TECHNIQUES FOR ACHIEVING TENANT DATA CONFIDENTIALITY FROM CLOUD SERVICE PROVIDER ADMINISTRATORS
First Claim
Patent Images
1. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors of a machine configured to perform the method, comprising:
- establishing, on the machine, a tenant storage machine (TSM) in a cloud storage environment for an authenticated tenant;
managing, from the machine, a tenant key store within the TSM for the authenticated tenant, the tenant key store including encryption keys for encrypting data of the authenticated tenant within the cloud storage environment; and
ensuring, from the machine, just TSM storage processes are given access to the tenant key store.
1 Assignment
0 Petitions
Accused Products
Abstract
Techniques for achieving tenant data confidentiality in a cloud environment are presented. A daemon process within a Tenant Storage Machine (TSM) manages a key store for a particular tenant of a cloud storage environment having multiple other tenants. Just TSM storage processes are given access to the key store. Data is decrypted for the particular tenant when access is needed and data is encrypted using encryption keys of the key store when written in the cloud storage environment.
107 Citations
20 Claims
-
1. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors of a machine configured to perform the method, comprising:
-
establishing, on the machine, a tenant storage machine (TSM) in a cloud storage environment for an authenticated tenant; managing, from the machine, a tenant key store within the TSM for the authenticated tenant, the tenant key store including encryption keys for encrypting data of the authenticated tenant within the cloud storage environment; and ensuring, from the machine, just TSM storage processes are given access to the tenant key store. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors of a machine configured to perform the method, comprising.
acquiring, on the machine, a master key for a tenant when a tenant storage machine (TSM) is initiated to the tenant in a cloud storage environment; -
decrypting, on the machine, encryption keys using the master key when data is being read within the TSM; and generating, on the machine random additional encryption keys and encrypting those random additional encryption keys with the master key and then encrypting additional data being written in the cloud storage environment with the random additional encryption keys. - View Dependent Claims (13, 14, 15, 16, 17)
-
-
18. A system, comprising:
-
a cloud storage environment having one or more processors, memory, and storage, the cloud storage environment situated in a cloud environment and accessed over a network; and the memory configured with a key manager implemented as executable instructions that process on the one or more processors of the cloud storage environment; wherein the key manager is configured to maintain a key storage for a particular tenant using a particular tenant storage machine (TSM) within the cloud storage environment shared by multiple other tenants, the key storage including a master key and a plurality of encrypted encryption keys, the key manger only allows TSM storage processes to access the key storage. - View Dependent Claims (19, 20)
-
Specification