Network vaults
Abstract
A system for secure data storage, exchange and/or sharing through a protected central storage facility, containing at least one “network vault” to which access is controlled through a single data access channel. The network vault is similar to a physical safe, in that substantially any type of information can be stored in the network vault, and in that the user need only place the information inside the network vault for the information to be secured. Thus, the system of the present invention combines the flexibility of data storage and retrieval through a network, with the security of controlled access for data storage and retrieval at a fixed physical location. The restriction of data access through a single data access channel greatly simplifies the task of protecting access to the data, since only this single channel must be monitored for unauthorized access, rather than monitoring many such channels (or interfaces). Also, the present invention enables data to be exchanged between two users and/or networks which do not trust each other, again by only permitting access to the stored data through the single data access channel, rather than by attempting to filter communication between the two parties. Thus, the present invention is able to provide security without declarations, since the data is moved into the security system, rather than attempting to impose the security system over an existing data access system.
356 Citations
32 Claims
1. A system for enabling secured data storage and data utilization, said system comprising:
a. a dedicated server computer with a sterile environment such that the only software code that is executable on said dedicated server computer is a network vault security software system;
b. a hardware storage device for storing data, said hardware storage device being accessible only by said dedicated server computer;
c. said network vault security software system, such that said security software system is installed on said dedicated server computer, for providing secure access to said data, said security software system includes an integrated multi-layer security mechanism for securing said data, and a server software mechanism for providing a set of services for managing and utilizing said data;
d. a single data access channel within said sterile environment, such that said single data access channel ensures that only said network vault security software system is permitted to be operated by said dedicated server computer, and such that communication with said dedicated server computer is achievable only through said network vault security software system;
e. a network for connecting at least one user to said secured data storage and data utilization system; and
f. client software for communicating with said network vault security software system through said single data access channel, said client software operating on at least one user computer, said user computer operable to connect to said network.
a. a virtual private network mechanism (VPN) for providing a secured communication channel between said security software system on said dedicated server computer and said client software on said user computer;
b. a packet filter dedicated firewall for preventing any type of packet exchange with said dedicated server computer, other than communication with said security software system in said dedicated server computer;
c. an authentication security layer for providing a two-way authentication hand-shake process between said security software system on said dedicated server computer and said user using said client software on said user computer;
d. an access control security layer for providing controlled access to said data stored on said hardware storage device, such that said access is provided to said user only if said user is authenticated by said authentication security layer, and only if said user is permitted said access according to an access authorization list, such that said access to said data is permitted only through said single data access channel; and
e. an encryption layer for encrypting and decrypting said data in said storage device, and for encrypting and decrypting data communicated between said dedicated server computer and said user computer.
-
-
5. The system of claim 4, wherein said authentication layer authenticates said user according to a user identifier, said user identifier is selected from a group of identifiers consisting of a password, a key diskette, biometric information and a smart card.
-
6. The system of claim 4, wherein said access control security layer further provides controlled access to said data, such that said access to said data is provided to said user only after a predefined period of delay, such that a user request to access said data is notified to a predefined plurality of users before said access to said data is permitted.
-
7. The system of claim 4, wherein said access control security layer further provides controlled access to said data, such that said access to said data is provided to said user only after an approval of said access by at least one user of a predefined plurality of users that must approve said access to said data.
-
8. The system of claim 4, wherein said access control security layer further provides controlled access to said data, such that said access to said data is provided to said user only if a predefined plurality of users are collectively connected to said network vault security system, such that said access is notified to all of said plurality of users.
-
9. The system of claim 1, wherein said network vault security software system further provides a history repository, such that said history repository is stored by said network vault security software system on said hardware storage device.
-
10. The system of claim 9, wherein said history repository includes records of all access attempts to said data, such that each said record cannot be deleted from said history repository for a predetermined period of time.
-
11. The system of claim 9, wherein said history repository includes all versions of said data, such that each said data version cannot be deleted from said history repository for a predetermined period of time.
-
12. The system of claim 9, wherein said history repository is continuously updated and changes in said history repository are automatically sent as alerts to all relevant users, such that no periodic polling of the system is required.
-
13. The system of claim 1, wherein said server software mechanism further comprises:
-
(1) a network interface for communicating with said client software, said network interface receives packets from said network and sends packets to said network; and
(2) a packet filter for forming said single data access channel in combination with said network interface, said packet filter filtering said packets received from said network according to a destination address, such that if said packets do not feature said destination address, said packets are dropped.
-
-
14. The system of claim 13, wherein said destination address includes a network address of said dedicated server computer.
-
15. The system of claim 13, wherein said destination address includes a transport address of said network vault security software system.
-
16. The system of claim 13, wherein said server software further comprises:
-
(3) a transaction gateway software module for receiving said packets from said packet filter and for receiving said data from said network vault; and
(4) an encryption software module for decrypting said packets received by said transaction gateway software module and for encrypting said data received by said transaction gateway software module.
-
-
17. The system of claim 13, wherein said server software further comprises:
(5) a transaction manager software module for receiving said decrypted packets from said transaction gateway software module and for determining at least one access request to access said data in said network vault from said decrypted packets.
-
18. The system of claim 13, wherein said server software further comprises:
(6) a security module for determining if said at least one access request to access said data in said network vault by said user is permitted.
-
19. The system of claim 18, wherein said security module determines if said at least one access request is permitted, according to said access control security layer of said network vault security software system.
-
20. The system of claim 13, wherein said server software further comprises:
(7) a unique file system for organizing said data on said hardware storage device according to a unique organization, such that said data is accessible only according to said unique organization.
-
21. The system of claim 20 wherein said data is organized as a plurality of clusters such that a logical order of said plurality of clusters on said network vault differs from a physical order of said plurality of clusters on said hardware storage device, and wherein said server software further comprises:
-
(8) a unique file system mapping table to map said logical order of said plurality of clusters on said network vault to said physical order of said plurality of clusters on said hardware storage device; and
(9) a virtual disk driver for accessing said data through said unique file system according to at least one data access request, said virtual disk driver accessing said data only if said at least one data access request contains a logical address for at least one of said plurality of clusters matching a physical address for said at least one of said plurality of clusters, according to said unique file system mapping table.
-
-
22. The system of claim 21, wherein said unique file system mapping table is stored on a removable storage medium external to said hardware storage device, such that when said removable storage medium is removed, said logical order of said plurality of clusters remains unknown.
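Added example, not the patent's own code: a Python model of the cluster mapping table and virtual disk driver of claims 21 and 22. The cluster size, the seed that stands in for the removable medium holding the table, and the sample file are constructed assumptions.

```python
import random

CLUSTER_SIZE = 4  # constructed: tiny clusters keep the example readable


def split_into_clusters(data: bytes, size: int = CLUSTER_SIZE) -> list:
    """Zero-pad the file to a whole number of clusters and slice it."""
    padded = data + b"\x00" * (-len(data) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]


def make_mapping_table(n_clusters: int, seed: int) -> dict:
    """Claim 21: the mapping table is a permutation from logical cluster
    index to physical slot. The seed stands in for the removable medium of
    claim 22: whoever holds it can rebuild the table, nobody else can."""
    physical = list(range(n_clusters))
    random.Random(seed).shuffle(physical)
    return dict(enumerate(physical))


def write_vault(data: bytes, table: dict) -> list:
    """Lay the clusters on the storage device in the shuffled physical
    order, so the raw device no longer reads as the original file."""
    clusters = split_into_clusters(data)
    disk = [b""] * len(clusters)
    for logical, physical in table.items():
        disk[physical] = clusters[logical]
    return disk


def virtual_disk_read(disk: list, table: dict, logical: int, physical: int):
    """Claim 21(9): the virtual disk driver serves a request only if the
    logical address it names maps to the physical address it names."""
    if table.get(logical) != physical:
        return None  # mismatched request: no data leaves the vault
    return disk[physical]


def read_file(disk: list, table: dict) -> bytes:
    """Reassemble the file in logical order through the mapping table."""
    return b"".join(virtual_disk_read(disk, table, lg, ph)
                    for lg, ph in sorted(table.items()))


# Constructed sample: a 64-byte "file" (16 clusters) and a secret seed.
SAMPLE = bytes(range(64))
TABLE = make_mapping_table(len(SAMPLE) // CLUSTER_SIZE, seed=2024)
DISK = write_vault(SAMPLE, TABLE)
```

Reading the device in physical order (`b"".join(DISK)`) gives scrambled clusters; only a reader holding the table recovers the logical order.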
-
23. The system of claim 1, wherein said single data access channel further comprises:
-
a. a system hook for preventing any additional software code from being operated by said dedicated server computer, to prevent installation and execution of a rogue software program for accessing said data; and
b. a packet filter which acts as a gatekeeper for said single data access channel, said packet filter blocks any communication with said dedicated server computer other than communication with said security software system, such that incoming packets are permitted only if said packets are targeted to said security software system on said dedicated server computer, and such that outgoing packets are permitted only if said packets are being sent from said security software system on said dedicated server computer.
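Added example, not the patent's own code: a Python model of the packet-filter gatekeeper of claims 13 to 15 and 23(b), which also yields the network separation of claim 27 (a packet addressed to anything but the vault software is dropped). The addresses and sample packets are constructed.

```python
from dataclasses import dataclass

# Constructed addresses: the dedicated server's network address (claim 14)
# and the transport address the vault software listens on (claim 15).
VAULT_IP = "10.0.0.5"
VAULT_PORT = 8443


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def permit_inbound(pkt: Packet) -> bool:
    """Claims 13-15 and 23(b): an incoming packet passes only if it is
    addressed to the vault software on the dedicated server. Any other
    port on the server, and any other host (claim 27: a packet bound for
    the other network), is dropped without a reply."""
    return pkt.dst_ip == VAULT_IP and pkt.dst_port == VAULT_PORT


def permit_outbound(pkt: Packet) -> bool:
    """Claim 23(b): an outgoing packet passes only if the vault software
    itself sent it, so no other process on the server can talk out."""
    return pkt.src_ip == VAULT_IP and pkt.src_port == VAULT_PORT


def filter_packets(packets: list, direction: str) -> list:
    """Apply the gatekeeper rule and return only the permitted packets."""
    rule = {"in": permit_inbound, "out": permit_outbound}[direction]
    return [p for p in packets if rule(p)]


# Constructed sample traffic from a client on 192.0.2.10.
INBOUND = [
    Packet("192.0.2.10", 51000, VAULT_IP, VAULT_PORT),    # to the vault: permitted
    Packet("192.0.2.10", 51001, VAULT_IP, 22),            # another service on the server: dropped
    Packet("192.0.2.10", 51002, "10.0.0.6", VAULT_PORT),  # another host: dropped
]
OUTBOUND = [
    Packet(VAULT_IP, VAULT_PORT, "192.0.2.10", 51000),    # vault reply: permitted
    Packet(VAULT_IP, 40000, "198.51.100.7", 80),          # other process on the server: dropped
]
```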
-
-
24. The system of claim 1, wherein said network connects at least one additional user computer to the secured data storage and data utilization system, said additional user computer being operated by at least one additional user, such that said additional user is authenticated by said authentication security layer, said user and said additional user are permitted access to said data in said network vault according to said access control security layer, such that said user and said additional user securely exchange data through said network vault, without requiring communication between said user computer and said additional user computer.
-
25. The system of claim 24, wherein at least one user is notified by said network vault security software system when said at least one additional user accesses said data on said network vault.
-
26. The system of claim 24, wherein at least one user is immediately notified by said network vault when said additional user accesses said data of said network vault, such that no periodic polling of the system is required.
-
27. The system of claim 1, wherein the system further comprises:
a. an additional network for connecting at least one additional user to the secured data storage and data utilization system, such that at least one additional user computer is connected to said additional network, said additional user computer being operated by an additional user, said additional user is authenticated by said authentication security layer, said user and said additional user are permitted access to said data in said network vault according to said access control security layer, wherein said packet filter firewall prevents any packet exchange between said network and said additional network, such that said user and said additional user securely exchange data through said network vault, without requiring communication between said network and said additional network.
-
28. The system of claim 1, wherein said client software further comprises:
-
(A) a limited API (application programming interface) for interacting with said server software, such that only said API interacts with said server software, said API providing at least one service for accessing said data, such that said access to said data is provided through said single data access channel; and
(B) at least one user software program for interacting with said user and said API to access said data.
-
-
29. The system of claim 1, wherein said client software further comprises:
(C) a RAM (random access memory) disk for receiving said data from said server software and for temporarily storing said data.
-
30. The system of claim 1, wherein said client software further comprises:
(D) a data replicator software module for providing data replication between at least two network vault systems, for providing higher availability of said data stored on said at least two network vault systems.
-
31. The system of claim 1, wherein said client software further comprises:
(E) a data splitter software module for splitting at least one file between at least two network vault systems, such that said file is mathematically split into a plurality of parts, such that each said part is meaningless without all other said parts of said file, such that each said part is stored on a different said network vault system, such that access to said file requires all said parts of said file from said at least two network vault systems.
-
32. The system of claim 31, wherein said data splitter software module further comprises the steps of:
-
(a) producing a plurality of pseudorandom bytes corresponding to a length of said at least one file;
(b) performing a reversible mathematical operation on said plurality of pseudorandom bytes and said at least one file to obtain a resultant file combination; and
(c) storing said resultant file combination and said plurality of pseudorandom bytes on different said network vault systems, such that said at least one file is accessible only if said at least one file is obtained from said resultant file combination and said plurality of pseudorandom bytes, according to said reversible mathematical operation.
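Added example, not the patent's own code: the data splitter of claim 32 in Python, with XOR as the reversible operation, generalised from two vaults to n vaults. The sample file is constructed.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """The reversible operation of claim 32(b): XOR is its own inverse."""
    if len(a) != len(b):
        raise ValueError("parts must have the file's length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_file(data: bytes, n_vaults: int = 2) -> list:
    """Claim 32(a)-(c), generalised from two vaults to n: draw n-1 random
    parts the length of the file, and make the last part the file XORed
    with all of them. Each part on its own is uniformly random, so it is
    meaningless without every other part; store each on a different vault."""
    if n_vaults < 2:
        raise ValueError("splitting needs at least two vaults")
    # secrets.token_bytes is the OS CSPRNG; the claim only asks for
    # pseudorandom bytes, but a predictable generator would defeat the split.
    parts = [secrets.token_bytes(len(data)) for _ in range(n_vaults - 1)]
    last = bytes(data)
    for part in parts:
        last = xor_bytes(last, part)
    return parts + [last]


def combine_parts(parts: list) -> bytes:
    """Retrieve the file by XORing every part back together (any order)."""
    out = bytes(len(parts[0]))
    for part in parts:
        out = xor_bytes(out, part)
    return out


# Constructed sample file contents.
SAMPLE = b"constructed sample file: vault test payload 0001"
```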
-
Specification