SYSTEMS AND METHODS FOR IMPLEMENTING TRANSPARENT ENCRYPTION
First Claim
1. A method of providing transparent encryption for a web resource, the method comprising:
receiving, at a key manager operating on a first server, an encryption key policy;
receiving, at the key manager, from the web resource, one or more user identifiers and one or more resource locators, wherein the web resource comprises a file store accessible to a plurality of users and is operated by a resource administrator;
defining, at the key manager, an access control list based on a selection of user identifiers;
associating, at the key manager, the access control list and the encryption key policy with a first resource locator from the one or more resource locators;
generating, at the key manager, an encryption key and a key identifier for the first resource locator;
establishing, by a first watchdog module operating on the first server, a secure communication channel between the first watchdog module and a second watchdog module operating on a second server;
sending, from the first watchdog module, to the second watchdog module, encryption information using the secure communication channel, wherein the encryption information comprises:
the encryption key, the key identifier, and the access control list;
storing, at the transparent encryption module on the second server, the encryption key and the access control list in protected memory;
receiving, at the transparent encryption module, from a client device, an input comprising a request to access a first resource stored in the web resource and a user identifier;
determining, at the transparent encryption module, that the user identifier is included in the access control list for the first resource;
encrypting, at the transparent encryption module, data using the encryption key that is passed from the client device to the first resource; and
decrypting, at the transparent encryption module, data using the encryption key that is passed from the first resource to the client device.
Abstract
A method of providing transparent encryption for a web resource includes a key manager receiving an encryption key policy; receiving user identifiers and resource locators; defining an access control list based on the user identifiers; generating an encryption key and a key identifier for a first resource locator; and establishing a secure communication channel between first and second watchdog modules. The method also includes the watchdog sending encryption information using the secure communication channel. The method also includes a transparent encryption module storing the encryption key and the access control list in protected memory; receiving an input comprising a request to access the first resource stored in the web resource; determining that the user identifier is included in the access control list; encrypting data using the encryption key; and decrypting data using the encryption key.
24 Claims
6. A method of providing transparent encryption for a web resource, the method comprising:
receiving, at a second server, from a key manager operating on a first server, information comprising:
an encryption key;
a key identifier;
an access control list; and
one or more resource locators;
receiving one or more resources from the web resource, wherein each resource corresponds to one of the one or more resource locators;
encrypting each of the one or more resources using the encryption key to create one or more encrypted resources;
appending the key identifier to each of the one or more encrypted resources;
sending the one or more encrypted resources to the web resource; and
storing the encryption key and the access control list in protected memory, while preventing the encryption key and the access control list from being stored on a hard disk, wherein:
at least a part of the web resource operates on the second server; and
the protected memory is not accessible by a web resource administrator of the second server.
15. A computer-readable memory having stored thereon a sequence of instructions which, when executed by one or more processors, causes the one or more processors to manage a security policy for a web resource by a key manager by:
receiving an encryption key policy and a key expiration date;
receiving a time of day restriction and a data quota;
receiving, from the web resource, one or more user identifiers, wherein the web resource operates on a separate server;
receiving a selection of user identifiers from the one or more user identifiers;
defining an access control list based on the selection of user identifiers, the encryption key policy, the time of day restriction, and the data quota;
receiving, from the web resource on the separate server, one or more resource locators;
receiving a selection of a first resource locator from the one or more resource locators;
associating the access control list and the encryption key policy with the first resource locator;
generating an encryption key and a key identifier for the first resource locator;
sending the encryption key, the key identifier, and the access control list to a transparent encryption module, wherein:
the transparent encryption module is communicatively coupled to the web resource; and
the transparent encryption module is located on the separate server;
encrypting the encryption key using a master encryption key; and
storing the encrypted encryption key on a hard drive of the key manager;
wherein the hard drive is physically secured from a web resource administrator of the separate server.
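The access decision a transparent encryption module could make from the access control list of claim 15 (user selection, key expiration date, time-of-day restriction, data quota), as an added example that is not the patent's own code. The field names, per-user quota accounting, deny reasons and the handling of a window that wraps past midnight are assumptions, since the claims name these inputs without defining their semantics.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class AccessControlList:
    # Field names are assumptions; claim 15 only names the inputs.
    key_id: str
    users: frozenset          # selected user identifiers
    key_expires: datetime     # key expiration date (naive, one clock assumed)
    window_start: time        # time-of-day restriction, start inclusive
    window_end: time          # end exclusive
    quota_bytes: int          # data quota, assumed to be per user

def in_window(start, end, now):
    if start <= end:
        return start <= now < end
    return now >= start or now < end   # window wraps past midnight

def authorize(acl, usage, user, nbytes, when):
    """Return (allowed, reason); usage maps user -> bytes already passed.
    Every check denies on failure, and usage is only charged on success."""
    if user not in acl.users:
        return False, "user-not-in-acl"
    if when >= acl.key_expires:
        return False, "key-expired"
    if not in_window(acl.window_start, acl.window_end, when.time()):
        return False, "outside-time-window"
    if usage.get(user, 0) + nbytes > acl.quota_bytes:
        return False, "quota-exceeded"
    usage[user] = usage.get(user, 0) + nbytes
    return True, "ok"

# Constructed sample policy: night-shift access only, 1000-byte quota.
ACL = AccessControlList(
    key_id="key-0001", users=frozenset({"alice", "bob"}),
    key_expires=datetime(2030, 1, 1),
    window_start=time(22, 0), window_end=time(6, 0), quota_bytes=1000)

def demo():
    usage = {}
    night = datetime(2029, 6, 1, 23, 30)
    return [
        authorize(ACL, usage, "alice", 600, night),
        authorize(ACL, usage, "alice", 600, night),       # would exceed quota
        authorize(ACL, usage, "mallory", 1, night),       # not selected
        authorize(ACL, usage, "bob", 1, datetime(2029, 6, 1, 12, 0)),
        authorize(ACL, usage, "bob", 1, datetime(2030, 1, 1, 23, 0)),
    ]
```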
20. A system for maintaining the integrity of a transparent encryption system for a web resource by a watchdog function, the system comprising:
a processor; and
a memory communicatively coupled with and readable by the processor and having stored therein a sequence of instructions which, when executed by the processor, cause the processor to maintain the integrity of the transparent encryption system by:
establishing a secure communication channel between a key manager operating on a first server and a transparent encryption module operating on a second server;
receiving, from the key manager, information associated with a first resource locator in the web resource, wherein the information comprises:
an encryption key;
a key identifier; and
an access control list;
sending the information to the transparent encryption module using the secure communication channel;
logging, on the first server, an attempt to access a first resource associated with the first resource locator by the transparent encryption module on the second server;
crawling the web resource on the second server to identify unencrypted resources that should be encrypted according to the encryption policy, wherein the watchdog function uses an API of the web resource;
monitoring the key manager to detect attempts to change a configuration of the key manager; and
monitoring the transparent encryption module to determine whether any software is operating between the transparent encryption module and the web resource.
Specification