DATA LOSS PREVENTION TECHNIQUES

US 20150019858A1
Filed: 07/01/2013
Published: 01/15/2015
Est. Priority Date: 06/07/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a first data storage service comprising a plurality of data storage devices and a first web service interface configured to receive web service requests transmitted to the first web service interface, the first data storage service being configured to process the web service requests transmitted to the first web service interface using the plurality of data storage devices;

a second data storage service comprising a second web service interface, the second data storage service configured to operate as a proxy to the first data storage service by at least;

receiving data in connection with a request, submitted to the second web service interface from a requestor, to store data;

analyzing the received data to generate a determination whether the received data satisfies one or more criteria of one or more data loss prevention policies;

processing the received request in accordance with the generated determination, wherein;

when the determination indicates that the received data satisfies the one or more criteria of the one or more data loss prevention policies, processing the received request includes;

using a key maintained inaccessible to the first data storage service to encrypt the received data; and

transmitting the encrypted received data to the second data storage service by submitting a second request to the first web service interface.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data received through a proxy for a service is analyzed for compliance with one or more data policies, such as one or more data loss prevention policies. When data satisfies the criteria of one or more data policies, the data is manipulated at the proxy prior to transmission of the data to the service. In some examples, the manipulation of the data includes encryption.

Citations

25 Claims

1. A system, comprising:
- a first data storage service comprising a plurality of data storage devices and a first web service interface configured to receive web service requests transmitted to the first web service interface, the first data storage service being configured to process the web service requests transmitted to the first web service interface using the plurality of data storage devices;
  
  a second data storage service comprising a second web service interface, the second data storage service configured to operate as a proxy to the first data storage service by at least;
  
  receiving data in connection with a request, submitted to the second web service interface from a requestor, to store data;
  
  analyzing the received data to generate a determination whether the received data satisfies one or more criteria of one or more data loss prevention policies;
  
  processing the received request in accordance with the generated determination, wherein;
  
  when the determination indicates that the received data satisfies the one or more criteria of the one or more data loss prevention policies, processing the received request includes;
  
  using a key maintained inaccessible to the first data storage service to encrypt the received data; and
  
  transmitting the encrypted received data to the second data storage service by submitting a second request to the first web service interface.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein, when the determination indicates that the one or more criteria of the one or more data loss prevention policies are unsatisfied by the received data, processing the received request includes submitting a third request to web service interface that causes the received data to be persistently stored by the first data storage service such that the data is retrievable, from the first data storage service in unencrypted form.
  - 3. The system of claim 1, wherein the one or more data loss prevention policies are configurable via the second web service interface.
  - 4. The system of claim 1, wherein the first web service interface has at least one public Internet protocol address.
  - 5. The system of claim 1, further comprising a cryptography service configured to maintain the key in a political jurisdiction outside of another legal jurisdiction in which the first data storage service is located.
  - 6. The system of claim 1, wherein the second storage service is further configured to:
    - receive, to the second web service interface, a third request to retrieve the data; and
      
      process the third request by at least;
      
      obtain the encrypted data from the first data storage service by submitting a fourth request to the first web service interface;
      
      using the key to decrypt the obtained encrypted data; and
      
      providing the decrypted obtained encrypted data.

7. A system, comprising:
- one or more processors; and
  
  memory including computer executable instructions that, when executed by the one or more processors, cause the system to;
  
  provide an application programming interface accessible at a network address;
  
  receive data in connection with requests to perform one or more operations submitted to the application programming interface;
  
  analyze the data to identify a subset of the data meeting one or more criteria of one or more data policies;
  
  modifying the subset of data in accordance with the one or more data policies; and
  
  transmit the modified subset of data to a remote service that is independently capable of processing requests to perform the one or more operations.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7, wherein the instructions further cause the system to perform at least one of:
    - providing one or more notifications corresponding to meeting the one or more criteria;
      
      or performing enhanced logging for the identified subset.
  - 9. The system of claim 7, wherein modifying the subset of data includes encrypting the subset of data.
  - 10. The system of claim 7, wherein the computer executable instructions further cause the system to:
    - receive, through the application programming interface, user-defined rules for modifying data; and
      
      modifying the data is performed in accordance with the user-defined rules.
  - 11. The system of claim 7, wherein:
    - analyzing the data includes detecting, in the data, one or more instances of a data type specified as sensitive; and
      
      the subset of the data includes the detected one or more instances of the data type specified as sensitive.
  - 12. The system of claim 7, wherein the computer executable instructions further cause the computer system to transmit a second subset of the received data to the remote service without modifying the second subset.
  - 13. The system of claim 7, wherein the computer executable instructions further cause the computer system to:
    - receive a second request whose fulfillment includes retrieval of the subset of the data;
      
      obtain the modified subset from the remote service; and
      
      reverse modifying the modified subset to regenerate the subset; and
      
      fulfill the second request using the regenerated subset.

14. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, at an application programming interface proxy to a remote service, a request to process data whose fulfillment involves utilization of the remote service;
  
  analyzing the data to generate a determination whether the data implicates one or more data policies; and
  
  processing the data in accordance with the generated determination, wherein processing the data includes modifying the data according to one or more implicated data policies of the one or more data policies prior to utilization of the remote service.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer-implemented method of claim 14, wherein modifying the data includes encrypting the data.
  - 16. The computer-implemented method of claim 14, wherein the request is received at a private Internet protocol address of the application programming interface proxy.
  - 17. The computer-implemented method of claim 14, wherein the request to process the data is a request to store the data.
  - 18. The computer-implemented method of claim 14, further comprising:
    - receiving, at the application programming interface proxy, one or more user-defined criteria for the one or more data policies; and
      
      generating the determination is based at least in part on the user-defined criteria.
  - 19. The computer-implemented method of claim 14, further comprising:
    - receiving, at the application programming interface, a second request to process second data whose fulfillment involves utilization of the remote service; and
      
      preventing the second data from being transmitted to the remote service as a result of the second data satisfying one or more criteria of the one or more data polities.

20. One or more computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a system, cause the system to:
- provide an application programming interface proxy to a remote service;
  
  cause enforcement of one or more data loss prevention policies on data received through the provided application programming interface proxy to the remote service, the enforcement including at least;
  
  identifying a subset of the received data that satisfies one or more data loss prevention criteria of the one or more data loss prevention policies; and
  
  performing one or more actions on the identified subset in accordance with the one or more data loss prevention criteria the one or more actions including modifying data in the identified subset and transmitting the modified data to the remote service.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The one or more computer-readable storage media of claim 20, wherein:
    - the system is operated by a computing resource service provider; and
      
      the application programming interface proxy is available to multiple customers of the computing resource service provider at one or more public network addresses.
  - 22. The one or more computer-readable storage media of claim 20, wherein the application programming interface proxy and remote service are implemented in separate facilities.
  - 23. The one or more computer-readable storage media of claim 20, wherein the one or more data loss prevention policies are programmatically configurable through the application programming interface proxy.
  - 24. The one or more computer-readable storage media of claim 20, wherein the application programming interface proxy and the remote service are accessible by different uniform resource locators.
  - 25. The one or more computer-readable storage media of claim 20, wherein modifying the data includes encrypting the data prior to transmission to the remote service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Brandwine, Eric Jason, Wren, Matthew James

Granted Patent

US 10,075,471 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

G06F 21/62   Protecting access to data v...

H04L 63/0471   applying encryption by an i...

H04L 63/06   for supporting key manageme...

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

DATA LOSS PREVENTION TECHNIQUES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

DATA LOSS PREVENTION TECHNIQUES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links