Geofencing of data in a cloud-based environment
Abstract
Disclosed is an approach to incorporate geographical access control features for a cloud-based storage platform. This allows, for example, enterprise administrators to define geographical areas (geofences) with arbitrary precision within which content access can be denied for items of data.
18 Claims
1. A method for managing access to data, the method comprising:
- configuring a geographic region for a data item, wherein the geographic region is represented by a plurality of grid squares that is definable by a single coordinate location, the plurality of grid squares defines an area of protection for the data item;
- encrypting the data item with a key (DEK), wherein the DEK is encrypted by using the plurality of grid squares to generate a set of encrypted encryption key (EDEK);
- receiving a request to access the data item;
- identifying a location associated with the request to access the data item;
- determining whether to decrypt the data item based at least in part on the location associated with the request to access the data item, wherein the data item is decryptable if the location associated with the request corresponds to at least one EDEK from among the set of EDEK; and
- allowing or denying access to the data item based at least in part on if the location corresponds to a geographic location for which access is denied for the data item.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer program product, embodied in a non-transitory computer readable medium, the non-transitory computer readable medium having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute a process, the process comprising:
- configuring a geographic region for a data item, wherein the geographic region is represented by a plurality of grid squares that is definable by a single coordinate location, the plurality of grid squares defines an area of protection for the data item;
- encrypting the data item with a key (DEK), wherein the DEK is encrypted by using the plurality of grid squares to generate a set of encrypted encryption key (EDEK);
- receiving a request to access the data item;
- identifying a location associated with the request to access the data item;
- determining whether to decrypt the data item based at least in part on the location associated with the request to access the data item, wherein the data item is decryptable if the location associated with the request corresponds to at least one EDEK from among the set of EDEK; and
- allowing or denying access to the data item based at least in part on if the location corresponds to a geographic location for which access is denied for the data item.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16
17. A system for managing access to data, the system comprising:
- a processor;
- a memory comprising a computer program product, embodied in a non-transitory computer readable medium, the non-transitory computer readable medium having stored thereon a sequence of instructions which, when executed by the processor causes the processor to execute a process, the process comprising;
  - configuring a geographic region for a data item, wherein the geographic region is represented by a plurality of grid squares that is definable by a single coordinate location, the plurality of grid squares defines an area of protection for the data item;
  - encrypting the data item with a key (DEK), wherein the DEK is encrypted by using the plurality of grid squares to generate a set of encrypted encryption key (EDEK);
  - receiving a request to access the data item;
  - identifying a location associated with the request to access the data item;
  - determining whether to decrypt the data item based at least in part on the location associated with the request to access the data item, wherein the data item is decryptable if the location associated with the request corresponds to at least one EDEK from among the set of EDEK; and
  - allowing or denying access to the data item based at least in part on if the location corresponds to a geographic location for which access is denied for the data item.
Dependent claims: 18
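Added example, not part of the patent text: a minimal sketch of the flow recited in claim 1, where a DEK is wrapped once per grid square and can be unwrapped only when the request location falls in one of those squares. The page does not specify the grid resolution, key derivation or wrapping scheme, so `CELL_DEG`, the server-held `master` secret, the HMAC-derived per-square key and the XOR-plus-MAC wrap (a stand-in for an authenticated key wrap such as AES-KW) are all assumptions.

```python
import hashlib
import hmac
import math
import os

CELL_DEG = 0.01  # assumed grid resolution in degrees (not from the page)

def square_id(lat, lon):
    """Quantise a coordinate to the grid square that contains it."""
    return f"{math.floor(lat / CELL_DEG)}:{math.floor(lon / CELL_DEG)}"

def region_squares(lat, lon, radius_cells):
    """Block of grid squares defined by a single centre coordinate."""
    row, col = math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG)
    span = range(-radius_cells, radius_cells + 1)
    return [f"{row + dr}:{col + dc}" for dr in span for dc in span]

def _mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def wrap_dek(master, dek, squares):
    """Return {square: (nonce, wrapped DEK, tag)}: one EDEK per square.

    Square ids are low-entropy, so the per-square key is derived from a
    server-held secret; otherwise an EDEK could be opened by enumerating
    squares. The DEK is assumed to be 32 bytes.
    """
    edeks = {}
    for sq in squares:
        kek = _mac(master, b"kek", sq.encode())
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(dek, _mac(kek, b"pad", nonce)))
        edeks[sq] = (nonce, ct, _mac(kek, b"tag", nonce, ct))
    return edeks

def unwrap_for_location(master, edeks, lat, lon):
    """Return the DEK if the request location maps to an EDEK, else None."""
    sq = square_id(lat, lon)
    if sq not in edeks:
        return None  # no EDEK for this square: deny
    nonce, ct, tag = edeks[sq]
    kek = _mac(master, b"kek", sq.encode())
    if not hmac.compare_digest(tag, _mac(kek, b"tag", nonce, ct)):
        return None  # EDEK tampered with or wrong key: deny
    return bytes(a ^ b for a, b in zip(ct, _mac(kek, b"pad", nonce)))
```

The location passed to `unwrap_for_location` has to be one the server established itself; a coordinate supplied by the client would let the requester pick the square.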
Specification