Data protection in a networked computing environment

US 10,686,809 B2
Filed: 05/06/2019
Issued: 06/16/2020
Est. Priority Date: 04/29/2015
Status: Active Grant

First Claim

Patent Images

1. A method of providing data protection in a networked computing environment, comprising:

detecting, by at least one computer device, a breach of a first system in the networked computing environment;

in response to the detecting of the breach of the first system, generating, by the at least one computer device, a second system in the networked computing environment, wherein the second system includes a database which includes a scrambled version of low value data and a patch which is a configuration update applied to the database of the second system that eliminates a vulnerability exposed by the breach; and

converting, by the at least one computer device, the first system to a decoy system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches for providing data protection in a networked computing environment are provided. A method includes detecting, by at least one computer device, a breach of a first system in the networked computing environment. The method also includes generating, by the at least one computer device, a second system in the networked computing environment, wherein the second system includes a patch based on the breach. The method additionally includes converting, by the at least one computer device, the first system to a decoy system. The method further includes generating, by the at least one computer device, a third system in the networked computing environment, wherein the third system has reduced security relative to the first system.

148 Citations

20 Claims

1. A method of providing data protection in a networked computing environment, comprising:
- detecting, by at least one computer device, a breach of a first system in the networked computing environment;
  
  in response to the detecting of the breach of the first system, generating, by the at least one computer device, a second system in the networked computing environment, wherein the second system includes a database which includes a scrambled version of low value data and a patch which is a configuration update applied to the database of the second system that eliminates a vulnerability exposed by the breach; and
  
  converting, by the at least one computer device, the first system to a decoy system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 18, 19, 20)
- - 2. The method of claim 1, wherein the generating the second system comprises:
    - determining a vulnerability that permitted the breach;
      
      creating the patch to eliminate the vulnerability;
      
      provisioning a new production server and a new production database in the networked computing environment; and
      
      applying the patch to at least one of the new production server and the new production database.
  - 3. The method of claim 1, further comprising:
    - routing a client request for a service to the first system prior to the generating the second system; and
      
      routing a client request for the service to the second system after the generating the second system.
  - 4. The method of claim 1, wherein:
    - the first system and the second system are physically separate; and
      
      the first system in the networked computer environment comprises a first server and a first database and the second system in the networked computer environment comprises a second server and a second database.
  - 5. The method of claim 1, wherein the converting the first system to the decoy system comprises generating and adding decoy high value data to the database of the first system.
  - 6. The method of claim 1, wherein a service provider at least one of creates, maintains, deploys and supports the at least one computer device.
  - 7. The method of claim 1, wherein the detecting the breach, the generating the second system, and the converting the first system are provided by a service provider on a subscription, advertising, and/or fee basis.
  - 8. The method of claim 1, wherein the detecting the breach, the generating the second system, and the converting the first system are provided by software as a service in a cloud environment.
  - 9. The method of claim 1, wherein the configuration update mitigates the breach.
  - 18. The method of claim 1, wherein the low value data comprises non-confidential data.
  - 19. The method of claim 18, wherein the converting the first system to the decoy system comprises deleting high value data from the decoy system.
  - 20. The method of claim 19, wherein the high value data comprises confidential data and a decoy high value data is generated based on the low value data contained in a first database in the first system.

10. A computer program product for providing data protection in a networked computing environment, the computer program product comprising a computer readable storage device having program instructions embodied therewith, the program instructions being executable by a computer device to cause the computer device to:
- detect a breach of a first production system in the networked computing environment;
  
  in response to the detecting the breach of the first production system, generate a second production system in the networked computing environment, wherein the second production system includes a database which includes a scrambled version of low value data and a patch which is a configuration update applied to the database of the second system that eliminates a vulnerability exposed by the breach; and
  
  convert the first production system to a decoy system,wherein the scrambled version of the low value data is encrypted.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer program product of claim 10, wherein the generating the second production system comprises:
    - determining a vulnerability that permitted the breach;
      
      creating the patch to eliminate the vulnerability;
      
      provisioning a new production server and a new production database in the networked computing environment; and
      
      applying the patch to at least one of the new production server and the new production database.
  - 12. The computer program product of claim 10, the program instructions further being executable by the computer device to cause the computer device to:
    - route a client request for a service to the first production system prior to the generating the second production system; and
      
      route a client request for the service to the second production system after the generating the second production system.
  - 13. The computer program product of claim 10, wherein:
    - the first production system and the second production system are physically separate; and
      
      the first production system in the networked computer environment comprises a first server and a first database and the second production system in the networked computer environment comprises a second server and a second database.
  - 14. The computer program product of claim 10, wherein the converting the first production system to the decoy system comprises generating decoy high value data based on low value data contained in a database in the first production system;
    - and storing the decoy high value data in the database.
  - 15. The computer program product of claim 10, wherein a service provider at least one of creates, maintains, deploys and supports the at least one computer device.
  - 16. The computer program product of claim 10, wherein the detecting the breach, the generating the second production system, and the converting the first production system are provided by a service provider on a subscription, advertising, and/or fee basis.
  - 17. The computer program product of claim 10, wherein the detecting the breach, the generating the second production system, and the converting the first production system are provided by software as a service in a cloud environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Boss, Gregory J., Hamilton, II, Rick A., Hoy, Jeffrey R., Magro, Agueda M. H.
Primary Examiner(s)
Tabor, Amare F

Application Number

US16/404,236
Publication Number

US 20190260774A1
Time in Patent Office

407 Days
Field of Search

726 23, 726 22, 726 24- 25, 713187-189
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1491   using deception as counterm...

Data protection in a networked computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

148 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data protection in a networked computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

148 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links