SYSTEMS AND METHODS FOR SECURE MULTI-TENANT DATA STORAGE

US 20120166818A1
Filed: 08/11/2011
Published: 06/28/2012
Est. Priority Date: 08/11/2010
Status: Active Grant

First Claim

Patent Images

1. A method of securely storing data in a multi-tenant data storage system, comprising:

receiving a first data set from a first data source;

receiving a second data set from a second data source;

encrypting the first data set with a first key;

encrypting the second data set with a second key, the second key different from the first key;

generating a first plurality of shares, wherein each of the first plurality of shares contains a distribution of data from the encrypted first data set;

generating a second plurality of shares, wherein each of the second plurality of shares contains a distribution of data from the encrypted second data set; and

storing at least one share of the first plurality of shares and at least one share of the second plurality of shares in a first shared memory device of the multi-tenant data storage system,wherein access to the first key and a threshold number of the first plurality of shares are necessary to restore the first data set.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for transmitting data for secure storage. For each of two or more data sets, a plurality of shares are generated containing a distribution of data from an encrypted version of the data set. The shares are then stored in a shared memory device, wherein a data set may be reconstructed from a threshold number of the associated plurality of shares using an associated key. Also provided are systems and methods for providing access to secured data. A plurality of shares containing a distribution of data from an encrypted version of a data set are stored in a memory device. A client is provided with a virtual machine that indicates the plurality of shares, and the capability to reconstruct the data set from the plurality of shares using an associated key.

160 Citations

34 Claims

1. A method of securely storing data in a multi-tenant data storage system, comprising:
- receiving a first data set from a first data source;
  
  receiving a second data set from a second data source;
  
  encrypting the first data set with a first key;
  
  encrypting the second data set with a second key, the second key different from the first key;
  
  generating a first plurality of shares, wherein each of the first plurality of shares contains a distribution of data from the encrypted first data set;
  
  generating a second plurality of shares, wherein each of the second plurality of shares contains a distribution of data from the encrypted second data set; and
  
  storing at least one share of the first plurality of shares and at least one share of the second plurality of shares in a first shared memory device of the multi-tenant data storage system,wherein access to the first key and a threshold number of the first plurality of shares are necessary to restore the first data set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the first and second data sources are unrelated.
  - 3. The method of claim 1, wherein the first data set is encrypted with the first key at a first server and the second data set is encrypted with the second key at a second server different from the first server.
  - 4. The method of claim 3, wherein the first and second servers are blades.
  - 5. The method of claim 3, wherein the first and second servers are virtual machines.
  - 6. The method of claim 1, wherein the at least one share of the first plurality of shares and the at least one share of the second plurality of shares are stored contiguously in the first shared memory device.
  - 7. The method of claim 1, wherein the at least one share of the first plurality of shares and the at least one share of the second plurality of shares are stored in the first shared memory device without a physical partitioning or a virtual partitioning of the first shared memory device between the stored at least one share of the first plurality of shares and the stored at least one share of the second plurality of shares.
  - 8. The method of claim 1, further comprising:
    - storing some of the first plurality of shares and some of the second plurality of shares in a second shared memory device different from the first shared memory device.
  - 9. The method of claim 8, wherein at least one of the first plurality of shares is stored on both the first shared memory device and the second shared memory device.
  - 10. The method of claim 1, further comprising:
    - storing at least two of the first plurality of shares and at least two of the second plurality of shares in the first shared memory device.
  - 11. The method of claim 1, wherein access to the second key and a threshold number of the second plurality of shares are necessary to restore the second data set.

12. A method of providing access to secured data, comprising:
- encrypting a first data set using a first key;
  
  generating a first plurality of shares, wherein each of the first plurality of shares contains a distribution of data from the encrypted first data set;
  
  transmitting the first plurality of shares to at least one memory device for storage;
  
  providing, to a first client, access to a second key; and
  
  providing, to the first client, a virtual machine that indicates the first plurality of shares stored on the at least one memory device, wherein the first client is provided with the capability to retrieve the first plurality of shares from the at least one memory device and reconstruct the first data set using the second key.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method of claim 12, wherein the first key contains identical data to the second key.
  - 14. The method of claim 13, wherein each of the first plurality of shares comprises a distribution of data from the encrypted first data set and the first key.
  - 15. The method of claim 12, wherein the first key contains different data than the second key.
  - 16. The method of claim 15, wherein the first and second keys are an asymmetric key pair.
  - 17. The method of claim 12, further comprising:
    - storing the second key in a network-attached memory device;
      
      wherein providing, to the first client, access to the second key comprises providing, to the first client, access to the network-attached memory device.
  - 18. The method of claim 12, further comprising:
    - revoking, from the first client, access to the second key.
  - 19. The method of claim 18, wherein the revoking occurs a predetermined period of time after providing, to the first client, access to the second key.
  - 20. The method of claim 12, further comprising:
    - encrypting a second data set using a third key different from the first key;
      
      generating a second plurality of shares, wherein each of the second plurality of shares contains a distribution of data from the encrypted second data set;
      
      transmitting the second plurality of shares to the at least one memory device for storage;
      
      providing, to a second client different from the first client, access to a fourth key;
      
      providing, to the second client, a virtual machine that indicates the second plurality of shares stored on the at least one memory device, wherein the second client is provided with the capability to retrieve the second plurality of shares from the at least one memory device and reconstruct the second data set using the fourth key.
  - 21. The method of claim 20, wherein the at least one memory device is part of a multi-tenant data storage system.

22. A system for securely storing data in a multi-tenant data storage system, comprising:
- at least one processing device configured to receive a first data set from a first data source and a second data set from a second data source; and
  
  a first shared memory device;
  
  the at least one processing device further configured to;
  
  encrypt the first data set with a first key;
  
  encrypt the second data set with a second key, the second key different from the first key;
  
  generate a first plurality of shares, wherein each of the first plurality of shares contains a distribution of data from the encrypted first data set;
  
  generate a second plurality of shares, wherein each of the second plurality of shares contains a distribution of data from the encrypted second data set; and
  
  store at least one share of the first plurality of shares and at least one share of the second plurality of shares in a first shared memory device of the multi-tenant data storage system,wherein access to the first key and a threshold number of the first plurality of shares are necessary to restore the first data set.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The system of claim 22, wherein the first and second data sources are unrelated.
  - 24. The system of claim 23, wherein the at least one processing device comprises a first server and a second server, and wherein the first data set is encrypted with the first key at a first server and the second data set is encrypted with the second key at a second server different from the first server.
  - 25. The system of claim 24, wherein the first and second servers are blades.
  - 26. The system of claim 24, wherein the first and second servers are virtual machines.
  - 27. The system of claim 22, wherein the at least one share of the first plurality of shares and the at least one share of the second plurality of shares are stored contiguously in the first shared memory device.
  - 28. The system of claim 22, wherein the at least one share of the first plurality of shares and the at least one share of the second plurality of shares are stored in the first shared memory device without a physical partitioning or a virtual partitioning of the first shared memory device between the stored at least one share of the first plurality of shares and the stored at least one share of the second plurality of shares.

29. A system for providing access to secured data, comprising:
- at least one processing device;
  
  a first client; and
  
  at least one memory device;
  
  wherein the at least one processing device is configured to;
  
  encrypt a first data set using a first key;
  
  generate a first plurality of shares, wherein each of the first plurality of shares contains a distribution of data from the encrypted first data set;
  
  transmit the first plurality of shares to the at least one memory device for storage;
  
  provide, to the first client, access to a second key; and
  
  provide, to the first client, a virtual machine that indicates the first plurality of shares stored on the at least one memory device, wherein the first client is provided with the capability to retrieve the first plurality of shares from the at least one memory device and reconstruct the first data set using the second key.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. The system of claim 29, wherein the first and second keys are an asymmetric key pair.
  - 31. The system of claim 29, further comprising:
    - a network-attached memory device;
      
      wherein the at least one processing device is further configured to;
      
      store the second key in a network-attached memory device;
      
      wherein providing, to the first client, access to the second key comprises providing, to the first client, access to the network-attached memory device.
  - 32. The system of claim 29, wherein the at least one processing device is further configured to revoke, from the first client, access to the second key.
  - 33. The system of claim 29, wherein the at least one processing device is further configured to:
    - encrypt a second data set using a third key different from the first key;
      
      generate a second plurality of shares, wherein each of the second plurality of shares contains a distribution of data from the encrypted second data set;
      
      transmit the second plurality of shares to the at least one memory device for storage;
      
      provide, to a second client different from the first client, access to a fourth key;
      
      provide, to the second client, a virtual machine that indicates the second plurality of shares stored on the at least one memory device, wherein the second client is provided with the capability to retrieve the second plurality of shares from the at least one memory device and reconstruct the second data set using the fourth key.
  - 34. The system of claim 33, wherein the at least one memory device is part of a multi-tenant data storage system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
Orsini, Rick L., O'Hare, Mark S., Staker, Matt

Granted Patent

US 8,656,189 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 13/1663   Access to shared memory

G06F 21/6218   to a system of files or obj...

G06F 2212/1052   Security improvement

H04L 63/061   for key exchange, e.g. in p...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

SYSTEMS AND METHODS FOR SECURE MULTI-TENANT DATA STORAGE

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

160 Citations

34 Claims

Specification

Use Cases

Quick Links

Others

SYSTEMS AND METHODS FOR SECURE MULTI-TENANT DATA STORAGE

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

160 Citations

34 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others