System and method for dynamically allocating resources

US 20060190986A1
Filed: 01/20/2006
Published: 08/24/2006
Est. Priority Date: 01/22/2005
Status: Active Grant

First Claim

Patent Images

1. A method of dynamically allocating computing resources for a transaction related to data, based on the satisfaction of policies, such as privacy policies, comprising the steps of:

(a) receiving a request requiring a computing resource to process data to be processed;

(b) selecting, based on the data to be processed and contextual information, a set of rules associated with the data to be processed;

(c) selecting a resource or resources to process the data and transmitting the data, in a protected/encrypted format, to the selected resource or resources;

(d) sending a message from the selected resource to a trusted privacy service requesting a key to decrypt the data to allow the data to be decrypted so that it can be processed on the selected resource;

(e) sending a key from the trusted privacy service to the resource to allow the resource to decrypt the data and process the data it the trusted privacy service determines that the selected resource complies with the selected rules.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer network has a number of resources. One or more trusted localisation provider certifies the location of the resources. Encrypted data is closely associated with a policy package defining privacy policies for the data and metapolicies for their selection. A trusted privacy service enforces the privacy policies. The trusted privacy service is arranged to supply a key to a resource to allow that resource to process data if the trusted privacy service determines from the trusted localisation provider certifying the location and other contextual information of the resource that the privacy policy allows processing of the data on that resource in that location.

55 Citations

View as Search Results

18 Claims

1. A method of dynamically allocating computing resources for a transaction related to data, based on the satisfaction of policies, such as privacy policies, comprising the steps of:
- (a) receiving a request requiring a computing resource to process data to be processed;
  
  (b) selecting, based on the data to be processed and contextual information, a set of rules associated with the data to be processed;
  
  (c) selecting a resource or resources to process the data and transmitting the data, in a protected/encrypted format, to the selected resource or resources;
  
  (d) sending a message from the selected resource to a trusted privacy service requesting a key to decrypt the data to allow the data to be decrypted so that it can be processed on the selected resource;
  
  (e) sending a key from the trusted privacy service to the resource to allow the resource to decrypt the data and process the data it the trusted privacy service determines that the selected resource complies with the selected rules.
- View Dependent Claims (2, 3, 4, 18)
- - 2. A method according to claim 1 wherein the trusted privacy service receives data from a trusted localisation provider which provides certified data regarding the location of the resource.
  - 3. A method according to claim 1 wherein the rules are stored as a privacy package closely associated with the data, the privacy package identifying for the data rules allocating the processing and/or storage of data in a resource depending on the properties of the resource, including the location of the resource.
  - 4. A method according to claim 1 wherein some data is only to be processed on a trusted platform;
    - the method including creating localisation information on the trusted platform by;
      
      creating a new key pair including a new public key and a new private key, the new private key being kept on the trusted platform; and
      
      using the private key to certify or sign the localisation information.
  - 18. A computer program product arranged to carry out the steps of a method according to claim 1 when run on a suitable networked system or computer.

5. A computer system comprising:
- a plurality of resources;
  
  a network linking the resources;
  
  at least one trusted localisation provider arranged to certify the location of the resources;
  
  a policy package associated with data, defining different privacy policies for the data and metadata to select the relevant set of privacy policies;
  
  at least one trusted privacy service arranged to enforce the privacy policies;
  
  a store storing confidential data in an encrypted fashion, wherein the encrypted data can only be decrypted using one or more keys; and
  
  a resource allocation server arranged to dynamically allocate resources to process the data;
  
  wherein the trusted privacy service is arranged to supply one or more keys to a resource to allow that resource to process data if the trusted privacy service determines from the trusted localisation provider, and the resource that the privacy policy allows processing of the data on that resource in that location.
- View Dependent Claims (6, 7, 8, 9)
- - 6. A computer system according to claim 5 wherein trusted localisation providers are provided within respective resources.
  - 7. A computer system according to claim 5 further comprising:
    - a registration entity arranged to store data relating to the resources;
      
      wherein the resource allocation service is arranged to allocate resources to process data based on information stored in the registration entity; and
      
      wherein at least one trusted localisation provider is provided in the registration entity.
  - 8. A computer system according to claim 5 wherein at least some of the resources are trusted resources including a trusted privacy module and a trusted localisation provider, the trusted privacy module in the resource being arranged to digitally sign localisation data provided by the trusted localisation service to certify the localisation data.
  - 9. A computer system according to claim 5 wherein data is stored in an encrypted form together with and closely associated with the privacy policy of that data.

10. A data item for use in a secure environment including:
- encrypted confidential data; and
  
  a policy package including;
  
  at least one privacy policy set setting out how the encrypted confidential data is to be processed; and
  
  at least one metapolicy, including rules setting out which privacy policy is appropriate when a resource processes the data, at least one of the rules including the location of the resource carrying out the processing;
  
  wherein the data item is tightly bound together in the secure environment to keep the policy package associated with the encrypted confidential data.

11. A method of processing confidential data in a resource, comprising the steps of:
- (a) receiving, from a resource allocation service, the confidential data bound together with a policy package setting out the privacy policy or policies associated with the data;
  
  (b) obtaining, from a trusted localisation provider, localisation information regarding the resource;
  
  (c) sending a message from the resource to a trusted privacy service, the message including the policy package and the localisation information, requesting a key to decrypt the data to allow the data to be processed on the selected resource; and
  
  (d) receiving, from the trusted privacy service, a key to allow the resource to decrypt the data and process the data, if the trusted privacy service determines from the policy package that the resource may process the data.
- View Dependent Claims (12, 13)
- - 12. A method according to claim 11 wherein the trusted localisation provider and a trusted privacy module are located within the resource, wherein:
    - in the step of sending a message to the resource the trusted privacy module digitally signs the localisation information so that the trusted privacy service can check that the localisation information is trusted.
  - 13. A method according to claim 11 wherein the method further includes sending further information from the resource to the trusted localisation provider relating to the privacy policies in force in the resource, so that the trusted localisation provider can verify that the resource has suitable privacy policies to process the data.

14. A hardware resource for processing data, including code:
- (a) to receive, from a resource allocation service, the confidential data bound together with a policy package setting out the privacy policy or policies associated with the data;
  
  (b) to obtain, from a trusted localisation provider, localisation information regarding the resource;
  
  (c) to send a message from the resource to a trusted privacy service, the message including the policy package and the localisation information, requesting a key to decrypt the data to allow the data to be processed on the selected resource; and
  
  (d) to receive, from the trusted privacy service, a key to allow the resource to decrypt the data and process the data if the trusted privacy service determines from the policy package that the resource may process the data.

15. A method of operating a trusted privacy service including:
- receiving, from a resource, a request to process data, the request including localisation information and a policy package defining the rules for processing the data;
  
  requesting, from the resource, further information regarding the properties of the resource;
  
  receiving, from the resource, the further information regarding the properties of the resource;
  
  resolving the rules in the policy package based on the localisation information and the further information regarding the properties of the resource to determine if the resource may process the data; and
  
  providing a key to the resource if it is determined that the resource may process the data.
- View Dependent Claims (16)
- - 16. A method according to claim 15 wherein the policy package contains at least one privacy policy set setting out the requirements that need to be satisfied so that the encrypted confidential data can be accessed and processed;
    - and at least one metapolicy including rules setting out which privacy policy is appropriate when a resource processes the data, at least one of the rules including the location of the resource carrying out the processing, the method comprising;
      
      evaluating the metapolicy based at least in part on the received contextual information, such as localisation, to select which privacy policy applies to the resource sending the request to process the data; and
      
      evaluating the further information based on the or each selected privacy policy to determine if the resource sending the request to process the data may process the data.

17. A trusted privacy service including code:
- to receive, from a resource, a request to process data, the request including localisation information and a policy package defining the rules for processing the data;
  
  requesting from the resource further information regarding the properties of the resource;
  
  to receive, from the resource, the further information regarding the properties of the resource;
  
  to resolve the rules in the policy package based on the localisation information and the further information regarding the properties of the resource to determine if the resource may process the data; and
  
  to provide a key to the resource if it is determined that the resource may process the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Pearson, Siani Lynne, Mont, Marco Casassa

Granted Patent

US 9,137,113 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/0407   wherein the identity of one...

H04L 63/0428   wherein the data content is...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 67/60   Scheduling or organising th...

H04L 9/083   involving central third par...

System and method for dynamically allocating resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for dynamically allocating resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links