SYSTEMS AND METHODS FOR IMPLEMENTING TRANSPARENT ENCRYPTION
First Claim
1. A method of providing transparent encryption for a web resource, the method comprising:
- receiving, at a key manager operating on a first server, an encryption key policy;
receiving, at the key manager, from the web resource, one or more user identifiers and one or more resource locators, wherein the web resource comprises a file store accessible to a plurality of users and is operated by a resource administrator;
defining, at the key manager, an access control list based on a selection of user identifiers;
associating, at the key manager, the access control list and the encryption key policy with a first resource locator from the one or more resource locators;
generating, at the key manager, an encryption key and a key identifier for the first resource locator;
establishing, by a first watchdog module operating on the first server, a secure communication channel between the first watchdog module and a second watchdog module operating on a second server;
sending, from the first watchdog module, to the second watchdog module, encryption information using the secure communication channel, wherein the encryption information comprises;
the encryption key, the key identifier, and the access control list;
storing, at a transparent encryption module on the second server, the encryption key and the access control list in protected memory;
receiving, at the transparent encryption module, from a client device, an input comprising a request to access a first resource stored in the web resource and a user identifier;
determining, at the transparent encryption module, that the user identifier is included in the access control list for the first resource;
encrypting, at the transparent encryption module, using the encryption key, data that is passed from the client device to the first resource; and
decrypting, at the transparent encryption module, using the encryption key, data that is passed from the first resource to the client device.
1 Assignment
0 Petitions
Accused Products
Abstract
A method of providing transparent encryption for a web resource includes a key manager receiving an encryption key policy; receiving user identifiers and resource locators; defining an access control list based the user identifiers; generating an encryption key and a key identifier for a first resource locator; and establishing a secure communication channel between first and second watchdog modules. The method also includes the watchdog sending encryption information using the secure communication channel. The method also includes a transparent encryption module storing the encryption key and the access control list in protected memory; receiving an input comprising a request to access the first resource stored in the web resource; determining that the user identifier is included in the access control list; encrypting data using the encryption key; and decrypting data using the encryption key.
-
Citations
19 Claims
-
1. A method of providing transparent encryption for a web resource, the method comprising:
-
receiving, at a key manager operating on a first server, an encryption key policy; receiving, at the key manager, from the web resource, one or more user identifiers and one or more resource locators, wherein the web resource comprises a file store accessible to a plurality of users and is operated by a resource administrator; defining, at the key manager, an access control list based on a selection of user identifiers; associating, at the key manager, the access control list and the encryption key policy with a first resource locator from the one or more resource locators; generating, at the key manager, an encryption key and a key identifier for the first resource locator; establishing, by a first watchdog module operating on the first server, a secure communication channel between the first watchdog module and a second watchdog module operating on a second server; sending, from the first watchdog module, to the second watchdog module, encryption information using the secure communication channel, wherein the encryption information comprises;
the encryption key, the key identifier, and the access control list;storing, at a transparent encryption module on the second server, the encryption key and the access control list in protected memory; receiving, at the transparent encryption module, from a client device, an input comprising a request to access a first resource stored in the web resource and a user identifier; determining, at the transparent encryption module, that the user identifier is included in the access control list for the first resource; encrypting, at the transparent encryption module, using the encryption key, data that is passed from the client device to the first resource; and decrypting, at the transparent encryption module, using the encryption key, data that is passed from the first resource to the client device. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A method of providing transparent encryption for a web resource, the method comprising:
-
receiving, at a second server, from a key manager operating on a first server, information comprising; an encryption key; a key identifier; an access control list; and one or more resource locators; receiving one or more resources from the web resource, wherein each resource corresponds to one of the one or more resource locators; encrypting each of the one or more resources using the encryption key to create one or more encrypted resources; appending the key identifier to each of the one or more encrypted resources; sending the one or more encrypted resources to the web resource; and storing the encryption key and the access control list in protected memory, while preventing the encryption key and the access control list from being stored on a hard disk, wherein; at least a part of the web resource operates on the second server; and the protected memory is not accessible by a web resource administrator of the second server. - View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
-
-
15. A non-transitory computer-readable memory having stored thereon a sequence of instructions which, when executed by one or more processors, causes the one or more processors to manage a security policy for a web resource by a key manager by:
-
receiving an encryption key policy and a key expiration date; receiving a time of day restriction and a data quota; receiving, from the web resource, one or more user identifiers, wherein the web resource operates on a separate server; receiving a selection of user identifiers from the one or more user identifiers; defining an access control list based on the selection of user identifiers, the encryption key policy, the time of day restriction, and the data quota; receiving, from the web resource on the separate server, one or more resource locators; receiving a selection of a first resource locator from the one or more resource locators; associating the access control list and the encryption key policy with the first resource locator; generating an encryption key and a key identifier for the first resource locator; sending the encryption key, the key identifier, and the access control list to a transparent encryption module, wherein; the transparent encryption module is communicatively coupled to the web resource; and the transparent encryption module is located on the separate server; encrypting the encryption key using a master encryption key; and storing the encrypted encryption key on a hard drive of the key manager;
wherein the hard drive is physically secured from a web resource administrator of the separate server. - View Dependent Claims (16, 17, 18, 19)
-
Specification