Systems and methods for securely managing access to data
Abstract
A computer-implemented method for securely managing access to data may comprise identifying a request to access data that is encrypted, the request being made within an insecure platform. The method may: determine that a requestor has a right to access the data, decrypt the data to provide decrypted data, and permit a secure platform to access the decrypted data. A computer-implemented method for securely managing access to data may comprise identifying a request to access data that is encrypted, the request being made within an insecure platform. The method may: submit the request to a policy server, receive permission from the policy server to access the data, decrypt the data to provide decrypted data, and permit a secure platform to access the decrypted data. A system for securely managing access to data may comprise: an authorization platform, an authentication module, a policy-enforcement module, and a cryptography module.
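The flow in the abstract, sketched as an added illustration that is not part of the patent: a request from the insecure platform carries authentication information, the authorization platform checks it against policy, and the plaintext is handed to the secure platform rather than returned to the requester. All names are hypothetical; plain objects stand in for the virtual machines, a dictionary for the policy server, an HMAC tag for the authentication information, and a SHA-256 keystream for a real cipher.

```python
import hashlib
import hmac

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode) so the example needs only the stdlib.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def make_proof(user_key: bytes, user: str, object_id: str) -> bytes:
    # Authentication information attached to the request (constructed scheme).
    return hmac.new(user_key, f"{user}|{object_id}".encode(), hashlib.sha256).digest()

class SecurePlatform:
    # Models the first secure VM: the only place plaintext is delivered.
    def __init__(self):
        self.received = {}

class AuthorizationPlatform:
    # Models the second secure VM: holds keys, verifies proofs, applies policy.
    def __init__(self, data_key, user_keys, policy, store, secure_platform):
        self.data_key = data_key
        self.user_keys = user_keys   # user -> MAC key
        self.policy = policy         # user -> allowed object ids (policy-server stand-in)
        self.store = store           # object id -> ciphertext
        self.secure = secure_platform

    def handle(self, user, object_id, proof):
        # Called from the insecure platform; returns a status, never plaintext.
        key = self.user_keys.get(user)
        if key is None or not hmac.compare_digest(proof, make_proof(key, user, object_id)):
            return "denied: bad proof"
        if object_id not in self.policy.get(user, set()):
            return "denied: policy"
        plaintext = keystream_xor(self.data_key, self.store[object_id])
        self.secure.received[object_id] = plaintext
        return "granted: opened on secure platform"

def demo():
    # Constructed sample keys, users and document.
    data_key, alice_key, bob_key = b"k" * 32, b"a" * 32, b"b" * 32
    secure = SecurePlatform()
    store = {"doc1": keystream_xor(data_key, b"quarterly figures")}
    ap = AuthorizationPlatform(data_key, {"alice": alice_key, "bob": bob_key},
                               {"alice": {"doc1"}}, store, secure)
    ok = ap.handle("alice", "doc1", make_proof(alice_key, "alice", "doc1"))
    forged = ap.handle("alice", "doc1", b"\x00" * 32)
    unauthorized = ap.handle("bob", "doc1", make_proof(bob_key, "bob", "doc1"))
    return ok, forged, unauthorized, secure.received
```

The requester only ever sees the status string; the decrypted bytes exist solely in `SecurePlatform.received`, which is the separation the claims place behind the hypervisor boundary.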
17 Claims
1. A computer-implemented method for securely managing access to data, the method comprising:
identifying a request to access encrypted data, the request being made by an application running on an insecure platform;
determining that a requestor has a right to access the encrypted data;
decrypting the encrypted data to provide decrypted data;
in response to identifying the request to access encrypted data and determining that the requestor has the right to access the encrypted data, permitting a secure platform to access the decrypted data, wherein;
an authorization platform performs at least one of the steps of identifying, including, submitting, receiving, decrypting, and permitting;
the insecure platform comprises an insecure virtual machine;
the secure platform comprises a first secure virtual machine;
the authorization platform comprises a second secure virtual machine;
a hypervisor manages the insecure virtual machine, the first secure virtual machine, and the second secure virtual machine;
the authorization platform comprises a proof-carrying authorization platform that facilitates authentication information being included with the request to access the encrypted data.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer-implemented method for securely managing access to data, the method comprising:
identifying a request to access encrypted data, the request being made by an application running on an insecure platform;
submitting the request to a policy server;
receiving permission from the policy server to access the encrypted data;
decrypting the encrypted data to provide decrypted data;
instead of permitting the decrypted data to be accessed via the insecure platform from which the data was requested, permitting a secure platform to access the decrypted data, wherein;
an authorization platform performs at least one of the steps of identifying, submitting, receiving, decrypting, and permitting;
the insecure platform comprises an insecure virtual machine;
the secure platform comprises a first secure virtual machine;
the authorization platform comprises a second secure virtual machine;
a hypervisor manages the insecure virtual machine, the first secure virtual machine, and the second secure virtual machine;
the authorization platform comprises a proof-carrying authorization platform that facilitates authentication information being included with the request to access the encrypted data.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16
17. A system for securely managing access to data, the system comprising:
an authorization platform programmed to receive a data-access request from an insecure platform;
an authentication module in communication with the authorization platform, the authentication module being programmed to provide identity information of a user;
a policy-enforcement module in communication with the authorization platform, the policy-enforcement module being programmed to use the identity information to determine whether to approve the data-access request;
a cryptography module programmed to decrypt data identified by the data-access request to allow the data to be accessed on a secure platform instead of permitting the decrypted data to be accessed via the insecure platform from which the data was requested, wherein;
the insecure platform comprises an insecure virtual machine;
the secure platform comprises a first secure virtual machine;
the authorization platform comprises a second secure virtual machine;
a hypervisor manages the insecure virtual machine, the first secure virtual machine, and the second secure virtual machine;
the authorization platform comprises a proof-carrying authorization platform that facilitates authentication information being included with the data-access request.
Specification