Systems and methods for management of secure data in cloud-based network

US 8,108,912 B2
Filed: 05/29/2008
Issued: 01/31/2012
Est. Priority Date: 05/29/2008
Status: Active Grant

First Claim

Patent Images

1. A method of accessing data, comprising:

identifying a process instantiated in a cloud;

receiving, from at least one instantiated virtual machine in a cloud-based network, a request to access secure data;

translating the request to locate the secure data in a secure data store hosted in an on-premise network;

retrieving the secure data from the secure data store;

encoding the secure data to generate protected secure data; and

transmitting the protected secure data from the secure data store of the on-premise network to the at least one instantiated virtual machine in the cloud-based network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments relate to systems and methods for the management of secure data in a cloud-based network. A secure data store can store sensitive or confidential data, such as account numbers, social security numbers, medical or other information in an on-premise data facility. Regulatory and/or operational requirements may prohibit the migration or unprotected transmission of the secure data to the cloud. An operator can instantiate a set of virtual machines to access and process the secure data, for example to process online purchase transactions. To prevent unauthorized disclosure of the secure data, the secure data store can receive data access requests via a translation module that translates the secure data. The secure data store can retrieve and transmit the secure data using a protection mechanism such as a masking and/or encryption mechanism, avoiding the unprotected transport or exposure of that data to the cloud.

Citations

29 Claims

1. A method of accessing data, comprising:
- identifying a process instantiated in a cloud;
  
  receiving, from at least one instantiated virtual machine in a cloud-based network, a request to access secure data;
  
  translating the request to locate the secure data in a secure data store hosted in an on-premise network;
  
  retrieving the secure data from the secure data store;
  
  encoding the secure data to generate protected secure data; and
  
  transmitting the protected secure data from the secure data store of the on-premise network to the at least one instantiated virtual machine in the cloud-based network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the translating comprises translating an address into a secure data table.
  - 3. The method of claim 1, wherein the receiving, translating, retrieving, encoding, and transmitting are performed by a cloud management system.
  - 4. The method of claim 3, wherein the secure data store is co-located with the cloud management system.
  - 5. The method of claim 3, wherein the secure data store is located external to the cloud management system.
  - 6. The method of claim 1, wherein the encoding of the secure data comprises at least one of masking the secure data and encrypting the secure data.
  - 7. The method of claim 1, further comprising decoding the protected secure data in the at least one instantiated virtual machine to generate decoded secure data.
  - 8. The method of claim 7, further comprising operating on the decoded secure data the at least one instantiated virtual machine.
  - 9. The method of claim 8, further comprising transmitting updated secure data from the at least one instantiated virtual machine to the secure data store.
  - 10. The method of claim 1, wherein at least one instantiated virtual machine comprises a migrated image of an on-premise machine.
  - 11. The method of claim 1, wherein the secure data comprises at least one of user identification data, account data, medical data, technical data, and financial data.

12. A system for managing access to data, comprising:
- a first interface to at least one instantiated virtual machine in a cloud-based network; and
  
  a management module, comprising a processor communicating with memory and with the at least one instantiated virtual machine via the first interface, the management module being configured to —
  
  receive a request for secure data from the at least one instantiated virtual machine,translate the request to locate the secure data in a secure data store hosted in an on-premise network,retrieve the secure data from the secure data store,encode the secure data to generate protected secure data, andtransmit the protected secure data from the secure data store of the on-premise network to the at least one instantiated virtual machine in the cloud-based network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the translating comprises translating an address into a secure data table.
  - 14. The system of claim 12, wherein the management module resides in a cloud management system.
  - 15. The system of claim 14, wherein the secure data store is co-located with the cloud management system.
  - 16. The system of claim 14, wherein the secure data store is located external to the cloud management system.
  - 17. The system of claim 12, wherein the management module is further configured to encode the secure data by at least one of masking the secure data and encrypting the secure data.
  - 18. The system of claim 12, wherein the management module is further configured to decode the protected secure data in the at least one instantiated virtual machine to generate decoded secure data.
  - 19. The system of claim 18, wherein the decoded secure data is operated on in the at least one instantiated virtual machine.
  - 20. The system of claim 19, wherein updated secure data is transmitted from the at least one instantiated virtual machine to the secure data store.
  - 21. The system of claim 12, wherein at least one instantiated virtual machine comprises a migrated image of an on-premise machine.
  - 22. The system of claim 12, wherein the secure data comprises at least one of user identification data, account data, medical data, technical data, and financial data.

23. A non-transitory computer-readable medium, the computer-readable medium being readable to execute a method of managing access to data, the method comprising:
- receiving a request to access secure data from at least one instantiated virtual machine in a cloud-based network;
  
  translating the request to locate the secure data in a secure data store hosted in an on-premise network;
  
  retrieving the secure data from the secure data store;
  
  encoding the secure data to generate protected secure data; and
  
  transmitting the protected secure data from the secure data store of the on-premise network to the at least one instantiated virtual machine in the cloud-based network.

24. A method of storing a set of secure data in an on-premise network, the method comprising:
- receiving a request to store secure data received from at least one instantiated virtual machine in a cloud-based network;
  
  generating a location in a secure data store hosted in the on-premise network in which to store the set of secure data;
  
  encoding the set of secure data to generate protected secure data; and
  
  transmitting the protected secure data from the at least one instantiated virtual machine in the cloud-based network to the secure data store in the on-premise network.
- View Dependent Claims (25, 26, 27, 28, 29)
- - 25. The method of claim 24, wherein the generating comprises generating an address in a secure data table.
  - 26. The method of claim 24, wherein the encoding comprises at least one of masking the secure data and encrypting the secure data.
  - 27. The method of claim 24, wherein the method further comprises:
    - extracting the protected secure data from the secure data store,transmitting the protected secure data to the at least one instantiated virtual machine, anddecoding the protected secure data in the at least one instantiated virtual machine to generate decoded secure data.
  - 28. The method of claim 27, wherein the method further comprises operating on the decoded secure data in the at least one instantiated virtual machine.
  - 29. The method of claim 24, wherein the secure data comprises at least one of user identification data, account data, medical data, technical data, and financial data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Ferris, James Michael
Primary Examiner(s)
EL HADY, NABIL M

Application Number

US12/129,341
Publication Number

US 20090300719A1
Time in Patent Office

1,342 Days
Field of Search

726/3, 726/27, 713/171, 713/189, 709/201, 709/226
US Class Current

726/3
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/606   by securing the transmissio...

G06F 21/6245   Protecting personal data, e...

G06Q 20/02   involving a neutral party, ...

G06Q 20/389   Keeping log of transactions...

H04L 63/0428   wherein the data content is...

H04L 67/10   in which an application is ...

Systems and methods for management of secure data in cloud-based network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for management of secure data in cloud-based network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links