Method and system for ensuring compliance in public clouds using fine-grained data ownership based encryption

US 8,566,578 B1
Filed: 02/17/2011
Issued: 10/22/2013
Est. Priority Date: 02/17/2011
Status: Active Grant

First Claim

Patent Images

1. A computing system implemented process for ensuring compliance in public clouds using fine-grained encryption based on data ownership comprising:

a private network having at least two parties generating data wherein the at least two parties are generating their particular generated data on behalf of a first entity;

receiving, at a gateway computing system, first and second generated data from respective ones of the two or more parties at a gateway computing system, the gateway computing system being coupled between the private network and a public network, the public network being accessible by the private network only through the gateway computing system;

analyzing, using one or more processors, the first and second generated data and determining whether either or both of the first and second generated data is within the scope of one or more regulatory policies, the analysis resulting in a first determination that the first generated data is within the scope of one or more regulatory policies, and a second determination that the second generated data is not within the scope of one of more regulatory policies;

transferring the second generated data to the public cloud without further processing; and

using one or more processors to;

determine, at the gateway computing system before the first generated data is transferred to the public network, using a data ownership determination system, the ownership of the first generated data to be a first entity;

access ownership based encryption key data associated with the determined owner of the first generated data;

obtain, at the gateway computing system before the first generated data is transferred to the public network, data representing the encryption keys associated with the determined owner of the first generated data at the gateway computing system;

encrypt, at the gateway computing system before the first data is transferred to the public network, the generated data in accordance with the encryption keys associated with the determined owner of the first data, thereby transforming the data into ownership based fine-grained encrypted data; and

transfer the ownership based fine-grained encrypted data from the gateway computing system to the public cloud.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for ensuring compliance in public clouds using fine-grained encryption based on data ownership that includes a process for ensuring compliance in public clouds using fine-grained encryption based on data ownership that is implemented, at least in part, at a gateway computing system through which data passes from the enterprise, and/or one or more end users, prior to being sent to the public cloud. In one embodiment, the data is classified, the ownership of the data is determined, the associated encryption keys are obtained, and the data is encrypted, automatically at the gateway computing system before the data is transferred to the public cloud, and in a manner that is transparent to end-users.

43 Citations

View as Search Results

17 Claims

1. A computing system implemented process for ensuring compliance in public clouds using fine-grained encryption based on data ownership comprising:
- a private network having at least two parties generating data wherein the at least two parties are generating their particular generated data on behalf of a first entity;
  
  receiving, at a gateway computing system, first and second generated data from respective ones of the two or more parties at a gateway computing system, the gateway computing system being coupled between the private network and a public network, the public network being accessible by the private network only through the gateway computing system;
  
  analyzing, using one or more processors, the first and second generated data and determining whether either or both of the first and second generated data is within the scope of one or more regulatory policies, the analysis resulting in a first determination that the first generated data is within the scope of one or more regulatory policies, and a second determination that the second generated data is not within the scope of one of more regulatory policies;
  
  transferring the second generated data to the public cloud without further processing; and
  
  using one or more processors to;
  
  determine, at the gateway computing system before the first generated data is transferred to the public network, using a data ownership determination system, the ownership of the first generated data to be a first entity;
  
  access ownership based encryption key data associated with the determined owner of the first generated data;
  
  obtain, at the gateway computing system before the first generated data is transferred to the public network, data representing the encryption keys associated with the determined owner of the first generated data at the gateway computing system;
  
  encrypt, at the gateway computing system before the first data is transferred to the public network, the generated data in accordance with the encryption keys associated with the determined owner of the first data, thereby transforming the data into ownership based fine-grained encrypted data; and
  
  transfer the ownership based fine-grained encrypted data from the gateway computing system to the public cloud.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computing system implemented process for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 1, wherein:
    - the gateway computing system is a backup server computing system.
  - 3. The computing system implemented process for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 1, wherein:
    - the gateway computing system is a web portal computing system.
  - 4. The computing system implemented process for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 1, wherein:
    - at least one of the one or more regulatory policies is selected from the group of regulatory policies consisting of;
      
      the Payment Card Industry Data Security Standard (PCI DSS);
      
      the Health Insurance Portability and Accountability Act (HIPAA); and
      
      the Sarbanes-Oxley Act.
  - 5. The computing system implemented process for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 1, wherein:
    - the ownership based encryption key data is obtained from an enterprise encryption key server system.
  - 6. The computing system implemented process for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 1, wherein:
    - the public cloud is the Internet.

7. A method for ensuring compliance in public clouds using fine-grained encryption based on data ownership comprising:
- receiving, at a gateway computing system, first and second generated data from respective ones of two or more users, the gateway computing system being disposed between a private network having two or more computing systems operated by respective ones of the two or more users and a public network having one or more computing systems wherein the two or more users are generating their respective generated data on behalf of a first entity;
  
  analyzing the first and second generated data and determining whether either or both of the first and second generated data is within the scope of one or more regulatory policies, the analysis resulting in a first determination that the first generated data is within the scope of one or more regulatory policies, and a second determination that the second generated data is not within the scope of one of more regulatory policies;
  
  transferring the second generated data to the public cloud without further processing;
  
  determining, at the gateway computing system before the first generated data is transferred to the public network, using a data ownership determination system, the ownership of the first generated data to be the first entity;
  
  accessing ownership based encryption key data associated with the determined owner of the first generated data;
  
  obtaining, at the gateway computing system before the first generated data is transferred to the public network, data representing the encryption keys associated with the determined owner of the generated data at the gateway computing system;
  
  encrypting, at the gateway computing system before the first generated data is transferred to the public network, the first generated data in accordance with the encryption keys associated with the determined owner of the first generated data, thereby transforming the first generated data into ownership based fine-grained encrypted data; and
  
  transferring the ownership based fine-grained encrypted data from the gateway computing system to the public cloud.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 7, wherein:
    - the gateway computing system is a backup server computing system.
  - 9. The method for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 7, wherein:
    - the gateway computing system is a web portal computing system.
  - 10. The method for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 7, wherein:
    - at least one of the one or more regulatory policies is selected from the group of regulatory policies consisting of;
      
      the Payment Card Industry Data Security Standard (PCI DSS);
      
      the Health Insurance Portability and Accountability Act (HIPAA); and
      
      the Sarbanes-Oxley Act.
  - 11. The method for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 7, wherein:
    - the ownership based encryption key data is obtained from an enterprise encryption key server system.
  - 12. The method for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 7, wherein:
    - the public cloud is the Internet.

13. A system for ensuring compliance in public clouds using fine-grained encryption based on data ownership comprising:
- two or more user/application computing systems, each respective user/application computing system being under the control of individual ones of two or more parties;
  
  a gateway computing system;
  
  data representing one or more data security system requirements;
  
  a data ownership determination system;
  
  an encryption key server computing system, the encryption key server computing system including ownership based encryption key data associated with one or more owners of data associated with the two or more user/application computing systems;
  
  a public cloud; and
  
  at least one processor associated with the gateway computing system, the at least one processor associated with the gateway computing system executing at least part of a process for ensuring compliance in public clouds using fine-grained encryption based on data ownership, the process comprising;
  
  receiving, first and second generated data from respective ones of the two or more user/application computing systems, at the gateway computing system, the gateway computing system being coupled between the private network and the public cloud, the public cloud being accessible by the private network only through the gateway computing system wherein at least two parties are generating respective first and second generated data on behalf of a first entity;
  
  analyzing the first and second generated data and the data representing one or more data security system requirements to determine and determining that the generated data is within the scope of the one or more regulatory policies, the analysis resulting in a first determination that the first generated data is within the scope of one or more regulatory policies, and a second determination that the second generated data is not within the scope of one of more regulatory policies;
  
  transferring the second generated data to the public cloud without further processing;
  
  determining, at the gateway computing system, the ownership of the first generated data to be a first entity, before the first generated data is transferred to the public cloud;
  
  accessing the encryption key server computing system and the ownership based encryption key data associated with the determined owner of the first generated data;
  
  obtaining, at the gateway computing system before the first generated data is transferred to the public cloud, data representing the encryption keys associated with the determined owner of the first generated data from the encryption key server computing system;
  
  encrypting, at the gateway computing system before the data is transferred to the public cloud, the first generated data in accordance with the encryption keys associated with the determined owners of the first generated data, thereby transforming the first generated data into ownership based fine-grained encrypted data; and
  
  transferring the ownership based fine-grained encrypted data from the gateway computing system to the public cloud.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 13, wherein:
    - the gateway computing system is a backup server computing system.
  - 15. The system for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 13, wherein:
    - the gateway computing system is a web portal computing system.
  - 16. The system for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 13, wherein:
    - at least one of the one or more regulatory policies is selected from the group of regulatory policies consisting of;
      
      the Payment Card Industry Data Security Standard (PCI DSS);
      
      the Health Insurance Portability and Accountability Act (HIPAA); and
      
      the Sarbanes-Oxley Act.
  - 17. The system for ensuring compliance in public clouds using fine-grained encryption based on data ownership of claim 13, wherein:
    - the public cloud is the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Banerjee, Deb
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
SCHMIDT, KARI L

Application Number

US13/030,010
Time in Patent Office

978 Days
Field of Search

713/153, 713/150, 713/166, 713/168, 713/170, 713/171, 726/1, 726/3, 726/25, 726/26, 709/217
US Class Current

713/153
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 9/088   Usage controlling of secret...

Method and system for ensuring compliance in public clouds using fine-grained data ownership based encryption

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for ensuring compliance in public clouds using fine-grained data ownership based encryption

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links