Transparent Encryption/Decryption Gateway for Cloud Storage Services

US 20140195798A1
Filed: 01/09/2014
Published: 07/10/2014
Est. Priority Date: 01/09/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for secure data storage in a storage in a distributed computing system by a client of the distributed computing system, the method comprising in a gateway device of the distributed computing system:

intercepting a data file from at least a portion of stream data during transmission of the stream data in the distributed computing system;

evaluating the data file for determining a communication protocol used for the team data transmission;

evaluating the data file based on the communication protocol for determining a destination and a source of the data file;

responsive to determining the destination is the storage and the source is the client;

selecting a set of analysis algorithms from a plurality of predetermined analysis algorithms;

analyzing the data file using each of the analysis algorithms of the set of analysis algorithms for determining whether the data file comprises sensitive data;

in response to a determination that the data file comprises sensitive data, replacing payload content of the data file with encrypted payload data; and

transmitting the data file to the storage.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism is provided for secure data storage in a distributed computing system by a client of the distributed computing system. A gateway device intercepts a data file from at least a portion of stream data during transmission. If the destination of the data file is the storage, the gateway device selects a set of analysis algorithms to determine whether the data file comprises sensitive data.

68 Citations

View as Search Results

20 Claims

1. A computer implemented method for secure data storage in a storage in a distributed computing system by a client of the distributed computing system, the method comprising in a gateway device of the distributed computing system:
- intercepting a data file from at least a portion of stream data during transmission of the stream data in the distributed computing system;
  
  evaluating the data file for determining a communication protocol used for the team data transmission;
  
  evaluating the data file based on the communication protocol for determining a destination and a source of the data file;
  
  responsive to determining the destination is the storage and the source is the client;
  
  selecting a set of analysis algorithms from a plurality of predetermined analysis algorithms;
  
  analyzing the data file using each of the analysis algorithms of the set of analysis algorithms for determining whether the data file comprises sensitive data;
  
  in response to a determination that the data file comprises sensitive data, replacing payload content of the data file with encrypted payload data; and
  
  transmitting the data file to the storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 15, 16, 17)
- - 2. The method according to claim 1, wherein the distributed computing system is a cloud computing system.
  - 3. The method according to claim 1, wherein evaluating the data file for determining the communication protocol comprises:
    - determining that the data file is encrypted; and
      
      determining an encryption key used to encrypt the data,wherein the method further comprises;
      
      responsive to determining the destination is the client and the source is the storage;
      
      decrypting the data file using the determined encryption key; and
      
      transmitting the data file to the client responsive to decrypting the data file.
  - 4. The method according to claim 3, wherein in case the encryption key used to encrypt the data file is unknown the determining the encryption key comprises recovering during a predefined time period said encryption key using a Rainbow table.
  - 5. The method according to claim 1, wherein the intercepting comprises:
    - sequentially intercepting data packets of data file;
      
      determining if the data file is complete;
      
      in response to a determination that the data file is not complete, sending an acknowledgment message to the client for triggering further data transmission from the client.
  - 6. The method according to claim 1, wherein the gateway device comprises a data structure of one or more entries comprising client category identifiers and corresponding encryption data, wherein replacing payload content of the data file with encrypted payload data comprises:
    - determining a client category identifier of the client;
      
      reading the data structure using the client category identifier; and
      
      determining the at least one encryption key based on the encryption data corresponding to the determined client category identifier.
  - 7. The method according to claim 6, wherein the encryption data is indicative of an encryption strength in one or more levels of encryption.
  - 8. The method according to claim 6, wherein determining the at least one encryption key comprises:
    - generating the at least one encryption key;
      
      orselecting the at least one encryption key from plurality of stored encryption keys.
  - 9. The method according claim 1, wherein the plurality of analysis algorithms comprises an analysis algorithm for identifying sensitive data in the payload content of the data file by comparing the payload content of the data file with sensitive data pattern definitions stored in the distributed computing system.
  - 10. The method according to claim 1, wherein the plurality of analysis algorithms further comprises a Reverse Spam Analysis algorithm.
  - 11. The method according to claim 10, wherein analysis of the data file using the Reverse Spam Analysis algorithm comprises:
    - providing reference data for sensitive and non-sensitive data respectively;
      
      processing the reference data by a statistical learning technique for generating weights to denote sensitive and non-sensitive data;
      
      using the generated weights for determining whether the payload content of the data file comprises sensitive data.
  - 12. The method according to claim 15, wherein the distributed computing system comprises an access control list associated with the data file, the access control list comprising client identifiers of clients having access to the data file, wherein transmitting the data file to the client comprises:
    - identifying a client identifier of the client, wherein the predefined authorization condition is satisfied if the access control list comprises the client identifier.
  - 15. The method according to claim 1, further comprising:
    - responsive to determining the destination is the client and the source is the storage;
      
      determining whether the data file is encrypted in accordance with an encryption key of a plurality of stored encryption keys;
      
      responsive to determining the data file is encrypted with a stored encryption key, decrypting the data file using the stored encryption key; and
      
      transmitting the data file to the client in response to determining that the client satisfies a predefined authorization condition.
  - 16. The method according to claim 1, wherein analyzing the data file using each of the analysis algorithms for determining whether the data file comprises sensitive data comprises:
    - determining a respective set of results;
      
      associating each result of the set of results with a number indicating whether the data file comprises sensitive or not sensitive data;
      
      calculating a weighted sum of the numbers indicating whether the data file comprises sensitive data using the predefined weights;
      
      comparing the weighted sum with a predetermined sensitivity threshold value.
  - 17. The method according to claim 1, wherein replacing payload content of the data file with encrypted payload data comprises:
    - creating a data container;
      
      encrypting the payload content of the data file using at least one encryption key;
      
      storing the at least one encryption key;
      
      storing the encrypted payload content in the data container;
      
      augmenting or reducing a size of the payload content of the data container such that the size of the payload content of the data container equals a size of the payload content of the data file; and
      
      replacing the payload content of the data file with the payload content of the data container.

13. A computer-readable storage medium, comprising computer-readable program code embodied therewith which, when executed by a processor, causes the processor to:
- intercept a data file from at least a portion of stream data during transmission of the stream data in the distributed computing system;
  
  evaluate the data file for determining a communication protocol used for the stream data transmission;
  
  evaluate the data file based on the communication protocol for determining a destination and a source of the data file;
  
  responsive to determining the destination is the storage and the source is the client;
  
  select a set of analysis algorithms from a plurality of predetermined analysis algorithms;
  
  analyze the data file using each of the analysis algorithms of the set of analysis algorithms for determining whether the data file comprises sensitive data;
  
  in response to a determination that the data file comprises sensitive data, replace content of the data file with encrypted payload data; and
  
  transmit the data file to the storage.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable storage medium according to claim 13, wherein the computer-readable program code further causes the processor to:
    - responsive to determining the destination is the client and the source is the storage;
      
      determining whether the data file is encrypted in accordance with an encryption key of a plurality of stored encryption keys;
      
      responsive to determining the data file is encrypted with a stored encryption key, decrypting the data file using the stored encryption key; and
      
      transmitting the data file to the client in response to determining that the client satisfies a predefined authorization condition.
  - 19. The computer-readable storage medium according to claim 13, wherein analyzing the data file using each of the analysis algorithms for determining whether the data file comprises sensitive data comprises:
    - determining a respective set of results;
      
      associating each result of the set of results with a number indicating whether the data file comprises sensitive or not sensitive data;
      
      calculating a weighted sum of the numbers indicating whether the data file comprises sensitive data using the predefined weights;
      
      comparing the weighted sum with a predetermined sensitivity threshold value.
  - 20. The computer-readable storage medium according to claim 13, wherein replacing payload content of the data file with encrypted payload data comprises:
    - creating a data container;
      
      encrypting the payload content of the data file using at least one encryption key;
      
      storing the at least one encryption key;
      
      storing the encrypted payload content in the data container;
      
      augmenting or reducing a size of the payload content of the data container such that the size of the payload content of the data container equals a size of the payload content of the data file; and
      
      replacing the payload content of the data file with the payload content of the data container.

14. A gateway device for secure data storage in a storage in a distributed computing system, the gateway device comprising a memory for storing machine executable instructions and a processor for controlling the gateway device, wherein execution of the machine executable instructions causes the processor to:
- intercept a data file from at least a portion of stream data during transmission of the stream data in the distributed computing system;
  
  evaluate the data file for determining a communication protocol used for the stream data transmission;
  
  evaluate the data file based on the communication protocol for determining a destination and a source of the data file;
  
  responsive to determining the destination is the storage and the source is the client;
  
  select a set of analysis algorithms from a plurality of predetermined analysis algorithms;
  
  analyze the data file using each of the analysis algorithms of the set of analysis algorithms for determining whether the data file comprises sensitive data;
  
  in response to a determination that the data file comprises sensitive data, replace payload content of the data file with encrypted payload data; and
  
  transmit the data file to the storage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Seul, Matthias, Brugger, Dominik W.

Granted Patent

US 9,306,917 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/154
CPC Class Codes

G06F 21/60   Protecting data

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/101   Access control lists [ACL]

H04L 63/1441   Countermeasures against mal...

Transparent Encryption/Decryption Gateway for Cloud Storage Services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent Encryption/Decryption Gateway for Cloud Storage Services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links