TECHNIQUES FOR ACHIEVING TENANT DATA CONFIDENTIALITY FROM CLOUD SERVICE PROVIDER ADMINISTRATORS

US 20120328105A1
Filed: 09/12/2012
Published: 12/27/2012
Est. Priority Date: 09/20/2011
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors of a machine configured to perform the method, comprising:

establishing, on the machine, a tenant storage machine (TSM) in a cloud storage environment for an authenticated tenant;

managing, from the machine, a tenant key store within the TSM for the authenticated tenant, the tenant key store including encryption keys for encrypting data of the authenticated tenant within the cloud storage environment; and

ensuring, from the machine, just TSM storage processes are given access to the tenant key store.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for achieving tenant data confidentiality in a cloud environment are presented. A daemon process within a Tenant Storage Machine (TSM) manages a key store for a particular tenant of a cloud storage environment having multiple other tenants. Just TSM storage processes are given access to the key store. Data is decrypted for the particular tenant when access is needed and data is encrypted using encryption keys of the key store when written in the cloud storage environment.

107 Citations

20 Claims

1. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors of a machine configured to perform the method, comprising:
- establishing, on the machine, a tenant storage machine (TSM) in a cloud storage environment for an authenticated tenant;
  
  managing, from the machine, a tenant key store within the TSM for the authenticated tenant, the tenant key store including encryption keys for encrypting data of the authenticated tenant within the cloud storage environment; and
  
  ensuring, from the machine, just TSM storage processes are given access to the tenant key store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein establishing further includes creating the TSM as a Virtual Machine (VM) and processing environment within the cloud storage environment for the authenticated tenant to access the data of the authenticated tenant.
  - 3. The method of claim 1, wherein managing further includes ensuring that the TSM includes just one key store, which is the tenant key store of the authenticated tenant.
  - 4. The method of claim 1, wherein managing further includes creating the tenant key store as a container within the TSM for the authenticated tenant.
  - 5. The method of claim 1, wherein managing further includes delegating management and any access to the tenant key store to a key daemon that processes within the TSM.
  - 6. The method of claim 1, wherein managing further includes restricting root processes from accessing to the tenant key store.
  - 7. The method of claim 6, wherein restricting further includes limiting Application Programming Interface (API) calls that can be initiated outside the TSM and ensuring all such calls have no access to the tenant key store.
  - 8. The method of claim 1, wherein ensuring further includes using the encryption keys by the TSM storage processes to encrypt changed data written in the cloud storage environment before that changed data is stored in the cloud storage environment.
  - 9. The method of claim 1 further comprising, decrypting the data for the authenticated tenant by the TSM storage processes at startup for a storage session between the tenant and the TSM.
  - 10. The method of claim 9, wherein decrypting further includes using, by the TSM storage processes, a master key housed with the data to decrypt the encryption keys from the tenant key store.
  - 11. The method of claim 10, wherein using further includes using the master key to decrypt the data within the TSM for the storage session.

12. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors of a machine configured to perform the method, comprising.acquiring, on the machine, a master key for a tenant when a tenant storage machine (TSM) is initiated to the tenant in a cloud storage environment;
- decrypting, on the machine, encryption keys using the master key when data is being read within the TSM; and
  
  generating, on the machine random additional encryption keys and encrypting those random additional encryption keys with the master key and then encrypting additional data being written in the cloud storage environment with the random additional encryption keys.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12 further comprising, providing the encrypted random additional encryption keys to a key daemon processing within the TSM.
  - 14. The method of claim 13 further comprising storing the master key, encrypted versions of the encryption keys, and encrypted versions of the random additional encryption keys within the cloud storage environment when the TSM is terminated.
  - 15. The method of claim 14 further comprising, using a predefined algorithm to hide the encrypted versions of the encrypted keys and the encrypted versions of the random additional encrypted keys within the cloud storage environment.
  - 16. The method of claim 12, wherein generating further includes using a specific encryption key for each block of data being written in the cloud storage environment, wherein each block having a different encryption key from other blocks.
  - 17. The method of claim 12, wherein generating further includes generating a new random encryption key each time any new additional data is written to the cloud storage environment.

18. A system, comprising:
- a cloud storage environment having one or more processors, memory, and storage, the cloud storage environment situated in a cloud environment and accessed over a network; and
  
  the memory configured with a key manager implemented as executable instructions that process on the one or more processors of the cloud storage environment;
  
  wherein the key manager is configured to maintain a key storage for a particular tenant using a particular tenant storage machine (TSM) within the cloud storage environment shared by multiple other tenants, the key storage including a master key and a plurality of encrypted encryption keys, the key manger only allows TSM storage processes to access the key storage.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the TSM is a Virtual Machine and processing environment established dynamically for the particular tenant when a storage session with the cloud storage environment is initiated.
  - 20. The system of claim 19, wherein the key storage is hidden and stored in the cloud storage environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mayadata, Inc.
Original Assignee
Mayadata, Inc.
Inventors
Ranganathan, Shyamsundar, Mukkara, Umasankar, Xavier, Felix

Granted Patent

US 9,270,459 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 9/0897 involving additional device...

TECHNIQUES FOR ACHIEVING TENANT DATA CONFIDENTIALITY FROM CLOUD SERVICE PROVIDER ADMINISTRATORS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

107 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR ACHIEVING TENANT DATA CONFIDENTIALITY FROM CLOUD SERVICE PROVIDER ADMINISTRATORS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links