System and method for automatically securing sensitive data in public cloud using a serverless architecture

US 10,460,123 B1
Filed: 02/15/2019
Issued: 10/29/2019
Est. Priority Date: 04/11/2018
Status: Active Grant

First Claim

Patent Images

1. A cloud compute service system comprising:

one or more hardware processors; and

a memory unit storing instructions executable by the one or more hardware processors to perform operations comprising;

receiving a notification that a sensitive file comprising sensitive data has been received at a file receipt location;

generating a first container instance in response to the notification;

receiving, from the first container instance, a report to the cloud compute serviceterminating the first container instance based on the report; and

generating a second container instance in response to the notification.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided executing jobs immediately upon receipt of a notification. The systems and methods may include receiving, at a cloud compute service, a notification that a sensitive file comprising sensitive data has been received at a file receipt location, the sensitive file being sent by a client device; generating, by the cloud compute service, a container instance in response to the notification; retrieving, by the container instance, the sensitive file from the file receipt location; generating, by the container instance, a stripped file by stripping the sensitive data from the sensitive file based on a configuration file; transmitting, by the container instance, the stripped file to a storage location; deleting the sensitive file and associated file pointers from the file receipt location; and terminating the container instance, wherein terminating the container instance comprises deleting files comprising sensitive data and associated file pointers.

Citations

20 Claims

1. A cloud compute service system comprising:
- one or more hardware processors; and
  
  a memory unit storing instructions executable by the one or more hardware processors to perform operations comprising;
  
  receiving a notification that a sensitive file comprising sensitive data has been received at a file receipt location;
  
  generating a first container instance in response to the notification;
  
  receiving, from the first container instance, a report to the cloud compute serviceterminating the first container instance based on the report; and
  
  generating a second container instance in response to the notification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the report comprises at least one of a job status or an error message.
  - 3. The system of claim 1, wherein the sensitive file is received at the file receipt location from a client device.
  - 4. The system of claim 1, wherein terminating the first container instance comprises:
    - deleting sensitive data of the sensitive files from the first container instance; and
      
      deleting file pointers associated with the sensitive data from the first container instance, wherein the file pointers indicate a memory address of blocks of sensitive data.
  - 5. The system of claim 4, wherein terminating the first container instance further comprises wiping data by overwriting memory blocks.
  - 6. The system of claim 1, wherein the operations further comprise:
    - retrieving, through the second container instance, the sensitive file from the file receipt location;
      
      generating, at the second container instance, a stripped file by stripping the sensitive data from the sensitive file based on a configuration file;
      
      transmitting, from the second container instance, the stripped file to a first storage location,deleting the sensitive file and associated file pointers from the file receipt location; and
      
      terminating the second container instance based on the report.
  - 7. The system of claim 6, wherein the operations further comprise:
    - transmitting, from the second container instance, the stripped file to a second storage location.
  - 8. The system of claim 2, wherein the stripping comprises:
    - replacing the sensitive data with at least one of aggregate data or encrypted data.
  - 9. The system of claim 6, wherein generating the stripped file further comprises:
    - performing data analysis on data contained in the sensitive file; and
      
      including a result of the data analysis in the stripped file.
  - 10. The system of claim 6, wherein the stripping is further based on an environment variable.
  - 11. The system of claim 6, wherein deleting the sensitive file from the file receipt location comprises:
    - sending, by the cloud compute service, an instruction to the file receipt location, the instruction comprising a command to destroy the sensitive file.
  - 12. The system of claim 6, wherein terminating the second container instance comprises:
    - deleting sensitive data of the sensitive files from the second container instance; and
      
      deleting file pointers associated with the sensitive data from the second container instance, the file pointers indicating a memory address of blocks of sensitive data.
  - 13. The system of claim 12, wherein terminating the second container instance further comprises wiping data by overwriting memory blocks.
  - 14. The system of claim 6, wherein terminating the second container instance further comprises transmitting a termination command to the second container instance.

15. A method for executing jobs immediately upon receipt of a notification, the method comprising:
- receiving a notification that a sensitive file comprising sensitive data has been received at a file receipt location;
  
  generating a first container instance in response to the notification;
  
  receiving, from the first container instance, a report to the cloud compute service terminating the first container instance based on the report; and
  
  generating a second container instance in response to the notification.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein the report comprises at least one of a job status or an error message.
  - 17. The method of claim 15, wherein the operations further comprise:
    - retrieving, through the second container instance, the sensitive file from the file receipt location;
      
      generating, at the second container instance, a stripped file by stripping the sensitive data from the sensitive file based on a configuration file;
      
      transmitting, from the second container instance, the stripped file to a first storage location,deleting the sensitive file and associated file pointers from the file receipt location; and
      
      terminating the second container instance based on the report.
  - 18. The method of claim 15, wherein terminating the first container instance comprises:
    - deleting sensitive data of the sensitive files from the first container instance; and
      
      deleting file pointers associated with the sensitive data from the first container instance, the file pointers indicating a memory address of blocks of sensitive data.
  - 19. The method of claim 17, wherein terminating the second container instance comprises:
    - deleting sensitive data of the sensitive files from the second container instance; and
      
      deleting file pointers associated with the sensitive data from the second container instance, the file pointers indicating a memory address of blocks of sensitive data.

20. A cloud compute service system comprising:
- one or more hardware processors; and
  
  a memory unit storing instructions executable by the one or more hardware processors to perform operations comprising;
  
  receiving a notification that a sensitive file comprising sensitive data has been received at a file receipt location;
  
  generating a first container instance in response to the notification;
  
  assigning, to the first container instance, a job comprising stripping the sensitive data from the first sensitive file, wherein the assigning comprises providing, to the first container instance, a file identifier of the sensitive file;
  
  receiving, from the first container instance, a report comprising at least one of a job status or an error message; and
  
  terminating the first container instance based on the report.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Fonseka, Nathal L., Pansari, Ankit
Primary Examiner(s)
Dinh, Minh

Application Number

US16/276,916
Publication Number

US 20190318111A1
Time in Patent Office

256 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/162   Delete operations erasing i...

G06F 21/602   Providing cryptographic fac...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2115   Third party

System and method for automatically securing sensitive data in public cloud using a serverless architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for automatically securing sensitive data in public cloud using a serverless architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links