183   Provision of network file s...

G06F 16/185   Hierarchical storage manage...

G06F 16/188   Virtual file systems

G06F 16/196   Specific adaptations of the...

G06F 16/22   Indexing; Data structures t...

G06F 16/23   Updating

G06F 16/2443   Stored procedures

G06F 16/9574   of access to content, e.g. ...

G06F 2212/1016   Performance improvement

G06F 2212/1044   Space efficiency improvement

G06F 2212/154   Networked environment

G06F 2212/463 : File

G06F 2212/60 : Details of cache memory

G06F 2212/657 : Virtual address space manag...

G06F 9/46 : Multiprogramming arrangements

H04L 63/0428 : wherein the data content is...

H04L 65/70 : Media network packetisation

H04L 65/762 : at the source reformatting...

H04L 65/80 : Responding to QoS

H04L 67/06 : specially adapted for file ...

H04L 67/1097 : for distributed storage of ...

H04L 67/34 : involving the movement of s...

H04N 19/40 : using video transcoding, i....

View All

Secure cloud-based shared content

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Secure cloud-based shared content

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links