VIRTUAL SERVICE PROVIDER ZONES

US 20160196438A1
Filed: 03/14/2016
Published: 07/07/2016
Est. Priority Date: 06/07/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a first data storage service, implemented with computing resources in a first set facilities that is in a different jurisdiction from a second set of facilities operated by the a computing resource service provider, the first data storage service receiving web service requests and the first data storage service operates as a proxy by at least;

receiving, at a first web service interface of the first data storage service, a request from a requestor to store data;

encrypting the data using a cryptographic key to generate encrypted data, the cryptographic key inaccessible to an entity located in a particular facility of the second set of facilities, the first data storage service operates as the proxy for the entity; and

transmitting the encrypted data to the entity for persistent storage on behalf of the requestor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A service proxy services as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.

11 Citations

View as Search Results

20 Claims

1. A system, comprising:
- a first data storage service, implemented with computing resources in a first set facilities that is in a different jurisdiction from a second set of facilities operated by the a computing resource service provider, the first data storage service receiving web service requests and the first data storage service operates as a proxy by at least;
  
  receiving, at a first web service interface of the first data storage service, a request from a requestor to store data;
  
  encrypting the data using a cryptographic key to generate encrypted data, the cryptographic key inaccessible to an entity located in a particular facility of the second set of facilities, the first data storage service operates as the proxy for the entity; and
  
  transmitting the encrypted data to the entity for persistent storage on behalf of the requestor.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the entity further comprises a second data storage service, implemented with computing resources in the second set facilities and operated by the computing resource service provider, the second data storage service receiving web service requests transmitted to a second web service interface of the second data storage service.
  - 3. The system of claim 2, wherein the first data storage service operating as the proxy further comprises at least:
    - receiving, at the first web service interface, a second request from the requestor to retrieve the data;
      
      obtaining encrypted data from the second data storage service corresponding to the data;
      
      decrypting the encrypted data using the cryptographic key to generate the data; and
      
      providing the data in response to the request.
  - 4. The system of claim 2, wherein the first web service interface and the second web service interface are publicly addressable interfaces within a public communications network.
  - 5. The system of claim 1, wherein encrypting the data using the cryptographic key further comprises encrypting the data without a corresponding request from the requestor to encrypt the data.

6. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,implementing a first data storage service using computing resources in a first facility and operated by a computing resource service provider, where the first data storage service operates as a proxy to an entity in a different jurisdiction from the first facility by at least;
  
  receiving a request to store data;
  
  encrypting the data using a cryptographic key to obtain encrypted data, the cryptographic key inaccessible to the entity; and
  
  transmitting the encrypted data to the entity for persistent storage on behalf of a requestor.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The computer-implemented method of claim 6, wherein the computer-implemented method further comprises implementing a second data storage service using computing resources in a second facility that is in the different jurisdiction from the first facility and operated by the computing resource service provider;
    - andwherein the entity further comprises the second data storage service.
  - 8. The computer-implemented method of claim 7, wherein the first data storage service operating as a proxy further comprises at least:
    - receiving a second request indicating data to be provided to the requestor associated with the second request;
      
      obtaining, from the second data storage service, encrypted data associated with the data to be provided to the requestor;
      
      decrypting the encrypted data using the cryptographic key; and
      
      providing a result of decrypting the encrypted data to the requestor.
  - 9. The computer-implemented method of claim 7, wherein the first data storage service is operated by a different organizational entity than the second data storage service.
  - 10. The computer-implemented method of claim 6, wherein the request to store data further comprises an application programming interface request received at a web services front end of the first data storage service.
  - 11. The computer-implemented method of claim 10, wherein operating as the proxy further comprises determining to restrict access to the data based at least in part on an analysis of the application programming interface request.
  - 12. The computer-implemented method of claim 11, wherein encrypting the data using the cryptographic key further comprises encrypting the data based at least in part on the determination to restrict access to the data.
  - 13. The computer-implemented method of claim 6, wherein encrypting the data using the cryptographic further comprises transmitting, to a cryptography service, a request that causes the cryptography service to perform one or more cryptographic operations to encrypt the data.
  - 14. The computer-implemented method of claim 6, wherein the request is one of a plurality of requests, where at least a portion of the plurality of requests are transmitted by different users and where each user corresponds to an account of the first data storage service.

15. A set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to:
- execute a first data storage service with computing resources of a first facility that is in a first jurisdiction;
  
  operate the first data storage service as a proxy;
  
  receive a request to store data; and
  
  fulfill the request by at least;
  
  causing the first data storage service to obtain encrypted data, the encrypted data generated based at least in part on using a cryptographic key to encrypt the data, the cryptographic key is inaccessible to an entity for which the first data storage service is the proxy, the entity located in a second jurisdiction; and
  
  causing the first data storage service to transmit the encrypted data to the entity.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The set of one or more non-transitory computer-readable storage media of claim 15, wherein the instructions that cause the computer system to fulfill the request further include instructions that cause the computer system to analyze the request to determine that access to the data is restricted.
  - 17. The set of one or more non-transitory computer-readable storage media of claim 15, wherein the instructions that cause the computer system to obtain encrypted data further include instructions that cause the computer system to:
    - transmit an encryption request to a cryptography service for the cryptographic key; and
      
      encrypt the data using the cryptographic key.
  - 18. The set of one or more non-transitory computer-readable storage media of claim 15, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - receive a second request for data;
      
      fulfill the second request by at least;
      
      causing the first data storage service to obtain the encrypted data from the entity;
      
      causing the first data storage service to decrypt the encrypted data; and
      
      provide a result of decrypting the encrypted data in response to the second request.
  - 19. The set of one or more non-transitory computer-readable storage media of claim 18, wherein the instructions that cause the computer system to cause the first data storage service to decrypt the encrypted data further include instructions that cause the computer system to:
    - request a decryption key from a cryptography service, where the decryption key is associated with the encrypted data; and
      
      decrypt the encrypted data using the decryption key.
  - 20. The set of one or more non-transitory computer-readable storage media of claim 15, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to execute a second data storage service with computing resources of a second facility in the second jurisdiction, the second jurisdiction different from the first jurisdiction;
    - andwherein the entity further comprises the second data storage service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Brandwine, Eric Jason, Wren, Matthew James

Granted Patent

US 10,055,594 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6254   by anonymising data, e.g. d...

VIRTUAL SERVICE PROVIDER ZONES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

VIRTUAL SERVICE PROVIDER ZONES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links