Automated management of confidential data in cloud environments
1 Assignment
0 Petitions
Abstract
A shared networked storage may be separated from a key vault system. A storage request with data to be stored and the storage request with a confidentiality rating may be received. The confidentiality rating may indicate a level of confidentiality the data is associated with. The storage request with the data and the confidentiality rating may be received via a shared networked storage access interface by a security layer. The data to be stored by the key vault system and the confidentiality rating may be encrypted on request of the security layer and into a data container. The shared networked storage may be categorized into Cloud zones. Each Cloud zone may be assigned a trust level. The data container may be stored in one of the Cloud zones of the shared networked storage. The trust level of the one of the Cloud zones may correspond to the confidentiality rating.
17 Claims
1. A method for storing data in a shared networked environment, the shared networked environment comprising a security layer between a shared networked storage and a shared networked storage access interface, the method comprising:
- physically separating the shared networked storage from a key vault system;
- receiving a storage request together with data to be stored in the shared networked storage and receiving the storage request together with a confidentiality rating, the confidentiality rating indicating a level of confidentiality the data is associated with, wherein the storage request together with the data and the confidentiality rating is received via the shared networked storage access interface by the security layer;
- encrypting, on request of the security layer and into a data container, the data to be stored by the key vault system, and encrypting, into the data container, the confidentiality rating;
- categorizing the shared networked storage into Cloud zones, wherein each Cloud zone is assigned a trust level;
- storing the data container in one of the Cloud zones of the shared networked storage, wherein the trust level of the one of the Cloud zones corresponds to the confidentiality rating;
- validating that the security layer is trusted for communication and validating that a transmission channel between the security layer and the key vault system is secured by a certificate-based encryption;
- creating a transfer ticket, the transfer ticket comprising a first signature made by the security layer and a second signature made by the key vault system; and
- sending the transfer ticket to the security layer.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer program product for storing data in a shared networked environment, the shared networked environment comprising a security layer between a shared networked storage and a shared networked storage access interface, the computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computing device to cause the computing device to perform a method, the method comprising:
- physically separating the shared networked storage from a key vault system;
- receiving a storage request together with data to be stored in the shared networked storage and receiving the storage request together with a confidentiality rating, the confidentiality rating indicating a level of confidentiality the data is associated with, wherein the storage request together with the data and the confidentiality rating is received via the shared networked storage access interface by the security layer;
- encrypting, on request of the security layer and into a data container, the data to be stored by the key vault system, and encrypting, into the data container, the confidentiality rating;
- categorizing the shared networked storage into Cloud zones, wherein each Cloud zone is assigned a trust level;
- storing the data container in one of the Cloud zones of the shared networked storage, wherein the trust level of the one of the Cloud zones corresponds to the confidentiality rating;
- validating that the security layer is trusted for communication and validating that a transmission channel between the security layer and the key vault system is secured by a certificate-based encryption;
- creating a transfer ticket, the transfer ticket comprising a first signature made by the security layer and a second signature made by the key vault system; and
- sending the transfer ticket to the security layer.
Dependent claims: 9, 10, 11, 12.
13. A system for storing data in a shared networked environment, the shared networked environment comprising a security layer between a shared networked storage and a shared networked storage access interface, the system comprising:
- a memory;
- a shared networked storage including the security layer, the security layer physically separated from a key vault system, wherein the shared networked storage comprises Cloud zones, wherein each of the Cloud zones has an assigned trust level;
- a receiving unit adapted to receive a storage request together with data to be stored in the shared networked storage and together with a confidentiality rating, wherein the storage request together with that data and the confidentiality rating is received via the shared networked storage access interface by the security layer;
- wherein the key vault system is adapted to encrypt the data to be stored and the confidentiality rating on request of the security layer into a data container;
- a storage component adapted to store the data container in one of the Cloud zones of the shared networked storage, wherein the trust level of the one of the Cloud zones corresponds to the confidentiality rating;
- wherein the key vault system is further adapted to validate that the storage request is compliant with configurable policies by: validating that the security layer is trusted for communication and validating that a transmission channel between the security layer and the key vault system is secured by a certificate-based encryption; creating a transfer ticket, the transfer ticket comprising a first signature made by the security layer and a second signature made by the key vault system; and sending the transfer ticket to the security layer.
Dependent claims: 14, 15, 16, 17.
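The container and zone-placement steps common to claims 1, 8 and 13, as an added illustration that is not part of the patent or of any product implementing it. It assumes one ordinal scale shared by confidentiality ratings and zone trust levels, treats "corresponds to" as equality, and uses AES-GCM as the key vault's encryption; the certificate-secured channel and the two-signature transfer ticket are outside this block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Ratings and zone trust levels share one ordinal scale (an assumption).
const (
	Public uint8 = iota
	Internal
	Confidential
)

// Container seals rating||data under one AES-GCM tag; the rating cannot be altered alone.
type Container struct{ Nonce, Ciphertext []byte }
// Vault models the key vault; the 32-byte data key never leaves it.
type Vault struct{ aead cipher.AEAD }
func NewVault(key []byte) (*Vault, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(blk)
	return &Vault{aead: g}, err
}

// Seal encrypts rating||data under a fresh random nonce.
func (v *Vault) Seal(rating uint8, data []byte) (Container, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Container{}, err
	}
	return Container{nonce, v.aead.Seal(nil, nonce, append([]byte{rating}, data...), nil)}, nil
}

// Place authenticates c and files it in the zone whose trust level equals the sealed rating.
func Place(v *Vault, zones map[uint8][]Container, c Container) (uint8, error) {
	pt, err := v.aead.Open(nil, c.Nonce, c.Ciphertext, nil)
	if err != nil || len(pt) == 0 {
		return 0, errors.New("container failed authentication")
	}
	if _, ok := zones[pt[0]]; !ok {
		return 0, errors.New("no zone with matching trust level")
	}
	zones[pt[0]] = append(zones[pt[0]], c)
	return pt[0], nil
}
```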
Specification