POLICY MANAGEMENT FOR DATA MIGRATION

US 20170093913A1
Filed: 09/24/2015
Published: 03/30/2017
Est. Priority Date: 09/24/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

at least one processor; and

memory including instructions that, when executed by the at least one processor, cause the system to;

receive, to a resource provider environment, a first data object from a user environment, the first data object including user data, a data tag, a policy, and an audit log, the data tag corresponding to the policy for the user data and causing the policy to be automatically applied to the first data object in the user environment, the audit log including a history of events relating to the user data;

determine that the policy is supported by, and is free of conflicts from other policies of, the resource provider environment;

cause the user data, the policy, the data tag, and the audit log to be stored to at least one data repository in the resource provider environment;

receive a request for at least a portion of the user data;

determine that a source of the request is authorized to receive the user data;

add information for the request to the audit log for the user data;

generate a second data object including the user data, the data tag, the policy, and the audit log; and

send the second data object to a destination specified by the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A customer of a resource provider environment can apply policies at the data object level that will live with a data object during its lifecycle, even as the object moves across trusted boundaries. A customer can classify data, causing tags and/or predicates to be applied to the corresponding data object. Each tag corresponds to a policy, with predicates relating to various actions that can be performed on the data. A chain of custody is maintained for each data object, such that any changes to the object, tags, or policies for the data can be determined, as may be required for various audit processes. The support of such policies also enables the resource provider environment to function as an intermediary, whereby a third party can receive the data along with the tags, policies, and chain of custody as long as the environment trusts the third party to receive the data object.

Citations

20 Claims

1. A system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the system to;
  
  receive, to a resource provider environment, a first data object from a user environment, the first data object including user data, a data tag, a policy, and an audit log, the data tag corresponding to the policy for the user data and causing the policy to be automatically applied to the first data object in the user environment, the audit log including a history of events relating to the user data;
  
  determine that the policy is supported by, and is free of conflicts from other policies of, the resource provider environment;
  
  cause the user data, the policy, the data tag, and the audit log to be stored to at least one data repository in the resource provider environment;
  
  receive a request for at least a portion of the user data;
  
  determine that a source of the request is authorized to receive the user data;
  
  add information for the request to the audit log for the user data;
  
  generate a second data object including the user data, the data tag, the policy, and the audit log; and
  
  send the second data object to a destination specified by the request.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the first data object includes a set of tags, each tag of the set corresponding to at least one of:
    - a categorization of the data object, a respective policy of a set of policies for the data object, or a respective action capable of being performed with respect to the data object.
  - 3. The system of claim 2, wherein the instructions when executed further cause the system to:
    - determine, from the request, an intended action to be performed with respect to the user data, wherein determining that the source of the request is authorized to receive the user data includes determining whether the corresponding policy, of the set of policies, allows the intended action to be performed on the user data by the source of the request.
  - 4. The system of claim 2, wherein the instructions when executed further cause the system to:
    - determine a bucket in the resource provider environment to which to store the user data, the user data being stored separately from the policy; and
      
      determine at least one bucket policy associated with the bucket,wherein determining that the policy is free of conflicts from other policies of the resource provider environment includes determining that neither the user data nor the policy violate any bucket policy of the at least one bucket policy associated with the bucket.

5. A computer-implemented method, comprising:
- receiving a data object from a first environment to a second environment, the second environment provided by a different entity than provides the first environment, the data object including data and a policy for managing access to the data;
  
  determining that storing the data to the second environment, and managing access to the data using the policy, complies with any related policies of the second environment;
  
  storing the data and the policy to the second environment;
  
  enforcing access to the data in the second environment per the policy; and
  
  adding information to an audit log for the data in response to access or actions taken with respect to the data.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 6. The computer-implemented method of claim 5, further comprising:
    - receiving a request for at least a portion of the data;
      
      determining that a source of the request is authorized, per the policy, to receive the data;
      
      adding information for the request to the audit log for the user data;
      
      generating a second data object including the data, the policy, and the audit log; and
      
      sending the second data object to a destination specified by the request.
  - 7. The computer-implemented method of claim 6, further comprising:
    - extracting the policy and the audit log from an envelope of the data object, the data and a data tag included in the envelope, wherein generating the second data object further includes placing the data in a second envelope and including the policy and the audit log in the second envelope.
  - 8. The computer-implemented method of claim 5, further comprising:
    - causing the policy to be stored to a policy repository managed by a policy engine, the policy engine responsible for enforcing the policy in the second environment, a set of policies stored to the policy repository each corresponding to a standardized policy format.
  - 9. The computer-implemented method of claim 5, further comprising:
    - determining that the policy is immutable; and
      
      preventing modification of the policy or specification of a new policy for the data.
  - 10. The computer-implemented method of claim 5, further comprising:
    - receiving a request to modify the policy, the policy being mutable;
      
      determining that a source of the request is authorized to modify the policy;
      
      updating the policy per the request; and
      
      updating the audit log to reflect modification of the policy.
  - 11. The computer-implemented method of claim 5, further comprising:
    - storing a set of policies received with the data object, wherein a corresponding policy to enforce from the set of policies is based at least in part upon an expressed intended action to be performed with respect to the data.
  - 12. The computer-implemented method of claim 5, further comprising:
    - storing, in the second environment, either (1) a respective policy for each data object stored in the second environment or (2) a set of standardized policies which tags for data objects stored by the second objects can identify.
  - 13. The computer-implemented method of claim 5, further comprising:
    - causing the policy to remain associated with, and enforced on, the data regardless of movement of the data within the second environment.
  - 14. The computer-implemented method of claim 5, further comprising:
    - verifying a digital signature on the policy before enforcing the policy on the data in the second environment.
  - 15. The computer-implemented method of claim 5, further comprising:
    - receiving a request for the data by an application in the first environment or a third environment;
      
      generating a second data object including the data, the policy, and the audit log, the data being encrypted under a credential available to the second environment;
      
      sending the second data object to a destination specified by the request;
      
      receiving a subsequent request to access the data included in the second data object;
      
      determining, based on information for the subsequent request, that the intended use for the data complies with the policy; and
      
      providing a temporary credential enabling the data to be decrypted for a period of time.
  - 16. The computer-implemented method of claim 15, wherein the temporary credential is provided to an intermediate application configured to decrypt the data using the temporary credential and provide the decrypted data to the application associated with the request.

17. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computer system, cause the computer system to:
- determine a classification and at least one predicate for user data stored in a user environment, each predicate of the at least one predicate relating to an action capable of being performed with respect to the user data;
  
  automatically determine, based at least in part upon the classification and the at least one predicate, at least one data tag to be associated with the user data, each data tag of the at least one data tag associated with a respective policy of at least one policy to be associated with the user data;
  
  receive a request to transmit the user data for storage in a remote environment operated by a separate entity;
  
  generate a data object including at least the user data and the at least one policy; and
  
  transmit the data object to the remote environment.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein the instructions when executed further cause the computer system to:
    - generate an audit log for the user data, the audit log containing information regarding changes and access to the user data; and
      
      include the audit log in the data object transmitted to the remote environment.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein:
    - the audit log further includes information regarding changes and access to the at least one policy and the at least one data tag.
  - 20. The non-transitory computer-readable storage medium of claim 17, wherein the instructions when executed further cause the computer system to:
    - specify whether each tag associated with the user data is mutable or immutable, a mutable tag modifiable only by a trusted and authorized entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Summers, Carl Wesley, Nadal, Jonathan Jorge, Gattu, Praveen Kumar, Gillani, Syed Omair Zafar

Granted Patent

US 10,645,120 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6236   between heterogeneous systems

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2107   File encryption

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/08   for authentication of entit...

H04L 63/0846   using time-dependent-passwo...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

POLICY MANAGEMENT FOR DATA MIGRATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

POLICY MANAGEMENT FOR DATA MIGRATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links