POLICY MANAGEMENT FOR DATA MIGRATION
First Claim
1. A system, comprising:
- at least one processor; and
- memory including instructions that, when executed by the at least one processor, cause the system to:
  - receive, to a resource provider environment, a first data object from a user environment, the first data object including user data, a data tag, a policy, and an audit log, the data tag corresponding to the policy for the user data and causing the policy to be automatically applied to the first data object in the user environment, the audit log including a history of events relating to the user data;
  - determine that the policy is supported by, and is free of conflicts from other policies of, the resource provider environment;
  - cause the user data, the policy, the data tag, and the audit log to be stored to at least one data repository in the resource provider environment;
  - receive a request for at least a portion of the user data;
  - determine that a source of the request is authorized to receive the user data;
  - add information for the request to the audit log for the user data;
  - generate a second data object including the user data, the data tag, the policy, and the audit log; and
  - send the second data object to a destination specified by the request.
Abstract
A customer of a resource provider environment can apply policies at the data object level that will live with a data object during its lifecycle, even as the object moves across trusted boundaries. A customer can classify data, causing tags and/or predicates to be applied to the corresponding data object. Each tag corresponds to a policy, with predicates relating to various actions that can be performed on the data. A chain of custody is maintained for each data object, such that any changes to the object, tags, or policies for the data can be determined, as may be required for various audit processes. The support of such policies also enables the resource provider environment to function as an intermediary, whereby a third party can receive the data along with the tags, policies, and chain of custody as long as the environment trusts the third party to receive the data object.
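A minimal sketch of the flow in claim 1 and the abstract, added here as an illustration and not taken from the patent or any provider's implementation. The class and predicate names, the retention limit, and the SHA-256 hash chain used to make the chain of custody tamper-evident are all assumptions.

```python
# Added illustration; all names, predicates and the hash chain are assumptions.
import copy, hashlib, json
from dataclasses import dataclass, field
GENESIS = "0" * 64

@dataclass
class DataObject:                      # hypothetical shape of the claimed data object
    user_data: bytes
    data_tag: str
    policy: dict                       # predicate name -> value
    audit_log: list = field(default_factory=list)

def _digest(prev, event):
    return hashlib.sha256(json.dumps([prev, event], sort_keys=True).encode()).hexdigest()

def append_event(log, **event):
    """Append an event chained to the previous entry's digest (assumed design)."""
    prev = log[-1]["digest"] if log else GENESIS
    log.append({"event": event, "prev": prev, "digest": _digest(prev, event)})

def verify_chain(log):
    prev = GENESIS                     # fails if an entry was altered, removed or reordered
    for entry in log:
        if entry["prev"] != prev or entry["digest"] != _digest(prev, entry["event"]):
            return False
        prev = entry["digest"]
    return True

class Provider:
    SUPPORTED = {"readers", "retention_days"}   # predicates this provider can enforce
    MAX_RETENTION_DAYS = 365                    # provider's own policy (constructed)
    def __init__(self):
        self.repo = {}

    def receive(self, key, obj):
        if set(obj.policy) - self.SUPPORTED:
            raise ValueError("policy uses predicates this provider cannot enforce")
        if obj.policy.get("retention_days", 0) > self.MAX_RETENTION_DAYS:
            raise ValueError("policy conflicts with provider retention limit")
        if not verify_chain(obj.audit_log):
            raise ValueError("audit log failed integrity check")
        append_event(obj.audit_log, action="stored", actor="provider")
        self.repo[key] = obj

    def request(self, key, source):
        obj = self.repo[key]
        granted = source in obj.policy.get("readers", [])
        append_event(obj.audit_log, action="request", actor=source, granted=granted)
        if not granted:                          # denials are logged too (added choice)
            raise PermissionError(f"{source} is not authorized")
        return copy.deepcopy(obj)                # second data object: data, tag, policy, log
```

The object returned by `request` carries the full log, so a recipient can run `verify_chain` on it before trusting the recorded history.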
20 Claims
5. A computer-implemented method, comprising:
- receiving a data object from a first environment to a second environment, the second environment provided by a different entity than provides the first environment, the data object including data and a policy for managing access to the data;
- determining that storing the data to the second environment, and managing access to the data using the policy, complies with any related policies of the second environment;
- storing the data and the policy to the second environment;
- enforcing access to the data in the second environment per the policy; and
- adding information to an audit log for the data in response to access or actions taken with respect to the data.

Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
17. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computer system, cause the computer system to:
- determine a classification and at least one predicate for user data stored in a user environment, each predicate of the at least one predicate relating to an action capable of being performed with respect to the user data;
- automatically determine, based at least in part upon the classification and the at least one predicate, at least one data tag to be associated with the user data, each data tag of the at least one data tag associated with a respective policy of at least one policy to be associated with the user data;
- receive a request to transmit the user data for storage in a remote environment operated by a separate entity;
- generate a data object including at least the user data and the at least one policy; and
- transmit the data object to the remote environment.

Dependent claims: 18, 19, 20
Specification