SYSTEM AND METHOD FOR TOKENIZATION OF DATA FOR STORAGE IN A CLOUD

US 20120278504A1
Filed: 04/19/2012
Published: 11/01/2012
Est. Priority Date: 04/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method of obfuscating data in a data object, comprising:

receiving, by an intercepting proxy server computer, the data object from a client device;

at the intercepting proxy server computer, generating a modified data object for transmission to a server computer in a cloud, comprising;

(i) identifying a real data element in the data object;

(ii) creating a token having a random token value;

(iii) concatenating a predetermined prefix and the random token value to generate a replacement value;

(iv) storing the real data element in a look up table indexed by the random token value; and

(v) replacing the real data element with the replacement value, thus generating the modified data object.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intercepting proxy server processes traffic between an enterprise user and a cloud application. The intercepting proxy server provides interception of real data elements in communications from the enterprise to the cloud and replacing them with obfuscating tokens which are randomly generated. To the cloud application real data are only visible as tokens. Tokens included in results returned from the cloud, are intercepted by the intercepting proxy server, and replaced with the corresponding real data elements. The obfuscating tokens are not computationally related to the original sensitive value. Each intercepted real data element is stored in a local persistent storage layer, and indexed by the corresponding obfuscating token, allowing the real data element to be retrieved when the token is returned from the cloud, for delivery to the user.

44 Citations

View as Search Results

29 Claims

1. A method of obfuscating data in a data object, comprising:
- receiving, by an intercepting proxy server computer, the data object from a client device;
  
  at the intercepting proxy server computer, generating a modified data object for transmission to a server computer in a cloud, comprising;
  
  (i) identifying a real data element in the data object;
  
  (ii) creating a token having a random token value;
  
  (iii) concatenating a predetermined prefix and the random token value to generate a replacement value;
  
  (iv) storing the real data element in a look up table indexed by the random token value; and
  
  (v) replacing the real data element with the replacement value, thus generating the modified data object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising transmitting the modified data object from the intercepting proxy server computer to the server computer in the cloud.
  - 3. The method of claim 1, further comprising:
    - receiving a returned data object, comprising a returned data element, from the server computer in the cloud;
      
      identifying the returned data element as a token-to-be-replaced;
      
      replacing the token-to-be-replaced with the real data element, thereby generating a modified returned data object; and
      
      transmitting the modified returned data object to the client device.
  - 4. The method of claim 1, wherein the step (iv) of storing further comprises storing the look up table in a persistent storage device.
  - 5. The method of claim 1, wherein the step (iii) of concatenating further comprises adding a predetermined suffix to the replacement value.
  - 6. The method of claim 1, the step (i) of identifying the real data element further comprises:
    - mapping the data in the data object against a dictionary of attributes; and
      
      identifying the real data element using a corresponding attribute in the dictionary.
  - 7. The method of claim 3, wherein the identifying the token-to-be-replaced further comprises:
    - mapping data in the returned data object against a dictionary of attributes; and
      
      identifying the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.
  - 8. The method of claim 3, wherein the replacing the token-to-be-replaced further comprises:
    - extracting the random token value from the token-to-be-replaced; and
      
      determining the real data element, comprising indexing the look up table with the random token value.
  - 9. The method of claim 3, wherein the replacing the token-to-be-replaced further comprises formatting the real data element according to a context in the returned data object.

10. An intercepting proxy server computer, comprising:
- a processor;
  
  a memory having computer readable instructions stored thereon for execution by the processor, causing the processor to obfuscate data in a data object, comprising;
  
  receiving a data object from a client device;
  
  generating a modified data object for transmission to a server computer in a cloud, comprising;
  
  (i) identifying a real data element in the data object;
  
  (ii) creating a token having a random token value;
  
  (iii) concatenating a predetermined prefix and the token value to generate a replacement value;
  
  (iv) storing the real data element in a look up table indexed by the random token value; and
  
  (v) replacing the real data element with the replacement value, thus generating the modified data object.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 28)
- - 11. The intercepting proxy server computer of claim 10, wherein the computer readable instructions further cause the processor to transmit the modified data object from the intercepting proxy server computer to the server computer in the cloud.
  - 12. The intercepting proxy server computer of claim 10, wherein the computer readable instructions further cause the processor to:
    - receive a returned data object, comprising a returned data element, from the server computer in the cloud;
      
      identify the returned data element as a token-to-be-replaced;
      
      replace the token-to-be-replaced with the real data element, thereby generating a modified returned data object; and
      
      transmit the modified returned data object to the client device.
  - 13. The intercepting proxy server computer of claim 10, wherein the computer readable instructions further cause the processor to store the look up table in a persistent storage device.
  - 14. The intercepting proxy server computer of claim 10, wherein the computer readable instructions of concatenating further cause the processor to add a predetermined suffix to the replacement value.
  - 15. The intercepting proxy server computer of claim 10, wherein the computer readable instructions of identifying the real data element further cause the processor to:
    - map the data in the data object against a dictionary of attributes; and
      
      identify the real data element using a corresponding attribute in the dictionary.
  - 16. The intercepting proxy server computer of claim 12, wherein the computer readable instructions of identifying the real data element further cause the processor to:
    - map data in the returned data object against a dictionary of attributes; and
      
      identify the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.
  - 17. The intercepting proxy server computer of claim 12, wherein the computer readable instructions of replacing the token-to-be-replaced further cause the processor to:
    - extract the random token value from the token-to-be-replaced; and
      
      determine the real data element, comprising indexing the look up table with the random token value.
  - 18. The intercepting proxy server computer of claim 12, the computer readable instructions of replacing the token-to-be-replaced further cause the processor to format the real data element according to a context in the returned data object.
  - 28. A computer network, comprising the intercepting proxy server computer of claim 10.

19. An intercepting proxy server computer, comprising:
- a processor including a network input/output (TO) system configured to receive a data object from a client device;
  
  a memory having computer readable instructions stored thereon for execution by the processor, causing the processor to obfuscate data in a data object and generate a modified data object for transmission to a server computer in a cloud, forming;
  
  a tooling module configured to identify a real data element in the data object;
  
  a random token generator configured to create a token having a random token value;
  
  a look up table for storing the real data element indexed by the random token value;
  
  a token packaging module configured to concatenate a predetermined prefix and the random token value to generate a replacement value and to replace the real data element with the replacement value, thus generating the modified data object.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 29)
- - 20. The intercepting proxy server computer of claim 19, wherein the network input/output (TO) system is further configured to transmit the modified data object from the intercepting proxy server computer to the server computer in the cloud.
  - 21. The intercepting proxy server computer of claim 19, wherein:
    - the network input/output (TO) system is further configured to receive a returned data object, comprising a returned data element, from the server computer in the cloud;
      
      the tooling module is further configured to identify the returned data element as a token-to-be-replaced;
      
      the intercepting proxy server computer further comprising a context formatting module configured to replace the token-to-be-replaced with the real data element, thereby generating a modified returned data object; and
      
      the network input/output (TO) system is further configured to transmit the modified returned data object to the client device.
  - 22. The intercepting proxy server computer of claim 19, wherein the look up table is stored in a persistent storage device.
  - 23. The intercepting proxy server computer of claim 19, wherein the token packaging module is further configured to add a predetermined suffix to the replacement value.
  - 24. The intercepting proxy server computer of claim 19, wherein the tooling module is further configured to map the data in the data object against a dictionary of attributes and identify the real data element using a corresponding attribute in the dictionary.
  - 25. The intercepting proxy server computer of claim 21, wherein the tooling module is further configured to map data in the returned data object against a dictionary of attributes and identify the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.
  - 26. The intercepting proxy server computer of claim 21, wherein the look up table is configured to extract the random token value from the token-to-be-replaced and to use the random token value as index into the look up table thereby determining the real data element.
  - 27. The intercepting proxy server computer of claim 21, further comprising a context formatting module configured to format the real data element according to a context in the returned data object.
  - 29. A computer network, comprising the intercepting proxy server computer of claim 19.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Blue Coat Systems Incorporated (Gen Digital Inc.)
Inventors
Woloszyn, Terrence Peter, ANG, George Weilun, Townsend, Derek Jon, Woelful, John Harold

Granted Patent

US 9,021,135 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/246
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/602   Providing cryptographic fac...

G09C 1/00   Apparatus or methods whereb...

H04L 61/2596   Translation of addresses of...

H04L 61/301   Name conversion

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

SYSTEM AND METHOD FOR TOKENIZATION OF DATA FOR STORAGE IN A CLOUD

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR TOKENIZATION OF DATA FOR STORAGE IN A CLOUD

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links