Encryption load balancing and distributed policy enforcement

US 20080022136A1
Filed: 12/21/2006
Published: 01/24/2008
Est. Priority Date: 02/18/2005
Status: Abandoned Application

First Claim

Patent Images

1. An encryption load balancing and distributed policy enforcement system comprising:

one or more engines for communicating with one or more devices and for executing cryptographic operations on data; and

a dispatcher, in communication with the one or more engines, that receives one or more requests from a client and delegates at least one of the one or more requests to the one or more engines.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To achieve encryption load balancing, a dispatcher, in communication with one or more engines, delegates one or more requests to the one or more engines. The engines execute cryptographic operations on data. The dispatcher may implement one or more load balancing algorithms to delegate requests to engines in accordance with data protection classes and rules for improved efficiency, performance, and security. To achieve distributed policy enforcement, the engines may also analyze whether the request violates an item access rule.

Citations

40 Claims

1. An encryption load balancing and distributed policy enforcement system comprising:
- one or more engines for communicating with one or more devices and for executing cryptographic operations on data; and
  
  a dispatcher, in communication with the one or more engines, that receives one or more requests from a client and delegates at least one of the one or more requests to the one or more engines.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, wherein the data is contained in or produced in response to the one or more requests.
  - 3. The system of claim 1, wherein a first of the engines has a different service class than a second of the engines.
  - 4. The encryption load balancing system of claim 1, wherein the device is a database and the requests are queries.
  - 5. The system of claim 4, wherein the dispatcher is configured to parse at least one of said one or more queries and delegate at least one of said one or more queries to a subset of said one or more engines on the basis of query type.
  - 6. The system of claim 1, wherein the dispatcher is configured to delegate at least one of said one or more queries to the client.
  - 7. The system of claim 1, wherein the client is configured to delegate at least one of said one or more queries to the client.
  - 8. The system of claim 1, wherein the addition of an additional engine requires minimal manual configuration.
  - 9. The system of claim 1, wherein the dispatcher is configured to delegate at least one of said one or more queries to at least one of said one or more engines using a load balancing algorithm.
  - 10. The system of claim 9, wherein the load balancing algorithm is a shortest queue algorithm wherein a length of at least one of the one or more engines'"'"' queue is weighted.
  - 11. The system of claim 10, wherein the queue is weighted to reflect complexity of at least one of the one or more requests delegated to the engine.
  - 12. The system of claim 11, wherein the queue is weighted to reflect the engine'"'"'s processing power.
  - 13. The system of claim 1, wherein the dispatcher is in further communication with a key management system to obtain one or more encryption keys related to the one or more queries.
  - 14. The system of claim 13, wherein the one or more encryption keys communicated by the dispatcher to the one or more engines are encrypted with a server encryption key.
  - 15. The system of claim 1, wherein at least one of the one or more engines analyzes whether one of the requests violates an item access rule.
  - 16. The system of claim 15, wherein the system further comprises an access control manager for distributing one or more access rules to at least one of the one or more engines.
  - 17. The system of claim 16, wherein at least one of the one or more engines reports an item access rule violation to the access control manager.
  - 18. The system of claim 17, wherein the access control manager analyzes the violation and adjusts at least one item access rule for a user or a group.

19. An encryption load balancing system comprising:
- (a) one or more devices;
  
  (b) a client having an application for generating one or more requests for data residing on the devices;
  
  (c) a key management system, in communication with a policy database;
  
  (d) one or more engines, in communication with the one or more devices, for executing cryptographic operations on data contained in or produced in response to the one or more requests; and
  
  (e) a dispatcher, in communication with the client, the key management system, and the one or more engines, that (i) receives the requests from the client;
  
  (ii) communicates with the key management system to verify the authenticity and authorization of the requests; and
  
  (iii) delegates the requests to the one or more engines using a load balancing algorithm.

20. An encryption load balancing method comprising:
- receiving a request for information residing on a device from a client; and
  
  delegating the request to one or more engines configured to execute cryptographic operations on data.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 21. The method of claim 20, the method further comprising dividing the request into one or more sub-request.
  - 22. The method of claim 21, wherein the method further comprising delegating at least one of the sub-requests to the client.
  - 23. The method of claim 20 wherein the request is delegated using a load balancing algorithm.
  - 24. The method of claim 20, the method further comprising communicating with a key management system to determine whether a request is authorized.
  - 25. The method of claim 20, the method further comprising communicating with a key management system to determine the key class of a request.
  - 26. The method of claim 20, wherein the request is a sub-request.
  - 27. The method of claim 20, wherein the request is an insertion command.
  - 28. The method of claim 20, the method further comprising:
    - generating encrypted data from the data in the request;
      
      amending the request to replace the data with the encrypted data; and
      
      forwarding the request to the device.
  - 29. The method of claim 28, the method further comprising determining whether the request constitutes a violation of at least one item access rule.
  - 30. The method of claim 29, the method further comprising notifying an access control system of the violation.
  - 31. The method of claim 20, the method further comprising:
    - forwarding the request to the device;
      
      receiving encrypted data from the device;
      
      decrypting the encrypted data; and
      
      returning unencrypted data to a client.
  - 32. The method of claim 31, the method further comprising determining whether the result of the request constitutes a violation of at least one item access rule.
  - 33. The method of claim 32, the method further comprising:
    - notifying the access control system of the violation.

34. An encryption load balancing method comprising:
- (a) receiving a request for information residing on a device from a client;
  
  (b) verifying authorization of the request and determining a key class of the request by communicating with a key management system; and
  
  (c) delegating, through use of a load balancing algorithm, the request to one or more engines configured to execute cryptographic operations on data, wherein the engine;
  
  (i) generates encrypted data from the data in the request;
  
  (ii) amends the request to replace the data with the encrypted data; and
  
  (iii) forwards the request to the device.

35. An encryption load balancing method comprising:
- (a) receiving a request for information residing on a device from a client;
  
  (b) verifying authorization of the request and determining a key class of the request by communicating with a key management system; and
  
  (c) delegating, through use of a load balancing algorithm, the request to one or more engines configured to execute cryptographic operations on data, wherein the engine;
  
  (i) forwards the request to the device;
  
  (ii) receives encrypted data from the device;
  
  (iii) decrypts the encrypted data; and
  
  (iv) returns unencrypted data to the client.

36. A computer-readable medium whose contents cause a computer to perform an encryption load balancing method comprising:
- receiving a request for information residing on a device from a client; and
  
  delegating the request to one or more engines configured to execute cryptographic operations on data.

37. An encryption load balancing system comprising:
- a first preprocessor for communicating with one or more devices and for receiving requests from a client;
  
  a second preprocessor for executing cryptographic operations on data contained in and produced in response to the requests; and
  
  a dispatcher arranged to divide a request into at least a first and a second sub-request, and to delegate the first sub-request to the first preprocessor and the second sub-request to the second preprocessor.
- View Dependent Claims (38)
- - 38. The system of claim 37, wherein the sub-requests are delegated to the preprocessors using a load balancing algorithm.

39. An encryption load balancing system comprising:
- (a) one or more storage devices having;
  
  (i) a first portion encrypted at a first encryption level; and
  
  (ii) a second portion encrypted at a second encryption level that differs from the first encryption level;
  
  (b) a first preprocessor configured to receive a request for information residing on one or more of the storage devices from a client application, the request;
  
  (i) seeking interaction with first data from the first portion; and
  
  (ii) seeking interaction with second data from the second portion;
  
  (c) a second preprocessor in communication with the first preprocessor, the second preprocessor configured to execute a cryptographic operations on data contained in or produced in response to the request; and
  
  (d) a dispatcher in communication with the first preprocessor, the dispatcher being configured;
  
  (i) to separate a database request into a first sub-request for interaction with the first data and a second sub-request for interaction with the second data;
  
  (ii) to delegate the first sub-request to the first preprocessor; and
  
  (iiI) to delegate the second sub-request to the second preprocessor.
- View Dependent Claims (40)
- - 40. The system of claim 39, wherein the dispatcher delegates a plurality of sub-requests to a plurality of second preprocessors using a load balancing algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Original Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Inventors
Mattsson, Ulf, Rozenberg, Yigal

Application Number

US11/644,106
Publication Number

US 20080022136A1
Time in Patent Office

Days
Field of Search
US Class Current

713/194
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 63/0428   wherein the data content is...

H04L 63/102   Entity profiles

H04L 67/1001   for accessing one among a p...

H04L 67/1006   with static server selectio...

H04L 67/1008   based on parameters of serv...

H04L 67/1017   based on a round robin mech...

H04L 67/1021   based on client or server l...

H04L 67/1023   based on a hash applied to ...

H04L 67/1031   Controlling of the operatio...

H04L 9/0897   involving additional device...

Encryption load balancing and distributed policy enforcement

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption load balancing and distributed policy enforcement

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links