VIRTUAL SERVICE PROVIDER ZONES

US 20150006890A1
Filed: 07/01/2013
Published: 01/01/2015
Est. Priority Date: 06/07/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a first data storage service comprising a plurality of data storage devices and a first web service interface configured to receive web service requests transmitted to the first web service interface, the first data storage service being configured to process the web service requests transmitted to the first web service interface using the plurality of data storage devices;

a second data storage service comprising a second web service interface, the second data storage service configured to operate as a proxy to the first data storage service by at least;

receiving, to the second web service interface, a request from a requestor to store data;

encrypting the data using a cryptographic key inaccessible to the first data storage service;

transmitting the encrypted data to the first data storage service for persistent storage on behalf of the requestor; and

maintain access to the cryptographic key while preventing access to the cryptographic key by the first data storage service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A service proxy services as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.

30 Citations

View as Search Results

28 Claims

1. A system, comprising:
- a first data storage service comprising a plurality of data storage devices and a first web service interface configured to receive web service requests transmitted to the first web service interface, the first data storage service being configured to process the web service requests transmitted to the first web service interface using the plurality of data storage devices;
  
  a second data storage service comprising a second web service interface, the second data storage service configured to operate as a proxy to the first data storage service by at least;
  
  receiving, to the second web service interface, a request from a requestor to store data;
  
  encrypting the data using a cryptographic key inaccessible to the first data storage service;
  
  transmitting the encrypted data to the first data storage service for persistent storage on behalf of the requestor; and
  
  maintain access to the cryptographic key while preventing access to the cryptographic key by the first data storage service.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein:
    - the first data storage service is implemented with computing resources in a first set of one or more facilities; and
      
      the second data storage service is implemented with computing resources in a second set of one or more facilities that is disjoint from the first set of one or more facilities.
  - 3. The system of claim 1, wherein both the first web service interface and the second web service interface are each publicly addressable interfaces in a public communications network.
  - 4. The system of claim 1, wherein the second data storage service is configured to encrypt the data without requiring the requestor to specify that the data should be encrypted.
  - 5. The system of claim 1, wherein the second data storage service is further configured to:
    - receive, to the second web service interface, a request to retrieve the data;
      
      obtain the encrypted data from the first data storage service;
      
      use the key to decrypt the encrypted data; and
      
      provide the decrypted data.
  - 6. The system of claim 1, wherein the first data storage service and second data storage service are implemented in different legal jurisdictions.
  - 7. The system of claim 1, wherein the first data storage service is configured to operate in accordance with a first set of regulations and the second data storage service is configured to operate in accordance in accordance with a second set of regulations that is different from the first set of regulations.

8. A system, comprising:
- one or more processors; and
  
  memory comprising computer executable instructions that, when executed by the one or more processors, cause the system to;
  
  operate an application programming interface to which requests are submittable over a network;
  
  for each first request of at least a plurality of requests submitted to the application programming interface, process the first request by at least;
  
  using a key to perform one or more cryptographic operations on data involved in processing the first request; and
  
  transmitting, across a network, a second request to a service that causes the service to perform one or more operations on the data in encrypted form, the service lacking access to the key and being configured to be independently capable of processing the first request.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein:
    - the system is operated as part of a first instance of a service type provided by a service provider; and
      
      the service is operated as part of a second instance of the service type provided by the service provider.
  - 10. The system of claim 8, wherein the application programming interface is a web service interface.
  - 11. The system of claim 8, wherein:
    - at least some of the plurality of requests are transmitted by different entities; and
      
      each different entity corresponds to an account of the service.
  - 12. The system of claim 8, wherein:
    - the executable instructions further cause the system to selectively determine whether to perform the one or more cryptographic operations when processing requests; and
      
      the plurality of requests are a subset of a set of requests processed by the system, the subset consisting of requests for which the system has selectively determined to perform the one or more cryptographic operations.
  - 13. The system of claim 8, wherein the executable instructions further cause the system to select the service from a plurality of services capable of being used in processing the first request.
  - 14. The system of claim 8, wherein:
    - the second request to the service causes the service to perform one or more operations on unencrypted data and provide, to the system, a result of performance of the one or more operations and the data in encrypted form;
      
      using the key to perform the one or more cryptographic operations includes decrypting the data in encrypted form; and
      
      the executable instructions further cause the system to perform one or more operations on a collection of data comprising the unencrypted data and the decrypted data.
  - 15. The system of claim 8, wherein the service is operated by a first organizational entity that is different from a second organizational entity that operates the system.

16. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, from a requestor at a network address of the one or more computer systems, an application programming interface request to perform one or more operations; and
  
  processing the application programming interface request by at least;
  
  transmitting, over a network, a request to a service that is configured to be independently capable of performing the one or more operations, the request being configured to causes the service to perform one or more service operations on encrypted data, the encrypted data being encrypted under a key that is inaccessible to the service; and
  
  using the key to perform one or more cryptographic operations in connection with the encrypted data.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The computer-implemented method of claim 16, wherein:
    - the one or more cryptographic operations include encryption of data to obtain the encrypted data; and
      
      the one or more service operations include persistent storage of the encrypted data.
  - 18. The computer-implemented method of claim 16, wherein the network address is a public Internet protocol address.
  - 19. The computer-implemented method of claim 16, wherein the method further comprises selecting the service from a plurality of services each independently capable of performing the one or more operations.
  - 20. The computer-implemented method of claim 16, wherein performing the one or more cryptographic operations includes transmitting, over the network to a cryptography service, a request that causes the cryptography service to perform one or more other cryptographic operations using cryptographic information that is inaccessible to both the one or more computer systems and the service.
  - 21. The computer-implemented method of claim 16, wherein the network address is associated with a string that is usable for obtaining the network address from a domain name service, the string being unassociated with a network address for the service by any domain name service.

22. One or more computer-readable storage media having collectively stored therein computer executable instructions that, when executed by one or more processors of a computer system, cause the computer system to:
- provide an application programming interface accessible at a network address;
  
  receive, at the application programming interface, an application programming interface request to perform one or more operations on a set of data;
  
  fulfill the received request by, at least in part;
  
  causing at least a subset of the set of data to be encrypted under a key kept inaccessible to a remote service;
  
  utilizing the remote service to perform at least a subset of the one or more operations on the set of data such that, for the subset of the set of data, the remote service has access to the subset of the set of data only in encrypted form.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The one or more computer-readable storage media of claim 22, wherein:
    - the network address is a public Internet protocol address; and
      
      utilizing the remote service includes transmitting a request to the remote service addressed to a public Internet protocol address of the remote service.
  - 24. The one or more computer-readable storage media of claim 22, wherein:
    - the application programming interface request is a request, from a requestor, to perform a requested operation; and
      
      the remote service is independently capable of performing the requested operation for the requestor.
  - 25. The one or more computer-readable storage media of claim 22, wherein:
    - the computer executable instructions further cause the computer system to analyze the application programming interface request to determine whether to restrict access by the remote service to the subset of the data in encrypted form; and
      
      the remote service only having access to the subset of the data in encrypted form as a result of determining to restrict access by the remote service to the subset of the data in encrypted form.
  - 26. The one or more computer-readable storage media of claim 25, wherein:
    - as a result of determining to restrict access by the remote service to the subset, the instructions further cause the computer system to determine, based at least in part on the analysis, an encryption key;
      
      restricting access by the remote service includes encrypting at least a portion of the subset using the determined encryption key.
  - 27. The one or more computer-readable storage media of claim 22, wherein:
    - the application programming interface request is from a requestor;
      
      a plurality of services that include the remote service are capable of being utilized by the computer system for fulfilling the application programming interface request; and
      
      the computer executable instructions further cause the computer system to select, from the plurality of services, the remote service based at least in part on a configuration setting specific to the requestor.
  - 28. The one or more computer-readable storage media of claim 22, wherein:
    - the computer executable instructions further cause the computer system to encrypt the subset of the set of data using the key; and
      
      utilizing the remote service to perform one or more operations includes submitting a storage request to the remote service to store the set of data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Brandwine, Eric Jason, Wren, Matthew James

Granted Patent

US 9,286,491 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6254   by anonymising data, e.g. d...

VIRTUAL SERVICE PROVIDER ZONES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

VIRTUAL SERVICE PROVIDER ZONES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links