Enhanced remote key management for an enterprise in a cloud-based environment
First Claim
Patent Images
1. A method comprising:
- maintaining a collaborative cloud-based environment that hosts a shared workspace for two or more users to collaborate on a data item, wherein access to the data item is controlled via a client-configurable rule that determines whether to reject the access by determining whether to encrypt or decrypt an encrypted key of the data item based at least in part on a reason code determined from a request to access the data item if access inconsistencies are detected;
receiving a content request for the data item from a user of the two or more users associated with the shared workspace, wherein the content request is associated with the reason code for accessing the data item by the user;
determining that the data item corresponding to the content request is associated with remote key management functionality;
initiating a key request to a hardware security module (HSM), the key request corresponding to a key that is at least encrypted twice, wherein an unencrypted key selected to encrypt the data item is encrypted a first time at the collaborative cloud-based environment to produce an encrypted key and the encrypted key while still encrypted is encrypted a second time at the HSM to produce the key that is encrypted at least twice, and wherein the key request is sent to the HSM based at least in part on the reason code associated to the content request; and
monitoring access to the data item via the key request stored on the HSM by providing audit log information associated with the content request to a log monitoring system, wherein the audit log information includes the reason code enumerating a user behavior performed on the data item in the collaborative cloud-based environment.
2 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods are disclosed for facilitating remote key management services in a collaborative cloud-based environment. In one embodiment, the remote key management architecture and techniques described herein provide for local key encryption and automatic generation of a reason code associated with content access. The reason code is logged by a hardware security module which is monitored by a remote client device (e.g., an enterprise client) to control a second (remote) layer of key encryption. The remote client device provides client-side control and configurability of the second layer of key encryption.
-
Citations
30 Claims
-
1. A method comprising:
-
maintaining a collaborative cloud-based environment that hosts a shared workspace for two or more users to collaborate on a data item, wherein access to the data item is controlled via a client-configurable rule that determines whether to reject the access by determining whether to encrypt or decrypt an encrypted key of the data item based at least in part on a reason code determined from a request to access the data item if access inconsistencies are detected; receiving a content request for the data item from a user of the two or more users associated with the shared workspace, wherein the content request is associated with the reason code for accessing the data item by the user; determining that the data item corresponding to the content request is associated with remote key management functionality; initiating a key request to a hardware security module (HSM), the key request corresponding to a key that is at least encrypted twice, wherein an unencrypted key selected to encrypt the data item is encrypted a first time at the collaborative cloud-based environment to produce an encrypted key and the encrypted key while still encrypted is encrypted a second time at the HSM to produce the key that is encrypted at least twice, and wherein the key request is sent to the HSM based at least in part on the reason code associated to the content request; and monitoring access to the data item via the key request stored on the HSM by providing audit log information associated with the content request to a log monitoring system, wherein the audit log information includes the reason code enumerating a user behavior performed on the data item in the collaborative cloud-based environment. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A system comprising:
-
one or more processors; and a memory unit having instructions stored thereon which, when executed by the one or more processors, causes the system to; maintain a collaborative cloud-based environment that hosts a shared workspace for two or more users to collaborate on a data item, wherein access to the data item is controlled via a client-configurable rule that determines whether to reject the access by determining whether to encrypt or decrypt an encrypted key of the data item based at least in part on a reason code determined from a request to access the data item if access inconsistencies are detected, receive a content request for the data item from a user of the two or more users associated with the shared workspace, wherein the content request is associated with the reason code for accessing the data item by the user, determine that the data item corresponding to the content request is associated with remote key management functionality, initiate a key request to a hardware security module (HSM), the key request corresponding to a key that is at least encrypted twice, wherein an unencrypted key selected to encrypt the data item is encrypted a first time at the collaborative cloud-based environment to produce an encrypted key and the encrypted key while still encrypted is encrypted a second time at the HSM to produce the key that is encrypted at least twice, and wherein the key request is sent to the HSM based at least in part on the reason code associated to the content request, and monitor access to the data item via the key request stored on the HSM by providing audit log information associated with the content request to a log monitoring system, wherein the audit log information includes the reason code enumerating a user behavior performed on the data item in the collaborative cloud-based environment. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
-
-
22. A computer program product embodied in a non-transitory computer readable medium, the computer readable medium having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute a process, the process comprising:
-
maintaining a collaborative cloud-based environment that hosts a shared workspace for two or more users to collaborate on a data item, wherein access to the data item is controlled via a client-configurable rule that determines whether to reject the access by determining whether to encrypt or decrypt an encrypted key of the data item based at least in part on a reason code determined from a request to access the data item if access inconsistencies are detected; receiving a content request for the data item from a user of the two or more users associated with the shared workspace, wherein the content request is associated with the reason code for accessing the data item by the user; determining that the data item corresponding to the content request is associated with remote key management functionality; initiating a key request to a hardware security module (HSM), the key request corresponding to a key that is at least encrypted twice, wherein an unencrypted key selected to encrypt the data item is encrypted a first time at the collaborative cloud-based environment to produce an encrypted key and the encrypted key while still encrypted is encrypted a second time at the HSM to produce the key that is encrypted at least twice, and wherein the key request is sent to the HSM based at least in part on the reason code associated to the content request; and monitoring access to the data item via the key request stored on the HSM by providing audit log information associated with the content request to a log monitoring system, wherein the audit log information includes the reason code enumerating a user behavior performed on the data item in the collaborative cloud-based environment. - View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
-
Specification