Security Layer and Methods for Protecting Tenant Data in a Cloud-Mediated Computing Network

US 20140075568A1
Filed: 09/07/2012
Published: 03/13/2014
Est. Priority Date: 09/07/2012
Status: Active Grant

First Claim

Patent Images

1. A system for protecting data managed in a cloud-computing network from malicious data operations comprising:

an Internet-connected server; and

software executing on the server from a non-transitory physical medium, the software providing;

a first function adapted for generating one or more security tokens that validate one or more computing operations to be performed on the data;

a second function adapted for generating a hash for each token generated, the hash detailing, in a secure fashion, the operation type or types permitted by the one or more tokens;

a third function adapted for brokering two-party signature of the one or more tokens; and

a fourth function adapted for dynamically activating the one or more signed tokens for a specific time window required to perform the operations permitted by the token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for protecting data managed in a cloud-computing network from malicious data operations includes an Internet-connected server and software executing on the server from a non-transitory physical medium, the software providing a first function for generating one or more security tokens that validate one or more computing operations to be performed on the data, a second function for generating a hash for each token generated, the hash detailing, in a secure fashion, the operation type or types permitted by the one or more tokens, a third function for brokering two-party signature of the one or more tokens, and a fourth function for dynamically activating the one or more signed tokens for a specific time window required to perform the operations permitted by the token.

101 Citations

View as Search Results

17 Claims

1. A system for protecting data managed in a cloud-computing network from malicious data operations comprising:
- an Internet-connected server; and
  
  software executing on the server from a non-transitory physical medium, the software providing;
  
  a first function adapted for generating one or more security tokens that validate one or more computing operations to be performed on the data;
  
  a second function adapted for generating a hash for each token generated, the hash detailing, in a secure fashion, the operation type or types permitted by the one or more tokens;
  
  a third function adapted for brokering two-party signature of the one or more tokens; and
  
  a fourth function adapted for dynamically activating the one or more signed tokens for a specific time window required to perform the operations permitted by the token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the cloud-computing network is a public network based on an Infrastructure as a Service (IaaS) model.
  - 3. The system of claim 1, implemented in a virtual machine monitoring layer.
  - 4. The system of claim 3, further integrated into a Dom0 system kernel.
  - 5. The system of claim 1, wherein the available computing operations attributed to the one or more generated tokens are pre-defined attributes of a parent object, the operations agreed to in a service level agreement (SLA) between a cloud computing tenant and a cloud computing service provider.
  - 6. The system of claim 1, wherein the one or more generated tokens are stored in an inactive and signed state until they are required to validate a requested operation.
  - 7. The system of claim 1, wherein one or more of the tokens are reusable tokens that are uniquely identified at each instance of use.
  - 8. The system of claim 1, wherein one or more tokens are dynamically generated upon request of a cloud service administrator or cloud tenant for performance of one or more data operations outside of a current SLA.
  - 9. The system of claim 8, wherein the one or more dynamically generated tokens are added to a token storage space containing the pre-negotiated tokens, the one or more tokens incorporating one or more new operations into the SLA as one or more updates.
  - 10. The system of claim 1, wherein the one or more tokens are signed using privately held keys.
  - 11. The system of claim 1, wherein the hash of a token is compared to an embedded hash value to validate the content and operation integrity of the token before activation for use.
  - 12. The system of claim 1 further including a fifth function for validating one or more tokens for operation against pre-negotiated list of permitted operations in the SLA policy governing the provider/tenant relationship.

13. A method for securing against internal malicious operations against data stored on a cloud-computing network comprising the steps:
- (a) generating one or more security tokens that validate one or more computing operations permitted on the data, the operations listed in a pre-negotiated service level agreement between a tenant and service provider of the cloud computing network;
  
  (b) generating hashes for the one or more security tokens, the hashes validating the integrity of each token relevant to the operation or operations that each token permits;
  
  (c) signing the one or more tokens using encryption keys privately held by the tenant and the service provider;
  
  (d) upon request, activating one or more of the tokens to initiate one or more computing operations permitted on the data.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein the cloud-computing network is a public network based on an Infrastructure as a Service (IaaS) model.
  - 15. The method of claim 13, wherein the available computing operations attributed to the one or more generated tokens are pre-defined attributes of a parent object, the operations agreed to in a service level agreement (SLA) between a cloud computing tenant and a cloud computing service provider.
  - 16. The method of claim 13, wherein the one or more generated tokens are stored in an inactive and signed state until they are required to validate a requested operation.

17-20. -20. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amrita Vishwa Vidyapeetham Deemded University
Original Assignee
Amrita Vishwa Vidyapeetham Deemded University
Inventors
Rangan, P. Venkat, Sathyadevan, Shiju, Achuthan, Krishnashree

Granted Patent

US 9,710,664 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/27
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 21/6218 to a system of files or obj...

Security Layer and Methods for Protecting Tenant Data in a Cloud-Mediated Computing Network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

101 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Security Layer and Methods for Protecting Tenant Data in a Cloud-Mediated Computing Network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links