Virtual service provider zones
First Claim
Patent Images
1. A system, comprising:
- non-transitory memory to store instructions that, as a result of being executed by one or more processors of the system, cause the system to;
identify data to be stored in a first data storage device at a first location and a second data storage device at a different second location;
encrypt, based at least in part on a storage requirement indicating a set of administrative controls associated with the different second location, a portion of the data using a data key managed by a cryptography service such that the encrypted portion of the data is undecryptable at the second location;
encrypt, at the first location, the data key to generate an encrypted data key;
generate, at the first location, a data object comprising the encrypted portion and the encrypted data key; and
cause storage of the data object on the second data storage device.
1 Assignment
0 Petitions
Accused Products
Abstract
A service proxy services as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.
-
Citations
20 Claims
-
1. A system, comprising:
non-transitory memory to store instructions that, as a result of being executed by one or more processors of the system, cause the system to; identify data to be stored in a first data storage device at a first location and a second data storage device at a different second location; encrypt, based at least in part on a storage requirement indicating a set of administrative controls associated with the different second location, a portion of the data using a data key managed by a cryptography service such that the encrypted portion of the data is undecryptable at the second location; encrypt, at the first location, the data key to generate an encrypted data key; generate, at the first location, a data object comprising the encrypted portion and the encrypted data key; and cause storage of the data object on the second data storage device. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
8. A computer-implemented method, comprising:
-
identifying data to be stored in a first data storage device at a first location and a second data storage device at a different second location; causing to be encrypted using a key of a cryptography service, based at least in part on a storage requirement indicating a set administrative controls associated with the different second location, a portion of the data such that the encrypted portion of the data is undecryptable at the different second location; and causing storage of a data object comprising the encrypted portion and an encrypted key on the second data storage device. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A non-transitory computer-readable storage medium comprising executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
-
identify data to be stored in a first data storage device at a first location and a second data storage device at a different second location; obtain a key managed by a separate service to encrypt, based at least in part on a storage requirement indicating a set of administrative controls associated with the different second location, a portion of the data such that the encrypted portion of the data is undecryptable at the different second location; and cause storage of a data object comprising the encrypted portion and an encrypted key on the second data storage device. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification