VIRTUAL SERVICE PROVIDER ZONES
Abstract
A service proxy serves as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.
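The store and retrieve flow from the abstract, as an added Go example (not code from the patent or its assignee). The cipher (AES-GCM), the in-memory `BackingStore`, and the names `Proxy`, `NewProxy`, `Put` and `Get` are assumptions; the abstract does not name an algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type BackingStore map[string][]byte // hypothetical stand-in for the storage service

type Proxy struct {
	aead  cipher.AEAD // the key lives only inside the proxy, never in the store
	store BackingStore
}

func NewProxy(key []byte, store BackingStore) (*Proxy, error) {
	block, err := aes.NewCipher(key) // key length selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Proxy{aead, store}, err
}

// Put stores nonce||ciphertext, with the object name bound as associated data.
func (p *Proxy) Put(name string, plaintext []byte) error {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	p.store[name] = p.aead.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Get decrypts what the store returns; altered or relocated blobs fail authentication.
func (p *Proxy) Get(name string) ([]byte, error) {
	blob, n := p.store[name], p.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("object %q missing or truncated", name)
	}
	return p.aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	p, _ := NewProxy(make([]byte, 32), BackingStore{}) // constructed all-zero demo key
	_ = p.Put("report.txt", []byte("quarterly numbers"))
	pt, err := p.Get("report.txt")
	fmt.Printf("stored=%x\nplaintext=%q err=%v\n", p.store["report.txt"], pt, err)
}
```

Because the object name is authenticated alongside the ciphertext, a store that swaps one object's blob for another's is detected at `Get`, not only one that alters bytes.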
28 Claims
1. A system, comprising:
a first data storage service comprising a plurality of data storage devices and a first web service interface configured to receive web service requests transmitted to the first web service interface, the first data storage service being configured to process the web service requests transmitted to the first web service interface using the plurality of data storage devices;
a second data storage service comprising a second web service interface, the second data storage service configured to operate as a proxy to the first data storage service by at least:
receiving, to the second web service interface, a request from a requestor to store data;
encrypting the data using a cryptographic key inaccessible to the first data storage service;
transmitting the encrypted data to the first data storage service for persistent storage on behalf of the requestor; and
maintain access to the cryptographic key while preventing access to the cryptographic key by the first data storage service.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system, comprising:
one or more processors; and
memory comprising computer executable instructions that, when executed by the one or more processors, cause the system to:
operate an application programming interface to which requests are submittable over a network;
for each first request of at least a plurality of requests submitted to the application programming interface, process the first request by at least:
using a key to perform one or more cryptographic operations on data involved in processing the first request; and
transmitting, across a network, a second request to a service that causes the service to perform one or more operations on the data in encrypted form, the service lacking access to the key and being configured to be independently capable of processing the first request.
Dependent claims: 9, 10, 11, 12, 13, 14, 15
16. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions,
receiving, from a requestor at a network address of the one or more computer systems, an application programming interface request to perform one or more operations; and
processing the application programming interface request by at least:
transmitting, over a network, a request to a service that is configured to be independently capable of performing the one or more operations, the request being configured to causes the service to perform one or more service operations on encrypted data, the encrypted data being encrypted under a key that is inaccessible to the service; and
using the key to perform one or more cryptographic operations in connection with the encrypted data.
Dependent claims: 17, 18, 19, 20, 21
22. One or more computer-readable storage media having collectively stored therein computer executable instructions that, when executed by one or more processors of a computer system, cause the computer system to:
provide an application programming interface accessible at a network address;
receive, at the application programming interface, an application programming interface request to perform one or more operations on a set of data;
fulfill the received request by, at least in part:
causing at least a subset of the set of data to be encrypted under a key kept inaccessible to a remote service;
utilizing the remote service to perform at least a subset of the one or more operations on the set of data such that, for the subset of the set of data, the remote service has access to the subset of the set of data only in encrypted form.
Dependent claims: 23, 24, 25, 26, 27, 28
Specification