Systems and methods for encryption and provision of information security using platform services

US 10,567,167 B1
Filed: 07/09/2018
Issued: 02/18/2020
Est. Priority Date: 02/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising the steps of:

retrieving a secure enrollment profile, wherein the secure enrollment profile comprises cryptographic identity data corresponding to a particular electronic computing device that is enrolled with a federated security platform associated with a plurality of tenants;

determining, based on the cryptographic identity data, a particular tenant corresponding to the particular electronic computing device for enabling secure tenant-specific tracking, by the platform, of electronic activities of the particular electronic computing device;

receiving, from the platform, one or more policies defining whether to perform a cryptographic operation with respect to one or more data items generated by the particular electronic computing device according to tenant-defined criteria corresponding to the particular electronic computing device;

automatically identifying the one or more data items;

automatically comparing the one or more data items to the one or more policies to determine whether to perform the cryptographic operation with respect to the one or more data items; and

automatically performing the cryptographic operation with respect to at least one of the one or more data items.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for securing or encrypting data or other information arising from a user'"'"'s interaction with software and/or hardware, resulting in transformation of original data into ciphertext. Generally, the ciphertext is generated using context-based keys that depend on the environment in which the original data originated and/or was accessed. The ciphertext can be stored in a user'"'"'s storage device or in an enterprise database (e.g., at-rest encryption) or shared with other users (e.g., cryptographic communication). The system generally allows for secure federation across organizations, including mechanisms to ensure that the system itself and any other actor with pervasive access to the network cannot compromise the confidentially of the protected data.

11 Citations

View as Search Results

22 Claims

1. A method, comprising the steps of:
- retrieving a secure enrollment profile, wherein the secure enrollment profile comprises cryptographic identity data corresponding to a particular electronic computing device that is enrolled with a federated security platform associated with a plurality of tenants;
  
  determining, based on the cryptographic identity data, a particular tenant corresponding to the particular electronic computing device for enabling secure tenant-specific tracking, by the platform, of electronic activities of the particular electronic computing device;
  
  receiving, from the platform, one or more policies defining whether to perform a cryptographic operation with respect to one or more data items generated by the particular electronic computing device according to tenant-defined criteria corresponding to the particular electronic computing device;
  
  automatically identifying the one or more data items;
  
  automatically comparing the one or more data items to the one or more policies to determine whether to perform the cryptographic operation with respect to the one or more data items; and
  
  automatically performing the cryptographic operation with respect to at least one of the one or more data items.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the step of automatically identifying the one or more data items occurs based on generation of or change to of the one or more data items.
  - 3. The method of claim 1, wherein the step of automatically performing the cryptographic operation with respect to the at least one of the one or more data items further comprises automatically performing the cryptographic operation with respect to all of the one or more data items.
  - 4. The method of claim 1, further comprising the steps of:
    - prior to retrieving the secure enrollment profile, transmitting an enrollment request to a platform server for enrollment of the particular electronic computing device in the federated security platform;
      
      receiving, from the platform server, an enrollment response corresponding to the enrollment request, wherein the enrollment response comprises the cryptographic identity data;
      
      generating, based on the enrollment response, the secure enrollment profile; and
      
      storing the secure enrollment profile in a database.
  - 5. The method of claim 4, wherein at least a portion of the enrollment response is encrypted.
  - 6. The method of claim 5, wherein the step of generating the secure enrollment profile further comprises decrypting the encrypted portion of the enrollment response.
  - 7. The method of claim 1, wherein the cryptographic identity data comprises a tenant-specific device identifier, one or more shared secrets between the platform and the particular electronic computing device, a key space identifier, an asymmetric key, and/or unique cryptographic information.
  - 8. The method of claim 1, wherein automatically identifying the one or more data items further comprises the step of automatically detecting, via a client module operating on the particular electronic computing device, that the one or more data items are entered into a particular data field.
  - 9. The method of claim 8, wherein automatically comparing the one or more data items to the one or more policies further comprises the step of identifying a need to performing the cryptographic operation with respect to the at least one of the one or more data items.
  - 10. The method of claim 9, wherein the step of automatically performing the cryptographic operation with respect to at least one of the one or more data items further comprises the steps of:
    - identifying, via the client module, contextual information relating to the at least one of the one or more data items;
      
      transmitting a request for performing the cryptographic operation with respect to the at least one of the one or more data items from the client module to the platform, wherein the request includes the contextual information;
      
      receiving, at the client module, a response from the platform, wherein the response comprises unique cryptographic information generated based on the contextual information; and
      
      performing the cryptographic operation with respect to the at least one of the one or more data items as a function of the unique cryptographic information.
  - 11. The method of claim 1, wherein the one or more policies are based on one or more of the following criteria:
    - a geographic location of the particular electronic computing device, a time the one or more data items were generated, and a data type corresponding to the one or more data items.

12. A system, comprising:
- a federated security platform associated with a plurality of tenants, the platform comprising a server; and
  
  an electronic computing device enrolled with the platform, the electronic computing device comprising a processor, the processor operative to;
  
  retrieve, from the platform, a secure enrollment profile, wherein the secure enrollment profile comprises cryptographic identity data corresponding to the electronic computing device;
  
  determine, based on the cryptographic identity data, a particular tenant corresponding to the electronic computing device for enabling secure tenant-specific tracking, by the platform, of electronic activities of the electronic computing device;
  
  receive, from the platform, one or more policies defining whether to perform a cryptographic operation with respect to one or more data items generated by the electronic computing device according to tenant-defined criteria corresponding to the electronic computing device;
  
  automatically identify the one or more data items;
  
  automatically compare the one or more data items to the one or more policies to determine whether to perform the cryptographic operation with respect to the one or more data items; and
  
  automatically perform the cryptographic operation with respect to at least one of the one or more data items.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the processor automatically identifies the one or more data items based on generation of or change to the one or more data items.
  - 14. The system of claim 12, wherein the processor is further operative to automatically perform the cryptographic operation with respect to all of the one or more data items.
  - 15. The system of claim 12, where the processor is further operative to:
    - prior to retrieving the secure enrollment profile, transmit an enrollment request to the server for enrollment of the user of the electronic computing device in the platform;
      
      receive, from the server, an enrollment response corresponding to the enrollment request, wherein the enrollment response comprises the cryptographic identity data;
      
      generate, based on the enrollment response, the secure enrollment profile; and
      
      store the secure enrollment profile in a database operatively connected to the electronic computing device.
  - 16. The system of claim 15, wherein at least a portion of the enrollment response is encrypted.
  - 17. The system of claim 16, wherein the processor is further operative to decrypt the encrypted portion of the enrollment response as part of generating the secure enrollment profile.
  - 18. The system of claim 12, wherein the cryptographic identity data further comprises a tenant-specific device identifier corresponding to the electronic computing device, one or more shared secrets between the platform and the electronic computing device, a key space identifier, an asymmetric key, and/or unique cryptographic information.
  - 19. The system of claim 12, wherein the processor is further operative, as part of automatically identifying the one or more data items, to detect, via a client module operating on the electronic computing device, that the one or more data items are entered into a particular data field.
  - 20. The system of claim 19, wherein the processor is further operative, as part of automatically comparing the one or more data items to the one or more tenant-specific policies, to identify a need to perform the cryptographic operation with respect to the at least one of the one or more data items.
  - 21. The system of claim 20, wherein the processor is further operative, as part of automatically performing the cryptographic operation with respect to the at least one of the one or more data items, to:
    - identify, via the client module, contextual information relating to the at least one of the one or more data items;
      
      transmit a request for performing the cryptographic operation with respect to the at least one of the one or more data items from the client module to the server, wherein the request includes the contextual information;
      
      receive, at the client module, a response from the server, wherein the response comprises unique cryptographic information generated based on the contextual information; and
      
      perform the cryptographic operation with respect to the at least one of the one or more data items as a function of the unique cryptographic information.
  - 22. The system of claim 12, wherein the one or more policies are based on one or more of the following criteria:
    - a geographic location of the electronic computing device, a time the one or more data items were generated, and a data type corresponding to the one or more data items.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ionic Security, Inc. (Twilio, Inc.)
Original Assignee
Ionic Security, Inc. (Twilio, Inc.)
Inventors
Ghetti, Adam, Howard, Jeffrey, Jordan, James, Smith, Nicholas, Eckman, Jeremy, Speers, Ryan, Bhatti, Sohaib
Primary Examiner(s)
Smithers, Matthew

Application Number

US16/029,996
Time in Patent Office

589 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2133   Verifying human interaction...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 9/0819   Key transport or distributi...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/0861   Generation of secret inform...

Systems and methods for encryption and provision of information security using platform services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for encryption and provision of information security using platform services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links