Virtual service provider zones

US 10,474,829 B2
Filed: 09/21/2017
Issued: 11/12/2019
Est. Priority Date: 06/07/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

non-transitory memory to store instructions that, as a result of being executed by one or more processors of the system, cause the system to;

identify data to be stored in a first data storage device at a first location and a second data storage device at a different second location;

encrypt, based at least in part on a storage requirement indicating a set of administrative controls associated with the different second location, a portion of the data using a data key managed by a cryptography service such that the encrypted portion of the data is undecryptable at the second location;

encrypt, at the first location, the data key to generate an encrypted data key;

generate, at the first location, a data object comprising the encrypted portion and the encrypted data key; and

cause storage of the data object on the second data storage device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A service proxy services as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.

Citations

20 Claims

1. A system, comprising:
- non-transitory memory to store instructions that, as a result of being executed by one or more processors of the system, cause the system to;
  
  identify data to be stored in a first data storage device at a first location and a second data storage device at a different second location;
  
  encrypt, based at least in part on a storage requirement indicating a set of administrative controls associated with the different second location, a portion of the data using a data key managed by a cryptography service such that the encrypted portion of the data is undecryptable at the second location;
  
  encrypt, at the first location, the data key to generate an encrypted data key;
  
  generate, at the first location, a data object comprising the encrypted portion and the encrypted data key; and
  
  cause storage of the data object on the second data storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the storage requirement differs from another storage requirement associated with the first location.
  - 3. The system of claim 2, wherein the storage requirement includes a set of regulations associated with a legal jurisdiction that is different from the other storage requirement that includes a second set of regulations associated with a second legal jurisdiction.
  - 4. The system of claim 2, wherein the storage requirement includes the set of administrative controls that is different from the other storage requirement that includes a second set of administrative controls.
  - 5. The system of claim 1, wherein the first data storage device at the first location operates as a proxy to the second data storage device at the different second location.
  - 6. The system of claim 1, wherein the encrypted portion of the data is encrypted using the data key to generate encrypted data, the data key being accessible to the first data storage device while inaccessible to the second data storage device.
  - 7. The system of claim 6, wherein the data key is managed by the cryptography service associated with the first data storage device.

8. A computer-implemented method, comprising:
- identifying data to be stored in a first data storage device at a first location and a second data storage device at a different second location;
  
  causing to be encrypted using a key of a cryptography service, based at least in part on a storage requirement indicating a set administrative controls associated with the different second location, a portion of the data such that the encrypted portion of the data is undecryptable at the different second location; and
  
  causing storage of a data object comprising the encrypted portion and an encrypted key on the second data storage device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-implemented method of claim 8, wherein the storage requirement differs from another storage requirement associated with the first location.
  - 10. The computer-implemented method of claim 9, wherein the storage requirement includes a set of regulations associated with a legal jurisdiction that is different from the other storage requirement that includes a second set of regulations associated with a second legal jurisdiction.
  - 11. The computer-implemented method of claim 9, wherein the storage requirement includes the set of administrative controls that is different from the other storage requirement that includes a second set of administrative controls.
  - 12. The computer-implemented method of claim 8, wherein the first data storage device at the first location operates as a proxy to the second data storage device at the different second location.
  - 13. The computer-implemented method of claim 8, wherein the encrypted portion of the data is encrypted using the key to generate encrypted data, the key being accessible to the first data storage device while inaccessible to the second data storage device.
  - 14. The computer-implemented method of claim 13, wherein the key is managed by a cryptography service associated with the first data storage device.

15. A non-transitory computer-readable storage medium comprising executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- identify data to be stored in a first data storage device at a first location and a second data storage device at a different second location;
  
  obtain a key managed by a separate service to encrypt, based at least in part on a storage requirement indicating a set of administrative controls associated with the different second location, a portion of the data such that the encrypted portion of the data is undecryptable at the different second location; and
  
  cause storage of a data object comprising the encrypted portion and an encrypted key on the second data storage device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the storage requirement differs from another storage requirement associated with the first location.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the storage requirement includes at least one of:
    - a set of regulations associated with a legal jurisdiction that is different from the other storage requirement that includes a second set of regulations associated with a second legal jurisdiction;
      
      orthe set of administrative controls that is different from the other storage requirement that includes a second set of administrative controls.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein the first data storage device at the first location operates as a proxy to the second data storage device at the different second location.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the encrypted portion of the data is encrypted using the key to generate encrypted data, the key being accessible to the first data storage device while inaccessible to the second data storage device.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the key is managed by a cryptography service associated with the first data storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Brandwine, Eric Jason, Wren, Matthew James
Primary Examiner(s)
Song, Hee K

Application Number

US15/712,043
Publication Number

US 20180025168A1
Time in Patent Office

782 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6254   by anonymising data, e.g. d...

Virtual service provider zones

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual service provider zones

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links